Analysis
- max time kernel: 133s
- max time network: 92s
- platform: windows7_x64
- resource: win7v200430
- submitted: 14-05-2020 12:04
Static task: static1
Behavioral task: behavioral1
  Sample: 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
  Resource: win10v200430
General
- Target: 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
- Size: 88KB
- MD5: 7e61b2b7856c264f9f70ccaef847494c
- SHA1: aa0c219b24a943d0276cb98c3bd6237f24dd6887
- SHA256: 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13
- SHA512: 60b26c9acb0379fa8cb272eeac46d5a08766e5a00389121091ec66d255a5b2d1e4903346e963e097df6b88378e201b44f31d1bfc2117d3d9efc40e90284d5508
Malware Config
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Contains code to disable Windows Defender (3 IoCs)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  Processes:
  resource                                                             | yara_rule
  behavioral1/memory/1756-10-0x0000000000400000-0x000000000040C000-memory.dmp | disable_win_def
  behavioral1/memory/1756-12-0x0000000000400000-0x000000000040C000-memory.dmp | disable_win_def
  behavioral1/memory/1756-13-0x0000000000400000-0x000000000040C000-memory.dmp | disable_win_def
- Executes dropped EXE (3 IoCs)
  Processes:
  pid  | process
  1480 | fdsf.exe
  1764 | fdsf.exe
  1756 | fdsf.exe
- Checks QEMU agent state file (2 TTPs, 2 IoCs)
  Checks state file used by QEMU agent, possibly to detect virtualization.
  Processes:
  description             | ioc                                 | process
  File opened (read-only) | C:\ProgramData\qemu-ga\qga.state    | 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
  File opened (read-only) | C:\ProgramData\qemu-ga\qga.state    | 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
- Loads dropped DLL (3 IoCs)
  Processes:
  pid  | process
  1020 | 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
  1480 | fdsf.exe
  1480 | fdsf.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  Processes:
  pid  | process
  1296 | 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
  1020 | 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
  1020 | 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  description                          | pid  | process                                                              | target process
  PID 1296 set thread context of 1020  | 1296 | 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe | 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
  PID 1480 set thread context of 1756  | 1480 | fdsf.exe                                                             | fdsf.exe
- Suspicious behavior: EnumeratesProcesses (166 IoCs)
  Processes:
  pid  | process
  1480 | fdsf.exe
  1756 | fdsf.exe (this row is repeated many times in the report; only distinct rows are shown here)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  pid  | process
  1296 | 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 1480 | fdsf.exe
  Token: SeDebugPrivilege  | 1756 | fdsf.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
  pid  | process
  1296 | 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
  1756 | fdsf.exe
  1756 | fdsf.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes (identical rows collapsed, with the number of occurrences in the report):
  description                       | pid  | process                                                              | target process | occurrences
  PID 1296 wrote to memory of 1020  | 1296 | 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe | 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe | 5
  PID 1020 wrote to memory of 1480  | 1020 | 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe | fdsf.exe       | 4
  PID 1480 wrote to memory of 1764  | 1480 | fdsf.exe                                                             | fdsf.exe       | 4
  PID 1480 wrote to memory of 1756  | 1480 | fdsf.exe                                                             | fdsf.exe       | 9
  PID 1756 wrote to memory of 1072  | 1756 | fdsf.exe                                                             | cmstp.exe      | 7
Processes
Process tree (indentation shows parent/child depth; each entry lists the path, the command line and the signatures that matched it):

C:\Users\Admin\AppData\Local\Temp\2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe"
  - Checks QEMU agent state file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe"
    - Checks QEMU agent state file
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\fdsf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fdsf.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\fdsf.exe
        Command line: "{path}"
        - Executes dropped EXE

      C:\Users\Admin\AppData\Local\Temp\fdsf.exe
        Command line: "{path}"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\SysWOW64\cmstp.exe
          Command line: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\oapivsvn.inf
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\fdsf.exe
  MD5: 788fe4e8bdcff1069a879664b02410ec
  SHA1: 3931f99406bf4f8e5320bfd8c3b89a5fdc7b0d55
  SHA256: fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f
  SHA512: b63d2495f737e0b6f58e0b25b5ca03280c6db4abbc9ca06a78192930cdea6586a3864daad819320c932915b81b55d1f0136726097e11c5b831cbf1944b354384
- C:\Windows\temp\oapivsvn.inf
  MD5: 488582f9401169c8bd9b8088bb469720
  SHA1: 7d2430a9a03cd7be21fa1c21e00f791febd2d4f2
  SHA256: e74855808223a95010ddee92d1fb8079757e12f975e134b6c24d33f17a38c220
  SHA512: 2f387dcfda412107acd2c06e306d3ff24feb3de1ebadfac4e7ccbfa7b04cdbee812548ca8353150cf530840f487d7874cd8bfe56fb6b05920f515548428d9f38
- \Users\Admin\AppData\Local\Temp\fdsf.exe
  MD5: 788fe4e8bdcff1069a879664b02410ec
  SHA1: 3931f99406bf4f8e5320bfd8c3b89a5fdc7b0d55
  SHA256: fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f
  SHA512: b63d2495f737e0b6f58e0b25b5ca03280c6db4abbc9ca06a78192930cdea6586a3864daad819320c932915b81b55d1f0136726097e11c5b831cbf1944b354384
- memory/1480-6-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1756-10-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
- memory/1756-12-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
- memory/1756-13-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)