Analysis

- Max time kernel: 58s
- Max time network: 94s
- Platform: windows7_x64
- Resource: win7
- Submitted: 30-06-2020 12:45

Tasks:
- Static task: static1
- Behavioral task: behavioral1 (sample: Purchase Order.exe, resource: win7)
- Behavioral task: behavioral2 (sample: Purchase Order.exe, resource: win10v200430)
General

- Target: Purchase Order.exe
- Size: 248KB
- MD5: 47d75d97c84b7f0381f7397c2234ac07
- SHA1: c8d49410da62c0e7dd37b5f6403b03be0eb71857
- SHA256: 5d21ac6bca0ba98cba5930bc0ad3bc702615c3169f8fd73535f920adb8f547b3
- SHA512: f506c875b97f7693eecaa9a03dcf8b3e9ad98c809bda1e45599e052331b80df4ee3b9a79b64f2347d6f61bdfde95f647a1389922ac6afb6ff87ce1e55c9c3f14
Malware Config

Extracted configuration:
- Family: azorult
- C2 URL: https://www.nirjhara.com/mine/32/index.php
Signatures

- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  - PID 1424 (Purchase Order.exe) wrote to memory of PID 828 (Purchase Order.exe); recorded 5 times
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  - PID 1424 (Purchase Order.exe)
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Purchase Order.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Purchase Order.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - Token: SeDebugPrivilege, PID 1424 (Purchase Order.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 1424 (Purchase Order.exe) set thread context of PID 828 (Purchase Order.exe)
- Loads dropped DLL (16 IoCs)
  Processes:
  - PID 828 (Purchase Order.exe); recorded 16 times, one per DLL in the Downloads list
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  - PID 828 (Purchase Order.exe)
- Checks for installed software on the system (1 TTP, 30 IoCs)
  Processes (all by Purchase Order.exe; HKLM_UNINSTALL below stands for \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall):
  - Key opened: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  - Key enumerated: HKLM_UNINSTALL
  - Key opened: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall
  - Key value queried: HKLM_UNINSTALL\<subkey>\DisplayName, for each of these 27 subkeys:
    - DirectDrawEx
    - {00203668-8170-44A0-BE44-B632FA4D780F}
    - {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173
    - {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860
    - {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743
    - SchedulingAgent
    - Google Chrome
    - IE4Data
    - MobileOptionPack
    - {AC76BA86-7AD7-1033-7B44-A90000000001}
    - {ef6b00ec-13e1-4c25-9064-b2f383cb8412}
    - {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655
    - Adobe AIR
    - IE40
    - {f4220b74-9edd-4ded-bc8b-0342c1e164d8}
    - Fontcore
    - IEData
    - WIC
    - {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063
    - {BB8B979E-E336-47E7-96BC-1031C1B94561}
    - {ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}
    - AddressBook
    - IE5BAKEX
    - {92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364
    - Connection Manager
    - {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757
    - {1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
Processes

1. C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe (PID 1424)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetThreadContext
2. C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe (PID 828, child of PID 1424)
   Command line: "Purchase Order.exe"
   - Checks processor information in registry
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Checks for installed software on the system
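The WriteProcessMemory, SetThreadContext and MapViewOfSection signatures, read together with the process tree (PID 1424 launches a second copy of Purchase Order.exe as PID 828, writes into it five times and then replaces a thread context in it), are the RunPE / process-hollowing loader shape: the outer executable is only a wrapper and the stealer runs in the overwritten child. The following is an added example, not part of the sandbox report or its tooling: a small correlator that consumes sandbox-style API events and raises a finding only when the same source process both writes a foreign process's memory and sets a thread context in that same process. The Event schema, field names and the event records are constructed here from the tables above; they are not the sandbox's native export format.

```python
"""Correlate sandbox API events into a process-hollowing finding.

Added example, not from the report. The event records are constructed
from the report's signature tables: PID 1424 writes into PID 828 five
times and sets a thread context in it; PID 828 then loads DLLs from
%TEMP%\2fda. The Event schema is this example's own, not the sandbox's.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

TEMP_MARKER = "\\appdata\\local\\temp\\"


@dataclass(frozen=True)
class Event:
    api: str
    pid: int
    image: str
    target: Optional[int] = None  # target PID for cross-process calls
    detail: str = ""              # privilege name, DLL path, registry value, ...


IMG = "Purchase Order.exe"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp\2fda"

# Constructed from the report's signature tables (PID 1424 -> PID 828).
SAMPLE_EVENTS: List[Event] = (
    [Event("WriteProcessMemory", 1424, IMG, target=828)] * 5
    + [
        Event("MapViewOfSection", 1424, IMG),
        Event("AdjustPrivilegeToken", 1424, IMG, detail="SeDebugPrivilege"),
        Event("SetThreadContext", 1424, IMG, target=828),
        Event("LoadLibrary", 828, IMG, detail=TEMP_DIR + r"\nss3.dll"),
        Event("LoadLibrary", 828, IMG, detail=TEMP_DIR + r"\mozglue.dll"),
        Event("RegQueryValue", 828, IMG,
              detail=r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    ]
)


def detect_hollowing(events: List[Event]) -> List[Dict]:
    """One finding per (source, target) pair where the source both wrote the
    target's memory and replaced a thread context in it.

    WriteProcessMemory on its own is noisy (debuggers, installers, AV hooks),
    so a write without a matching SetThreadContext on the same target is
    deliberately not reported.
    """
    per_pair: Dict[tuple, Counter] = defaultdict(Counter)
    images: Dict[int, str] = {}
    for e in events:
        images.setdefault(e.pid, e.image)
        if e.target is not None and e.target != e.pid:
            per_pair[(e.pid, e.target)][e.api] += 1

    findings = []
    for (src, dst), apis in per_pair.items():
        if apis["WriteProcessMemory"] and apis["SetThreadContext"]:
            findings.append({
                "source_pid": src,
                "target_pid": dst,
                "writes": apis["WriteProcessMemory"],
                # A process spawning its own image and overwriting it is the
                # shape in this report; a different target image (e.g. a
                # system binary) is the other common variant.
                "same_image": images.get(src) == images.get(dst),
                "debug_priv": any(
                    ev.api == "AdjustPrivilegeToken" and ev.pid == src
                    and ev.detail == "SeDebugPrivilege" for ev in events),
            })
    return findings


def temp_dlls_loaded(events: List[Event], pid: int) -> List[str]:
    """DLL file names a PID loaded from a user temp directory: what the
    payload pulled in after it took over the hollowed process."""
    return sorted(
        e.detail.rsplit("\\", 1)[-1].lower()
        for e in events
        if e.api == "LoadLibrary" and e.pid == pid
        and TEMP_MARKER in e.detail.lower()
    )


if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_EVENTS):
        print(finding)
        print("temp DLLs loaded by target:",
              temp_dlls_loaded(SAMPLE_EVENTS, finding["target_pid"]))
```

The pairing is the detection, not either call alone: a lone WriteProcessMemory into a child is common in legitimate software, while WriteProcessMemory followed by SetThreadContext on the same freshly created process (here with SeDebugPrivilege enabled first) has very few benign explanations. The same_image flag captures the self-hollowing variant seen in this report.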
Downloads (dropped files and memory dumps)

Dropped files:
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\mozglue.dll
- \Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll
- \Users\Admin\AppData\Local\Temp\2fda\nss3.dll
- \Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Memory dumps:
- memory/828-0-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/828-2-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/828-1-0x000000000041A1F8-mapping.dmp
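The dropped-file listing is itself a strong indicator: nss3.dll and mozglue.dll are Mozilla's NSS crypto library and its support DLL, which Firefox and Thunderbird use for their password store, and msvcp140.dll, vcruntime140.dll and the twelve api-ms-win-crt-* forwarders are the C/C++ runtime that build of NSS links against. A stealer that carries this set into a per-run temp folder can decrypt saved logins from the victim's profile without the browser, which matches the "Reads user/profile data of web browsers" and "local email clients" signatures above. The following is an added example, not part of the report: it groups the listed paths by directory, flags a complete NSS kit, and parses the memory-dump names to confirm the region sizes and that the recorded mapping address falls inside a dumped region. The path and dump-name lists are copied from the listing; the "kit" rule and the helper names are this example's assumptions.

```python
"""Triage the report's Downloads listing: dropped files and memory dumps.

Added example, not the sandbox's own code. DROPPED and MEMORY_DUMPS are
copied from the listing; the NSS-kit rule and helper names are assumptions.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, List

TEMP_2FDA = r"\Users\Admin\AppData\Local\Temp\2fda"
UCRT_PARTS = ("convert", "environment", "filesystem", "heap", "locale", "math",
              "multibyte", "runtime", "stdio", "string", "time", "utility")
DROPPED: List[str] = [f"{TEMP_2FDA}\\api-ms-win-crt-{p}-l1-1-0.dll" for p in UCRT_PARTS] + [
    f"{TEMP_2FDA}\\{n}" for n in ("mozglue.dll", "msvcp140.dll", "nss3.dll", "vcruntime140.dll")
]
MEMORY_DUMPS: List[str] = [
    "memory/828-0-0x0000000000400000-0x0000000000420000-memory.dmp",
    "memory/828-2-0x0000000000400000-0x0000000000420000-memory.dmp",
    "memory/828-1-0x000000000041A1F8-mapping.dmp",
]

# nss3.dll (needs mozglue.dll) exposes the NSS API Firefox/Thunderbird use for
# their password store; the MSVC runtime and api-ms-win-crt-* forwarders are
# its dependencies. Treating this as a "kit" is this example's rule.
NSS_CORE = {"nss3.dll", "mozglue.dll"}
MSVC_RUNTIME = {"msvcp140.dll", "vcruntime140.dll"}
UCRT_PREFIX = "api-ms-win-crt-"


def group_by_directory(paths: List[str]) -> Dict[str, set]:
    by_dir: Dict[str, set] = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent).lower()].add(wp.name.lower())
    return by_dir


def find_nss_kits(paths: List[str]) -> List[Dict]:
    """Directories that contain a complete Mozilla-NSS decryption kit."""
    findings = []
    for directory, names in group_by_directory(paths).items():
        if not NSS_CORE <= names:
            continue
        findings.append({
            "dir": directory,
            # A real Firefox install also has nss3+mozglue; a per-run temp
            # folder is what makes this copy suspicious.
            "in_user_temp": "\\appdata\\local\\temp\\" in directory + "\\",
            "runtime_complete": MSVC_RUNTIME <= names,
            "ucrt_forwarders": sum(n.startswith(UCRT_PREFIX) for n in names),
            "file_count": len(names),
        })
    return findings


DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"(?:-0x(?P<end>[0-9a-fA-F]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_dump_name(name: str) -> Dict:
    """Split a dump file name into pid, index, kind and address range."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "index": int(m["idx"]), "kind": m["kind"],
            "start": start, "end": end, "size": end - start if end else None}


def mapping_addresses_covered(names: List[str]) -> Dict[int, bool]:
    """For each 'mapping' dump (a single address recorded for the process),
    report whether it lies inside a dumped region of the same PID."""
    parsed = [parse_dump_name(n) for n in names]
    regions = [d for d in parsed if d["kind"] == "memory"]
    return {
        d["start"]: any(r["pid"] == d["pid"] and r["start"] <= d["start"] < r["end"]
                        for r in regions)
        for d in parsed if d["kind"] == "mapping"
    }


if __name__ == "__main__":
    print(find_nss_kits(DROPPED))
    for n in MEMORY_DUMPS:
        print(parse_dump_name(n))
    print({hex(a): ok for a, ok in mapping_addresses_covered(MEMORY_DUMPS).items()})
```

Two points the output makes concrete. First, the kit check should be paired with the location flag: a genuine Firefox or Thunderbird installation also ships nss3.dll next to mozglue.dll, so the file names alone are not an indicator, while the same pair under a freshly created %TEMP% subfolder is. Second, both region dumps span 0x400000 to 0x420000, which is 0x20000 bytes and matches the listed 128KB, and the mapping address 0x41A1F8 lies inside that range; 0x400000 is the default image base for a 32-bit executable, so these dumps are the in-memory image of the hollowed PID 828 rather than of the 248KB file on disk.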