Analysis
- max time kernel: 143s
- max time network: 37s
- platform: windows7_x64
- resource: win7v200430
- submitted: 10-07-2020 05:10
Static task: static1
Behavioral task: behavioral1
  Sample: 256057e4f992644fc9c1afe381f11ac1.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 256057e4f992644fc9c1afe381f11ac1.exe
  Resource: win10
General
- Target: 256057e4f992644fc9c1afe381f11ac1.exe
- Size: 714KB
- MD5: 256057e4f992644fc9c1afe381f11ac1
- SHA1: 1d31b5e458ab0fca9f494104671406082dc893f8
- SHA256: f540fb6b1e7f9612aa1ca6347c6de7a54ab883bcd23463a5011d0cbc57383974
- SHA512: 94e264f2c159908d60ad57b7464e22b52d518b73a419f9bb940634862978cd058e244ecc0539e12dd10d94485d34d8340b7f26be5861179e5bc2d261fd430003
Malware Config
Extracted
- Family: azorult
- http://82.165.75.233/index.php
Signatures
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 676 wrote to memory of 1576 | 676 | 256057e4f992644fc9c1afe381f11ac1.exe | 256057e4f992644fc9c1afe381f11ac1.exe
  PID 676 wrote to memory of 1576 | 676 | 256057e4f992644fc9c1afe381f11ac1.exe | 256057e4f992644fc9c1afe381f11ac1.exe
  PID 676 wrote to memory of 1576 | 676 | 256057e4f992644fc9c1afe381f11ac1.exe | 256057e4f992644fc9c1afe381f11ac1.exe
  PID 676 wrote to memory of 1576 | 676 | 256057e4f992644fc9c1afe381f11ac1.exe | 256057e4f992644fc9c1afe381f11ac1.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 676 set thread context of 1576 | 676 | 256057e4f992644fc9c1afe381f11ac1.exe | 256057e4f992644fc9c1afe381f11ac1.exe
- Loads dropped DLL (16 IoCs)
  Processes:
  pid | process
  1576 | 256057e4f992644fc9c1afe381f11ac1.exe (this row is repeated 16 times in the report)
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  676 | 256057e4f992644fc9c1afe381f11ac1.exe
  1576 | 256057e4f992644fc9c1afe381f11ac1.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid | process
  676 | 256057e4f992644fc9c1afe381f11ac1.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 256057e4f992644fc9c1afe381f11ac1.exe
- Checks for installed software on the system (1 TTP, 30 IoCs)
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key opened | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName | 256057e4f992644fc9c1afe381f11ac1.exe
  Key opened | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall | 256057e4f992644fc9c1afe381f11ac1.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\256057e4f992644fc9c1afe381f11ac1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\256057e4f992644fc9c1afe381f11ac1.exe"
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   2. C:\Users\Admin\AppData\Local\Temp\256057e4f992644fc9c1afe381f11ac1.exe (child of process 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\256057e4f992644fc9c1afe381f11ac1.exe"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Checks processor information in registry
      - Checks for installed software on the system
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll
- \Users\Admin\AppData\Local\Temp\2fda\mozglue.dll
- \Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll
- \Users\Admin\AppData\Local\Temp\2fda\nss3.dll
- \Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll
- memory/1576-0-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1576-2-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1576-1-0x000000000041A1F8-mapping.dmp