Analysis
- max time kernel: 82s
- max time network: 145s
- platform: windows10_x64
- resource: win10
- submitted: 10-07-2020 10:21

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 62231fa0b731bd0aac1c55bd8ed15898.exe
  - Resource: win7v200430

General
- Target: 62231fa0b731bd0aac1c55bd8ed15898.exe
- Size: 242KB
- MD5: 62231fa0b731bd0aac1c55bd8ed15898
- SHA1: d3dd155f601bb80e417b9b0a6cf294215107af46
- SHA256: b699a2766f106ff77377780bad431b72ef1748bf989e09f2b82fb73cf30cbde3
- SHA512: 6539e010a88784c5c6c605038b2edb38c06d060543140e08c405025fd4c825f281e78993309a82dabb26148d5ad5eaf5eb0ea87f9fe95a520cd59d9c508c683c
Malware Config
- Extracted family: azorult
- C2 URL: http://195.245.112.115/index.php
Signatures

- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.

- Downloads MZ/PE file

- Executes dropped EXE (6 IoCs)
  Processes (pid, process):
    3276  osaz.exe
    632   rc.exe
    852   ac.exe
    364   ds1.exe
    1176  ds2.exe
    3136  osaz.exe

- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
    3912  62231fa0b731bd0aac1c55bd8ed15898.exe  (4 events)

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Legitimate hosting services abused for malware hosting/C2 (1 TTP)

- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
    PID 3100 set thread context of 3912  3100  62231fa0b731bd0aac1c55bd8ed15898.exe  62231fa0b731bd0aac1c55bd8ed15898.exe
    PID 3276 set thread context of 3136  3276  osaz.exe                              osaz.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash (3 IoCs)
  Processes (pid, pid_target, process, target process):
    3856  364   WerFault.exe  ds1.exe
    4044  852   WerFault.exe  ac.exe
    1112  1176  WerFault.exe  ds2.exe

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      62231fa0b731bd0aac1c55bd8ed15898.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  62231fa0b731bd0aac1c55bd8ed15898.exe

- Delays execution with timeout.exe (1 IoC)
  Processes (pid, process):
    1800  timeout.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    3912  62231fa0b731bd0aac1c55bd8ed15898.exe  (2 events)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeRestorePrivilege  3856  WerFault.exe
    Token: SeBackupPrivilege   3856  WerFault.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process); identical rows are collapsed with their event count:
    PID 3100 wrote to memory of 3276  3100  62231fa0b731bd0aac1c55bd8ed15898.exe  osaz.exe                               (3 events)
    PID 3100 wrote to memory of 3912  3100  62231fa0b731bd0aac1c55bd8ed15898.exe  62231fa0b731bd0aac1c55bd8ed15898.exe   (9 events)
    PID 3912 wrote to memory of 632   3912  62231fa0b731bd0aac1c55bd8ed15898.exe  rc.exe                                 (3 events)
    PID 3912 wrote to memory of 852   3912  62231fa0b731bd0aac1c55bd8ed15898.exe  ac.exe                                 (3 events)
    PID 3912 wrote to memory of 364   3912  62231fa0b731bd0aac1c55bd8ed15898.exe  ds1.exe                                (3 events)
    PID 3912 wrote to memory of 1176  3912  62231fa0b731bd0aac1c55bd8ed15898.exe  ds2.exe                                (3 events)
    PID 3912 wrote to memory of 1492  3912  62231fa0b731bd0aac1c55bd8ed15898.exe  cmd.exe                                (3 events)
    PID 1492 wrote to memory of 1800  1492  cmd.exe                               timeout.exe                            (3 events)
    PID 632 wrote to memory of 2160   632   rc.exe                                TapiUnattend.exe                       (34 events)
Processes
Process tree; the bracketed number is the depth reported by the sandbox, and the signatures each process triggered are listed beneath it.

[1] C:\Users\Admin\AppData\Local\Temp\62231fa0b731bd0aac1c55bd8ed15898.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\62231fa0b731bd0aac1c55bd8ed15898.exe"
    PID: 3100
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\osaz.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\osaz.exe"
      PID: 3276
      - Executes dropped EXE
      - Suspicious use of SetThreadContext

    [3] C:\Users\Admin\AppData\Local\Temp\osaz.exe
        Command line: "{path}"
        PID: 3136
        - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\Temp\62231fa0b731bd0aac1c55bd8ed15898.exe
      Command line: "{path}"
      PID: 3912
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\rc.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\rc.exe"
        PID: 632
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\TapiUnattend.exe
          Command line: "C:\Windows\System32\TapiUnattend.exe"
          PID: 2160

    [3] C:\Users\Admin\AppData\Local\Temp\ac.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ac.exe"
        PID: 852
        - Executes dropped EXE

      [4] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 948
          PID: 4044
          - Program crash

    [3] C:\Users\Admin\AppData\Local\Temp\ds1.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ds1.exe"
        PID: 364
        - Executes dropped EXE

      [4] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 912
          PID: 3856
          - Program crash
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Users\Admin\AppData\Local\Temp\ds2.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ds2.exe"
        PID: 1176
        - Executes dropped EXE

      [4] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 912
          PID: 1112
          - Program crash

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "62231fa0b731bd0aac1c55bd8ed15898.exe"
        PID: 1492
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\timeout.exe
          Command line: C:\Windows\system32\timeout.exe 3
          PID: 1800
          - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads