Analysis

Max time kernel: 123s
Max time network: 123s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 08-11-2020 18:33

Static task: static1

Behavioral task: behavioral1
Sample: 48491053b3ea162d0dd1b8213809e8f942ae30964c0963daf856d5c310e6be73.exe
Resource: win7v20201028

Behavioral task: behavioral2
Sample: 48491053b3ea162d0dd1b8213809e8f942ae30964c0963daf856d5c310e6be73.exe
Resource: win10v20201028
General

Target: 48491053b3ea162d0dd1b8213809e8f942ae30964c0963daf856d5c310e6be73.exe
Size: 1016KB
MD5: 329eb21fd7ed1e184c14f77a998dff71
SHA1: 0ef2938890ed8352c65763a0450ae8754d499f87
SHA256: 48491053b3ea162d0dd1b8213809e8f942ae30964c0963daf856d5c310e6be73
SHA512: 9ffda07a378394a08b93ed09b7c91136cc00e5fc944ad6426368509690e0d9258406cad25473553ed954cf60af76e5649e6eb3a4f3e3cfc2698202816f2e2900
Malware Config

Extracted:
  Family: azorult
  C2: http://185.208.182.54/mmc/index.php
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  3444  dbhvfiti.pif
  2676  RegSvcs.exe

Loads dropped DLL (4 IoCs)
Processes:
  pid   process
  2676  RegSvcs.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

JavaScript code in executable (1 IoC)
Processes:
  resource                                           yara_rule
  \Users\Admin\AppData\Local\Temp\CE87CE80\nss3.dll  js

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process       target process
  PID 3444 set thread context of 2676  3444  dbhvfiti.pif  RegSvcs.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                  process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  RegSvcs.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      RegSvcs.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
  pid   process
  3444  dbhvfiti.pif
  2676  RegSvcs.exe

Suspicious use of WriteProcessMemory (29 IoCs)
Processes:
  description                       pid   process                                                                target process
  PID 3980 wrote to memory of 3444  3980  48491053b3ea162d0dd1b8213809e8f942ae30964c0963daf856d5c310e6be73.exe  dbhvfiti.pif
  PID 3444 wrote to memory of 416   3444  dbhvfiti.pif                                                           mshta.exe
  PID 3444 wrote to memory of 3360  3444  dbhvfiti.pif                                                           mshta.exe
  PID 3444 wrote to memory of 1120  3444  dbhvfiti.pif                                                           mshta.exe
  PID 3444 wrote to memory of 1988  3444  dbhvfiti.pif                                                           mshta.exe
  PID 3444 wrote to memory of 1240  3444  dbhvfiti.pif                                                           mshta.exe
  PID 3444 wrote to memory of 3892  3444  dbhvfiti.pif                                                           mshta.exe
  PID 3444 wrote to memory of 1960  3444  dbhvfiti.pif                                                           mshta.exe
  PID 3444 wrote to memory of 2676  3444  dbhvfiti.pif                                                           RegSvcs.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\48491053b3ea162d0dd1b8213809e8f942ae30964c0963daf856d5c310e6be73.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\48491053b3ea162d0dd1b8213809e8f942ae30964c0963daf856d5c310e6be73.exe"
    - Suspicious use of WriteProcessMemory

    [2] C:\36534553\dbhvfiti.pif
        Command line: "C:\36534553\dbhvfiti.pif" avxoqwc.voe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\mshta.exe (7 instances)
            Command line: "C:\Windows\SysWOW64\mshta.exe"

        [3] C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads