Analysis
- max time kernel: 132s
- max time network: 131s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 10:03

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 55467CY.xlsm
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: 55467CY.xlsm
  Resource: win10v20201028
General
- Target: 55467CY.xlsm
- Size: 2.8MB
- MD5: 736c9bf1bbf0332f1acf1967fc1470e7
- SHA1: 40a3360c60fc0714581e5b32c7f6c3b7727da2f0
- SHA256: 3bb7c47aa4dbab2d785c8058555788595be24c6c021fe03fd6b2ecce8730dff1
- SHA512: b5ed20a6421cead68f2d0ad43f680172b695cbd8a0c1234f8be9cea21c360130095131f8f8fe1fe2c60355beab49cf60b909176b31031ab15f1bb1ee0bc63990
Malware Config
Extracted
- Family: azorult
- URL: https://www.themindset.org.ng/nc_assets/fonts/098/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    cscript.exe (PID 3492), target EXCEL.EXE (PID 1160): Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
- Blacklisted process makes network request (1 IoC)
  Processes:
    flow 27: cscript.exe (PID 3492)
- Executes dropped EXE (3 IoCs)
  Processes:
    55467CY.exe (PID 2308)
    vpvbfm.pif (PID 3980)
    RegSvcs.exe (PID 3732)
- Loads dropped DLL (4 IoCs)
  Processes:
    RegSvcs.exe (PID 3732), 4 entries
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- JavaScript code in executable (1 IoC)
  Processes:
    resource \Users\Admin\AppData\Local\Temp\2fda\nss3.dll, yara rule: js
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 3980 set thread context of 3732: vpvbfm.pif (PID 3980) -> RegSvcs.exe (PID 3732)
- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (RegSvcs.exe)
    Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
    Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (RegSvcs.exe)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
    Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Modifies system certificate store
  Processes:
    Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (RegSvcs.exe)
    Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] (RegSvcs.exe)
- NTFS ADS (3 IoCs)
  Processes:
    File opened for modification C:\Users\Admin\AppData\Local\Temp\{4D63065F-2637-4862-953A-28117D5B717C}\q:Zone.Identifier (EXCEL.EXE)
    File opened for modification C:\Users\Admin\AppData\Local\Temp\{4D63065F-2637-4862-953A-28117D5B717C}\xx:Zone.Identifier (EXCEL.EXE)
    File created C:\programdata\asc.txt:script1.vbs (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    EXCEL.EXE (PID 1160)
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
    vpvbfm.pif (PID 3980), 14 entries
    RegSvcs.exe (PID 3732), 2 entries
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    EXCEL.EXE (PID 1160), 2 entries
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes:
    EXCEL.EXE (PID 1160), 14 entries
- Suspicious use of WriteProcessMemory (34 IoCs)
  Processes (writer -> target, number of writes):
    EXCEL.EXE (PID 1160) -> cscript.exe (PID 3492), 2 writes
    cscript.exe (PID 3492) -> 55467CY.exe (PID 2308), 3 writes
    55467CY.exe (PID 2308) -> vpvbfm.pif (PID 3980), 3 writes
    vpvbfm.pif (PID 3980) -> mshta.exe (PID 2208), 3 writes
    vpvbfm.pif (PID 3980) -> mshta.exe (PID 1364), 3 writes
    vpvbfm.pif (PID 3980) -> mshta.exe (PID 1120), 3 writes
    vpvbfm.pif (PID 3980) -> mshta.exe (PID 2076), 3 writes
    vpvbfm.pif (PID 3980) -> mshta.exe (PID 2372), 3 writes
    vpvbfm.pif (PID 3980) -> mshta.exe (PID 2228), 3 writes
    vpvbfm.pif (PID 3980) -> mshta.exe (PID 2712), 3 writes
    vpvbfm.pif (PID 3980) -> RegSvcs.exe (PID 3732), 5 writes
Processes (tree depth in brackets)
[1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\55467CY.xlsm"
    - Checks processor information in registry
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\cscript.exe
      Command line: "C:\Windows\system32\cscript.exe" C:\programdata\asc.txt:script1.vbs
      - Process spawned unexpected child process
      - Blacklisted process makes network request
      - Suspicious use of WriteProcessMemory
    [3] C:\programdata\55467CY.exe
        Command line: C:\programdata\55467CY.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\37558992\vpvbfm.pif
          Command line: "C:\37558992\vpvbfm.pif" asjmbpxf.pft
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\mshta.exe (7 instances)
            Command line: "C:\Windows\SysWOW64\mshta.exe"
        [5] C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks processor information in registry
            - Modifies system certificate store
            - Suspicious behavior: EnumeratesProcesses
Downloads