Analysis
- max time kernel: 115s
- max time network: 55s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-01-2021 18:03
Static task: static1
Behavioral task: behavioral1
- Sample: bd77c6cc5e497fdcbb12fa2efa06abd2f39b58487cbe72f2191bb9e4c4640c31.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: bd77c6cc5e497fdcbb12fa2efa06abd2f39b58487cbe72f2191bb9e4c4640c31.exe
- Resource: win10v20201028
General
- Target: bd77c6cc5e497fdcbb12fa2efa06abd2f39b58487cbe72f2191bb9e4c4640c31.exe
- Size: 833KB
- MD5: 9b0cba63f37783d933cd86fc96f2aa07
- SHA1: b5a93abac6411cc261b9f3d484fec192e136338c
- SHA256: bd77c6cc5e497fdcbb12fa2efa06abd2f39b58487cbe72f2191bb9e4c4640c31
- SHA512: 473926d8f8d6e8127fca322a850ae988fd9bf286719d17936b7bd52b221c4d8e6eb4c15b785a2bc0b1d39bb2c24cac7901e65503b94d7e0d3e710fbe7cce9be1
Malware Config
Extracted: azorult
- http://main.kebleflooring.co.uk/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    1192  backup.exe
    324   rar_temp1.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
    1668  bd77c6cc5e497fdcbb12fa2efa06abd2f39b58487cbe72f2191bb9e4c4640c31.exe (listed 4 times)
    1248
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
    324   rar_temp1.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
    PID 1668 wrote to memory of 1192 | 1668 | bd77c6cc5e497fdcbb12fa2efa06abd2f39b58487cbe72f2191bb9e4c4640c31.exe | backup.exe (listed 4 times)
    PID 1668 wrote to memory of 324 | 1668 | bd77c6cc5e497fdcbb12fa2efa06abd2f39b58487cbe72f2191bb9e4c4640c31.exe | rar_temp1.exe (listed 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\bd77c6cc5e497fdcbb12fa2efa06abd2f39b58487cbe72f2191bb9e4c4640c31.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd77c6cc5e497fdcbb12fa2efa06abd2f39b58487cbe72f2191bb9e4c4640c31.exe"
  Signatures:
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\backup.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\backup.exe
    Signatures:
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\rar_temp1.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\rar_temp1.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\backup.exe (also listed as \Users\Admin\AppData\Local\backup.exe)
  MD5: 49fad1b9e61959fad1566eeaac72eb33
  SHA1: f5d128c09a53bf4ce97789e67bf8197d6d44f118
  SHA256: 87f4e1cbc145e642d7c69f6935ef9be74475e76827de585561218f96350e6fed
  SHA512: 2fcb2c34e5e5c60060cec00a3396500f2e0df9cd871cc36474f2e1c8b9e6e6dce066077b3ec1e11e2b409c4f2247588fcb5099c4369fcd84d5d232ac795ffdeb
- C:\Users\Admin\AppData\Local\rar_temp1.exe (also listed as \Users\Admin\AppData\Local\rar_temp1.exe)
  MD5: 2aec40fc2e52200343e4f67f654c67ed
  SHA1: bc9897911617a27c9a5c150a8448cfad02017cf3
  SHA256: 224a640ec25e14f8cf70b3e1a28b8e9039835d1caaf824df9935d96f0eca4cd7
  SHA512: ae166620dd905eb5b4dfd4dd6b4f1cb385f5e7a5e736b8cc9e94aa89e2d594462b4e139fa723cdc4c56675cfbe1c548cc6a156363e13550ab0e598ad158bfb07
Memory dumps:
- memory/324-11-0x0000000000000000-mapping.dmp
- memory/324-13-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp (Filesize: 8KB)
- memory/1192-5-0x0000000000000000-mapping.dmp
- memory/1668-2-0x0000000074B31000-0x0000000074B33000-memory.dmp (Filesize: 8KB)
- memory/2028-8-0x000007FEF7080000-0x000007FEF72FA000-memory.dmp (Filesize: 2.5MB)