Analysis
- max time kernel: 73s
- max time network: 70s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 20-01-2021 06:40

- Static task: static1
- Behavioral task: behavioral1 (Sample: Purchase Order 45584.xlsx; Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: Purchase Order 45584.xlsx; Resource: win10v20201028)
General
- Target: Purchase Order 45584.xlsx
- Size: 2.3MB
- MD5: 69eac4dc4f1e64e9912a7a20acdea37d
- SHA1: 05a713ac7bb1c39c51aaa4ba132131e751f70db4
- SHA256: 257586cb20dfe8e3fa19a99c2084e51904c6e714b021a72d39fd382e8910b709
- SHA512: 0cb333bce7c9800ad2ae0705d5adb7e7dc20104ac024ece04cf62a0bfe3be89ddcc9791c51f869f9303bb7b35c40ef3219b5bf63a7c42995231e37138e296b4f
Malware Config
- Extracted: azorult
- http://al-ifah.com/PL341/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Blocklisted process makes network request (1 IoC)
  Processes (flow, PID, process):
  - 6, 1412, EQNEDT32.EXE
- Executes dropped EXE (3 IoCs)
  Processes (PID, process):
  - 428, vbc.exe
  - 1952, vbc.exe
  - 1272, vbc.exe
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, IoC, process):
  - Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion, vbc.exe
  - Key value queried, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion, vbc.exe
- Loads dropped DLL (4 IoCs)
  Processes (PID, process):
  - 1412, EQNEDT32.EXE (4 entries)
- Uses the VBS compiler for execution (1 TTP)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description, IoC, process):
  - Key opened, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum, vbc.exe
  - Key value queried, \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0, vbc.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, PID, process, target process):
  - PID 428 set thread context of 1272, 428, vbc.exe, vbc.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes (description, IoC, process):
  - Key opened, \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor, EXCEL.EXE
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes (description, IoC, process):
  - Set value (str), \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes", EXCEL.EXE
  - Set value (str), \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105", EXCEL.EXE
  - Set value (str), \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000", EXCEL.EXE
  - Set value (int), \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55", EXCEL.EXE
  - Key created, \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel, EXCEL.EXE
  - Set value (int), \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1", EXCEL.EXE
  - Key created, \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar, EXCEL.EXE
  - Key created, \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt, EXCEL.EXE
  - Key created, \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote, EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (PID, process):
  - 1064, EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (PID, process):
  - 428, vbc.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, PID, process):
  - Token: SeDebugPrivilege, 428, vbc.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (PID, process):
  - 1064, EXCEL.EXE (3 entries)
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (description, PID, process, target process):
  - PID 1412 wrote to memory of 428, 1412, EQNEDT32.EXE, vbc.exe (4 entries)
  - PID 428 wrote to memory of 112, 428, vbc.exe, schtasks.exe (4 entries)
  - PID 428 wrote to memory of 1952, 428, vbc.exe, vbc.exe (4 entries)
  - PID 428 wrote to memory of 1272, 428, vbc.exe, vbc.exe (10 entries)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Purchase Order 45584.xlsx"
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FIbVXFwlmJS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4692.tmp"
      - Creates scheduled task(s)
    - C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
    - C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp4692.tmp
  MD5: d0871a55adf4bb4bab149375af1e3e98
  SHA1: 4d44e88f5993e36ed4f2523c7292c39ee77e0195
  SHA256: a7dff174e3cc37e05be82c0d8a50c908a06b0cc92a0cbc0582f1e75857da3158
  SHA512: f592e7aee18d783de8a079818660e7c77a07fe1caa33f71c7273178a868c0a47ece394be3c06670e930b3c04ffc1e24cffc8a29cad4ef7d80755354064b9bc42
- C:\Users\Public\vbc.exe
  MD5: 06904ee5e04abada43cb86d7a0457b5e
  SHA1: 749902ad199c0c1063ec0c0150db410f8579c54b
  SHA256: 3827b74e0bdab2de9236a5157690e90526a50d128e18f869b3d283c1a09069e9
  SHA512: cb79a70da1d32501ed647b69198804eb37774624910b97a600c0a07a0aacd54ca1eec6e42261e4df7f4590c746e573aae4ace775d21d22577d472cc31cdd5016
- memory/112-20-0x0000000000000000-mapping.dmp
- memory/428-19-0x0000000004BD0000-0x0000000004C25000-memory.dmp (Filesize: 340KB)
- memory/428-11-0x0000000000000000-mapping.dmp
- memory/428-14-0x000000006B540000-0x000000006BC2E000-memory.dmp (Filesize: 6.9MB)
- memory/428-15-0x0000000000200000-0x0000000000201000-memory.dmp (Filesize: 4KB)
- memory/428-17-0x00000000005B0000-0x00000000005D3000-memory.dmp (Filesize: 140KB)
- memory/428-18-0x0000000004B90000-0x0000000004B91000-memory.dmp (Filesize: 4KB)
- memory/1064-2-0x000000002F6D1000-0x000000002F6D4000-memory.dmp (Filesize: 12KB)
- memory/1064-4-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/1064-3-0x0000000071001000-0x0000000071003000-memory.dmp (Filesize: 8KB)
- memory/1272-23-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1272-24-0x000000000041A684-mapping.dmp
- memory/1272-27-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1412-5-0x0000000076101000-0x0000000076103000-memory.dmp (Filesize: 8KB)
- memory/1508-6-0x000007FEF7140000-0x000007FEF73BA000-memory.dmp (Filesize: 2.5MB)