Analysis
- max time kernel: 13s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 13-04-2021 23:36
- Static task: static1
- Behavioral task: behavioral1
  Sample: Proforma Invoice14042187605521.exe
  Resource: win7v20210410
- Behavioral task: behavioral2
  Sample: Proforma Invoice14042187605521.exe
  Resource: win10v20210408
General
- Target: Proforma Invoice14042187605521.exe
- Size: 219KB
- MD5: 63abd3223757a3c4b40d52f01d274837
- SHA1: 3cfc44783d590f0c0b19bffb205b43ed8579a0ca
- SHA256: 99a0a4ce4a345e3729c6177c979011f01d2272541d94e284b4da18c6cd59fd9c
- SHA512: 039a0791e2c4f0e3333b6c48b601540cc2ded502c9c0f34058709b63715f0db2444f81a357f2aa005abb8de52ac38a6256af0bcfc408670227d225e535029897
Malware Config
- Extracted: azorult
  http://cupazo.co.in/TyBmo/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Loads dropped DLL (5 IoCs)
  Processes:
    pid   process
    364   Proforma Invoice14042187605521.exe
    1000  MSBuild.exe
    1000  MSBuild.exe
    1000  MSBuild.exe
    1000  MSBuild.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid  process                              target process
    PID 364 set thread context of 1000   364  Proforma Invoice14042187605521.exe   MSBuild.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description         ioc                                                                                   process
    Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      MSBuild.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1000  MSBuild.exe
    1000  MSBuild.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    364   Proforma Invoice14042187605521.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid  process                              target process
    PID 364 wrote to memory of 1000   364  Proforma Invoice14042187605521.exe   MSBuild.exe
    PID 364 wrote to memory of 1000   364  Proforma Invoice14042187605521.exe   MSBuild.exe
    PID 364 wrote to memory of 1000   364  Proforma Invoice14042187605521.exe   MSBuild.exe
    PID 364 wrote to memory of 1000   364  Proforma Invoice14042187605521.exe   MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Proforma Invoice14042187605521.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice14042187605521.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice14042187605521.exe"
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \Users\Admin\AppData\Local\Temp\6E3C648E\mozglue.dll
  MD5: 9e682f1eb98a9d41468fc3e50f907635
  SHA1: 85e0ceca36f657ddf6547aa0744f0855a27527ee
  SHA256: 830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
  SHA512: 230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
- \Users\Admin\AppData\Local\Temp\6E3C648E\msvcp140.dll
  MD5: 109f0f02fd37c84bfc7508d4227d7ed5
  SHA1: ef7420141bb15ac334d3964082361a460bfdb975
  SHA256: 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
  SHA512: 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
- \Users\Admin\AppData\Local\Temp\6E3C648E\nss3.dll
  MD5: 556ea09421a0f74d31c4c0a89a70dc23
  SHA1: f739ba9b548ee64b13eb434a3130406d23f836e3
  SHA256: f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
  SHA512: 2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
- \Users\Admin\AppData\Local\Temp\6E3C648E\vcruntime140.dll
  MD5: 7587bf9cb4147022cd5681b015183046
  SHA1: f2106306a8f6f0da5afb7fc765cfa0757ad5a628
  SHA256: c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
  SHA512: 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
- \Users\Admin\AppData\Local\Temp\nsr64FA.tmp\rn5m6.dll
  MD5: 1df3f1a816ae6b40e3db82eacc6e2cd2
  SHA1: 5719d00ef8fa6355427065e47d6483257636b7c3
  SHA256: b6b8f1459cdc09825f47a2ba1f9fbd9a2c140ef08214ca255e34091fefb8a9af
  SHA512: 785f3b98d26f2e4daa578db22ec3d34bf6dc3f82ab644f82aac53db0182d66bbed56485f1af4fbc500906ef2481858d9e257bdbc62f412fc3b6409eaa5835773
- memory/364-117-0x0000000002D71000-0x0000000002D73000-memory.dmp
  Filesize: 8KB
- memory/364-116-0x0000000002D70000-0x0000000002D71000-memory.dmp
  Filesize: 4KB
- memory/1000-115-0x000000000041A684-mapping.dmp
- memory/1000-118-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB