Analysis
- max time kernel: 15s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 14-04-2021 07:36

Tasks
- Static task: static1
- Behavioral task behavioral1: sample HalkbankEkstre0414217826353988773.exe on resource win7v20210410
- Behavioral task behavioral2: sample HalkbankEkstre0414217826353988773.exe on resource win10v20210408 (the run reported below)
General
- Target: HalkbankEkstre0414217826353988773.exe
- Size: 153KB
- MD5: 3455f87da5d2a50c79506161412ca0a3
- SHA1: c6234860a5b7a187c245e96638a4919bbef6966d
- SHA256: da889f40e6ee1f71dbc8282fa19dbeee68f5028384af7f96f620bd4f23d2de42
- SHA512: 5b762e7f31e12654d3688ce81059436d90d29e906cb3b0319d7a14c5914bb7be6f8b723f8d51fecacc0558981694e313e34dea4ebfb1d025be58e613003b29a8
Malware Config
- Extracted family: azorult
- C2 URL: http://cupazo.co.in/TyBmo/index.php
Signatures
- Azorult
  An information stealer first discovered in 2016, targeting browsing history and saved passwords. The URL in the extracted configuration above is the panel it reports to.
- Loads dropped DLL (6 IoCs)
  PID 852  HalkbankEkstre0414217826353988773.exe (1 load)
  PID 200  HalkbankEkstre0414217826353988773.exe (1 load)
  PID 2936 MSBuild.exe (4 loads)
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Suspicious use of SetThreadContext (1 IoC)
  PID 200 HalkbankEkstre0414217826353988773.exe set the thread context of PID 2936 MSBuild.exe. Together with the WriteProcessMemory calls from 200 to 2936 listed below, and with MSBuild.exe running under the sample's own command line in the process tree, this is process hollowing: the payload is written into a newly created MSBuild.exe and its thread context is redirected into it.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic note calls this likely ransomware behaviour; for an Azorult sample it is more consistent with enumerating drives to collect files, and nothing else in this run points to encryption.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  MSBuild.exe: key opened    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  MSBuild.exe: value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2936 MSBuild.exe (2 events)
- Suspicious behavior: MapViewOfSection (3 IoCs)
  PID 852 HalkbankEkstre0414217826353988773.exe (2 events)
  PID 200 HalkbankEkstre0414217826353988773.exe (1 event)
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 852 HalkbankEkstre0414217826353988773.exe wrote to memory of PID 3528 MSBuild.exe (3 events)
  PID 852 HalkbankEkstre0414217826353988773.exe wrote to memory of PID 200 HalkbankEkstre0414217826353988773.exe (3 events)
  PID 200 HalkbankEkstre0414217826353988773.exe wrote to memory of PID 2936 MSBuild.exe (4 events)
Processes
- PID 852: C:\Users\Admin\AppData\Local\Temp\HalkbankEkstre0414217826353988773.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\HalkbankEkstre0414217826353988773.exe"
  - Loads dropped DLL
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - PID 3528: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\HalkbankEkstre0414217826353988773.exe"
    (written to by PID 852; no further behaviour recorded for this instance)
  - PID 200: C:\Users\Admin\AppData\Local\Temp\HalkbankEkstre0414217826353988773.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\HalkbankEkstre0414217826353988773.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - PID 2936: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\HalkbankEkstre0414217826353988773.exe"
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses

PIDs are taken from the signature tables above. Both MSBuild.exe instances have the .NET Framework build host as their image but the sample's path as their command line; that disagreement between image and command line is the visible sign of hollowing, and the stealer's own behaviour (registry checks, process enumeration, loading the dropped DLLs) is recorded only in the second, PID 2936, after PID 200 redirected its thread context.
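As an added example, not part of the sandbox report, the following Python turns the two report findings a detection engineer would reuse into checks: the image-path/command-line disagreement on MSBuild.exe combined with parent-to-child WriteProcessMemory and SetThreadContext (process hollowing), and a drop of the complete Firefox NSS runtime (nss3.dll, mozglue.dll, msvcp140.dll, vcruntime140.dll) into a temp directory, which is how Azorult reads Firefox saved logins. The event records are constructed from the PIDs and paths in this report; the parent PID of the first process, the PIDs attributed to the file drops, and the event field names (loosely Sysmon-shaped, not any product's schema) are assumptions.

```python
"""Detection logic for two artefacts in this report: process hollowing of
MSBuild.exe, and a drop of the Firefox NSS runtime into a temp directory."""
import ntpath
from dataclasses import dataclass
from typing import Dict, Iterable, Set

@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str         # executable actually mapped into the process
    command_line: str  # command line the process was created with

@dataclass(frozen=True)
class MemoryAccess:
    source_pid: int
    target_pid: int
    api: str           # "WriteProcessMemory" or "SetThreadContext"

@dataclass(frozen=True)
class FileDrop:
    pid: int
    path: str

# Firefox NSS runtime that Azorult drops beside itself to decrypt saved logins.
NSS_RUNTIME = {"nss3.dll", "mozglue.dll", "msvcp140.dll", "vcruntime140.dll"}

def exe_from_command_line(cmd: str) -> str:
    """First token of a Windows command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def image_mismatch(ev: ProcessEvent) -> bool:
    """True when the mapped image and the command line name different executables."""
    image = ntpath.basename(ev.image).lower()
    claimed = ntpath.basename(exe_from_command_line(ev.command_line)).lower()
    return image != claimed

def classify_hollowing(procs: Iterable[ProcessEvent],
                       accesses: Iterable[MemoryAccess]) -> Dict[int, str]:
    """Verdict for each mismatching process, based on what its parent did to it."""
    seen: Dict[tuple, Set[str]] = {}
    for a in accesses:
        seen.setdefault((a.source_pid, a.target_pid), set()).add(a.api)
    verdicts = {}
    for p in procs:
        if not image_mismatch(p):
            continue
        apis = seen.get((p.ppid, p.pid), set())
        if {"WriteProcessMemory", "SetThreadContext"} <= apis:
            verdicts[p.pid] = "hollowed"      # payload written, thread redirected
        elif "WriteProcessMemory" in apis:
            verdicts[p.pid] = "written-only"  # injection begun, no redirect recorded
        else:
            verdicts[p.pid] = "mismatch-only"
    return verdicts

def nss_drop_dirs(drops: Iterable[FileDrop]) -> Set[str]:
    """Directories outside a Mozilla install that received the whole NSS runtime."""
    by_dir: Dict[str, Set[str]] = {}
    for d in drops:
        by_dir.setdefault(ntpath.dirname(d.path), set()).add(ntpath.basename(d.path).lower())
    return {d for d, names in by_dir.items()
            if NSS_RUNTIME <= names and "mozilla" not in d.lower()}

# Events constructed from the PIDs and paths in this report. The parent PID of the
# first process (1000) and the PIDs attributed to the file drops are assumptions.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\HalkbankEkstre0414217826353988773.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PROCESSES = [
    ProcessEvent(852, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcessEvent(3528, 852, MSBUILD, f'"{SAMPLE}"'),
    ProcessEvent(200, 852, SAMPLE, f'"{SAMPLE}"'),
    ProcessEvent(2936, 200, MSBUILD, f'"{SAMPLE}"'),
]
ACCESSES = [
    MemoryAccess(852, 3528, "WriteProcessMemory"),
    MemoryAccess(852, 200, "WriteProcessMemory"),
    MemoryAccess(200, 2936, "WriteProcessMemory"),
    MemoryAccess(200, 2936, "SetThreadContext"),
]
DROPS = [FileDrop(2936, ntpath.join(TEMP, "6E3C648E", n))
         for n in ("mozglue.dll", "msvcp140.dll", "nss3.dll", "vcruntime140.dll")]
DROPS += [FileDrop(852, ntpath.join(TEMP, "nso9D21.tmp", "2azzens5lweoq5l.dll")),
          FileDrop(200, ntpath.join(TEMP, "nss8E1D.tmp", "2azzens5lweoq5l.dll"))]

if __name__ == "__main__":
    for pid, verdict in sorted(classify_hollowing(PROCESSES, ACCESSES).items()):
        print(f"PID {pid}: {verdict}")
    for d in sorted(nss_drop_dirs(DROPS)):
        print(f"NSS runtime dropped in {d}")
```

On this report's data the first MSBuild.exe (PID 3528) comes back as written-only, because the sandbox records no SetThreadContext against it, and the second (PID 2936) as hollowed; the self-image child PID 200 is not reported at all, since its image and command line agree. Sysmon does not log SetThreadContext by name, so in a Sysmon pipeline the proxy is a ProcessAccess event (ID 10) from the parent with write rights in GrantedAccess, paired with the Image/CommandLine comparison on the child's ProcessCreate event (ID 1).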
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\521pekm1xt
  MD5: f84bd86a197e08dcf95c733d9e650f34
  SHA1: dfc6b54a5940ad4b162e2251b0a9aad74490ab61
  SHA256: 21b7b85dfea0a5284f5c8760a46750280f8956e498137b044a9d0eb688aed508
  SHA512: 83d7180f1c81932803e91a4dcce9e0e7b710be10ff818e3a03816facb26ab6bcd59cd3e5d95fd4cf0dfb43688588135916c42cb424950065e101f46e4d10a752
- C:\Users\Admin\AppData\Local\Temp\9folrhk0ki2n
  MD5: c1cbf6c77fbdc0db63906a7a69665c56
  SHA1: 61f70bef4fde742140949363094502ec77947924
  SHA256: e70febeccfd2175ff431786a61aea7012fb0da5e7d53a3978749e507dba31e0a
  SHA512: d8b791c269990a62ef3e4f521c03eb35e895e7bcdc9e7f525158495cd9d666a6a0e0ea6b980104e925b2ba446e8b68754709fe04ad3fb36b6058030b8751bc48
- \Users\Admin\AppData\Local\Temp\6E3C648E\mozglue.dll
  MD5: 9e682f1eb98a9d41468fc3e50f907635
  SHA1: 85e0ceca36f657ddf6547aa0744f0855a27527ee
  SHA256: 830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
  SHA512: 230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
- \Users\Admin\AppData\Local\Temp\6E3C648E\msvcp140.dll
  MD5: 109f0f02fd37c84bfc7508d4227d7ed5
  SHA1: ef7420141bb15ac334d3964082361a460bfdb975
  SHA256: 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
  SHA512: 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
- \Users\Admin\AppData\Local\Temp\6E3C648E\nss3.dll
  MD5: 556ea09421a0f74d31c4c0a89a70dc23
  SHA1: f739ba9b548ee64b13eb434a3130406d23f836e3
  SHA256: f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
  SHA512: 2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
- \Users\Admin\AppData\Local\Temp\6E3C648E\vcruntime140.dll
  MD5: 7587bf9cb4147022cd5681b015183046
  SHA1: f2106306a8f6f0da5afb7fc765cfa0757ad5a628
  SHA256: c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
  SHA512: 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
- \Users\Admin\AppData\Local\Temp\nso9D21.tmp\2azzens5lweoq5l.dll
  MD5: 5344b0bbb3d4851985d30338a60ae6b0
  SHA1: bb0b4f32eaa2aa5b3d5ef50675ec689a84a55795
  SHA256: 0cc326a1b49c7c0622394569dc5da9fd0ef59c4d9d84e3029117a1aee6b873b3
  SHA512: bc429ab4eab424b28c7fdd1f737dcb3aabbbcffa5af1f3f9803ac6e79f1c5e5898066495ebdb90509d61fbc54b3a5afb7033ca93a6dc680008fb17cbfaee6bcc
- \Users\Admin\AppData\Local\Temp\nss8E1D.tmp\2azzens5lweoq5l.dll
  MD5: 5344b0bbb3d4851985d30338a60ae6b0
  SHA1: bb0b4f32eaa2aa5b3d5ef50675ec689a84a55795
  SHA256: 0cc326a1b49c7c0622394569dc5da9fd0ef59c4d9d84e3029117a1aee6b873b3
  SHA512: bc429ab4eab424b28c7fdd1f737dcb3aabbbcffa5af1f3f9803ac6e79f1c5e5898066495ebdb90509d61fbc54b3a5afb7033ca93a6dc680008fb17cbfaee6bcc

The 6E3C648E directory holds the Firefox NSS runtime (nss3.dll and mozglue.dll, plus the MSVC runtime they depend on); Azorult drops it so it can call NSS to decrypt Firefox saved logins without depending on a Firefox install. The two ns*.tmp directories follow the NSIS plugin-directory naming pattern and contain the same DLL, as the identical hashes show; two of them is consistent with the installer stage running twice (PID 852 and PID 200), each loading one dropped DLL as recorded in the Loads dropped DLL signature. The hashes of these dropped files, not only of the submitted sample, are the ones worth blocking: the NSIS wrapper is easily rebuilt, the payload and its NSS bundle are reused.

Memory dumps:
- memory/852-115-0x0000000002DC0000-0x0000000002DC1000-memory.dmp (4KB)
- memory/852-116-0x0000000002DC1000-0x0000000002DC3000-memory.dmp (8KB)
- memory/200-117-0x0000000000000000-mapping.dmp
- memory/200-122-0x00000000024C0000-0x00000000024C1000-memory.dmp (4KB)
- memory/200-123-0x00000000024C1000-0x00000000024C3000-memory.dmp (8KB)
- memory/2936-121-0x000000000041A684-mapping.dmp
- memory/2936-124-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)

The 128KB region at 0x400000 in PID 2936 sits at the default 32-bit image base of the hollowed MSBuild.exe process and is where the unpacked Azorult payload would be expected; the 0x41A684 mapping falls inside that region.