Analysis
max time kernel: 136s
max time network: 137s
platform: windows10_x64
resource: win10v20210408
submitted: 29-04-2021 10:04
Static task: static1
Behavioral task: behavioral1
  Sample: 04721BFDE5ECE7D75CE90D7D09DDCC71028B26F229038.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 04721BFDE5ECE7D75CE90D7D09DDCC71028B26F229038.exe
  Resource: win10v20210408
General
Target: 04721BFDE5ECE7D75CE90D7D09DDCC71028B26F229038.exe
Size: 231KB
MD5: 0a1c0441a4b383a7c91bb3a0b2036b20
SHA1: cc32f97cdd7389e4857ca508a4b598831f6c7fd3
SHA256: 04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6
SHA512: faa4b15dc354c966dd9447ed52cf94964b224c4b30bb9692706af119e2e6936a2e6188b7cc3743129aeb80db96ecd18573a860fe2ea6fd4bbc3c37af4e09de14
Malware Config
Extracted
Family: azorult
C2: http://195.245.112.115/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
    508 / XD.exe
    2556 / GuMonSet32.exe
  YARA matches (resource / yara_rule):
    C:\Users\Admin\AppData\Local\Temp\GuMonSet32.exe / upx
    C:\Users\Admin\AppData\Local\Temp\GuMonSet32.exe / upx
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
    Key value queried / \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation / 04721BFDE5ECE7D75CE90D7D09DDCC71028B26F229038.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes (pid / pid_target / process / target process):
    2700 / 508 / WerFault.exe / XD.exe
- Modifies registry class (1 IoCs)
  Processes (description / ioc / process):
    Key created / \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance / 04721BFDE5ECE7D75CE90D7D09DDCC71028B26F229038.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid / process):
    2700 / WerFault.exe (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
    Token: SeRestorePrivilege / 2700 / WerFault.exe
    Token: SeBackupPrivilege / 2700 / WerFault.exe
    Token: SeDebugPrivilege / 2700 / WerFault.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 808 wrote to memory of 508 / 808 / 04721BFDE5ECE7D75CE90D7D09DDCC71028B26F229038.exe / XD.exe (3 identical entries)
    PID 808 wrote to memory of 2556 / 808 / 04721BFDE5ECE7D75CE90D7D09DDCC71028B26F229038.exe / GuMonSet32.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\04721BFDE5ECE7D75CE90D7D09DDCC71028B26F229038.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\04721BFDE5ECE7D75CE90D7D09DDCC71028B26F229038.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\XD.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\XD.exe"
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe (level 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1224
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\GuMonSet32.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\GuMonSet32.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\GuMonSet32.exe
  MD5: 0ee8839051ff9c7c2699c3d80043eaa7
  SHA1: 77ead602300e8f2556601e30bab65b4eec5cf527
  SHA256: a92f119736413ecdc6d764112f57dfeee6c7f5b8cc2ec4c9e235af08cb11b771
  SHA512: a5210f5fef07ef47a703e7f63842f8f93d7115f3c375d5a2812975f03d58c9a31cf24fc9e9afe47f501a732b7640146d945ce302f9c67dbad4d84311143de9df
- C:\Users\Admin\AppData\Local\Temp\XD.exe
  MD5: 96fb8d393302d80b87fc5871102e9125
  SHA1: 234a809d5b9ada6b911fbe3846f55c4748cb46a0
  SHA256: 4a92cd9b845b492b6ba216b85dab28421111d7bbe9f31e857a767cb6fefb09a5
  SHA512: 46b704f5daa16002849b0473991810e5eb483e3a3ffc2fee3ad38f3f2218296dba48a19fec65aa24f81371d1068b191f30f642cc7304d6f30cb68e4fdee966dd
- memory/508-114-0x0000000000000000-mapping.dmp
- memory/2556-117-0x0000000000000000-mapping.dmp