Analysis
- max time kernel: 126s
- max time network: 99s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 16-05-2021 02:30
- Static task: static1
- Behavioral task: behavioral1
  Sample: 8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe
  Resource: win7v20210408
- Behavioral task: behavioral2
  Sample: 8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe
  Resource: win10v20210410
(The platform and resource lines show that the process details below are from the behavioral1 / win7v20210408 run.)
General
- Target: 8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe
- Size: 3.3MB
- MD5: a2e9f04fd2ce09694073d43ac62a5d0e
- SHA1: e98853e3512694b13425b82646cd2e869bae31bb
- SHA256: 8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2
- SHA512: ca413738e4404368d05c0ceaf351c8de9f33189ec8821635211e3c35896265542911b4cedaf6caf988ab9f4d21c5781df1384c4c8219edcc54e921dee50b6732
Malware Config
- Extracted: azorult
- C2 URL (from the extracted configuration): http://92.63.192.72/index.php
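An added example, not part of the sandbox report, that turns the extracted C2 URL into a check over HTTP proxy logs. The log format and the log lines are constructed; the normalisation to (host, port, path) is a design choice so that a port change or a different path to the same host still surfaces, as a weaker host-only hit rather than silently missing.

```python
"""Match the Azorult C2 extracted in this report (http://92.63.192.72/index.php)
against proxy/HTTP access logs. Added example; the Squid-like line format and
the sample lines below are constructed, not taken from the report."""
import re
from urllib.parse import urlsplit

# Indicator copied from the report's Malware Config section.
AZORULT_C2 = "http://92.63.192.72/index.php"

# Constructed sample lines: timestamp client method url status bytes
SAMPLE_LOG = """\
1621132200.101 10.0.0.15 GET http://example.com/ 200 5120
1621132245.332 10.0.0.15 POST http://92.63.192.72/index.php 200 2144
1621132250.778 10.0.0.22 GET http://92.63.192.72/static/app.js 404 0
1621132260.004 10.0.0.15 POST http://92.63.192.72/index.php 200 98
1621132301.551 10.0.0.31 GET http://92.63.192.72:8080/index.php 200 512
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
    r"\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def c2_key(url):
    """Normalise a URL to (host, port, path) so scheme case, a default port or
    a missing path do not hide a match. Returns None if there is no host."""
    parts = urlsplit(url.strip())
    if not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.hostname.lower(), port, parts.path or "/")


def find_c2_hits(log_text, c2_url=AZORULT_C2):
    """Return one dict per matching log line.
    match == 'exact'     : host, port and path equal the C2 URL
    match == 'host_only' : same host but another port or path (worth a look,
                           weaker evidence). Unparsable lines are skipped."""
    target = c2_key(c2_url)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        key = c2_key(m["url"])
        if key is None:
            continue
        if key == target:
            kind = "exact"
        elif key[0] == target[0]:
            kind = "host_only"
        else:
            continue
        hits.append({"line": lineno, "client": m["client"],
                     "method": m["method"], "url": m["url"], "match": kind})
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print(f"{hit['match']:9} line {hit['line']} {hit['client']} "
              f"{hit['method']} {hit['url']}")
```

The matcher records the HTTP method but does not filter on it: the stealer's check-in to index.php is normally a POST, but filtering would hide probes or variants, and the analyst can read the method off the hit. Once YTLoader.exe has crashed, as it did in this run, the host will not beacon at all, so an empty result from a sandbox run says nothing about an infected endpoint that ran the loader to completion.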
Signatures
- Azorult
  An information stealer first seen in 2016 that targets browsing history and saved passwords.
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  1300  busshost.exe
  1556  YTLoader.exe
- Loads dropped DLL (8 IoCs)
  Processes (pid, process):
  336   8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe (3 events)
  1500  WerFault.exe (5 events)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (4 IoCs)
  Process: 8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe (PID 336)
  File opened for modification  C:\Program Files (x86)\LetsSee!\busshost.exe
  File opened for modification  C:\Program Files (x86)\LetsSee!\Uninstall.exe
  File created                  C:\Program Files (x86)\LetsSee!\Uninstall.ini
  File opened for modification  C:\Program Files (x86)\LetsSee!\YTLoader.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware behaviour" note to this signature; nothing else in this report supports ransomware, so treat the hit as a weak indicator on its own.
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  1500  1556  WerFault.exe  YTLoader.exe
  WerFault.exe (PID 1500) is the Windows Error Reporting handler started for the crash of YTLoader.exe (PID 1556). The SeDebugPrivilege, EnumeratesProcesses and GetForegroundWindowSpam hits attributed to PID 1500 below are side effects of WER collecting the crash, not behaviour of the sample.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process: YTLoader.exe (PID 1556)
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Process: YTLoader.exe (PID 1556)
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  SystemManufacturer and SystemProductName are the SMBIOS strings exposed by the firmware; together with ProcessorNameString they give away a stock hypervisor (VMware, VirtualBox, Hyper-V) unless the sandbox rewrites them.
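An added example, not code from the sample or the report, that reproduces the three registry reads YTLoader.exe performs and scores the returned strings the way an evasive loader would. It is useful in both directions: to see what a loader learns from these keys, and to check that a sandbox image does not leak a hypervisor name through them. The marker list and the sample value sets are assumptions; the live read uses the stdlib winreg module and therefore works only on Windows.

```python
"""Emulate the hardware-fingerprint check YTLoader.exe performs through the
registry (ProcessorNameString, SystemManufacturer, SystemProductName) and
classify the strings. Added example; VM_MARKERS/DEFAULT_STRINGS and the
SAMPLE_* dicts are assumptions, not values from the report."""
import sys

# (key under HKLM, value name) exactly as listed in the report's IoCs.
REGISTRY_VALUES = [
    (r"HARDWARE\DESCRIPTION\System\CentralProcessor\0", "ProcessorNameString"),
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"),
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"),
]

# Assumed hypervisor markers; matched case-insensitively as substrings.
VM_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "kvm", "xen",
              "hyper-v", "virtual machine", "bochs", "parallels")
# Placeholder strings left by OEM-less boards and some sandbox images.
DEFAULT_STRINGS = ("system manufacturer", "system product name",
                   "to be filled by o.e.m.", "default string")


def read_registry_values():
    """Read the three values from HKLM the way the loader does.
    Windows only; returns {value_name: string}."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("live registry read requires Windows")
    import winreg  # stdlib on Windows
    out = {}
    for key, name in REGISTRY_VALUES:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
            out[name] = str(winreg.QueryValueEx(k, name)[0])
    return out


def classify(values):
    """Return (verdict, reasons).
    'vm'         : some value contains a hypervisor marker
    'suspicious' : some value is empty or a placeholder string
    'bare-metal' : nothing matched"""
    reasons = []
    for name, raw in values.items():
        low = raw.strip().lower()
        hits = [m for m in VM_MARKERS if m in low]
        if hits:
            reasons.append(f"{name} contains {hits}")
        elif not low or low in DEFAULT_STRINGS:
            reasons.append(f"{name} is empty or a placeholder ({raw!r})")
    if any("contains" in r for r in reasons):
        return "vm", reasons
    if reasons:
        return "suspicious", reasons
    return "bare-metal", reasons


# Constructed value sets (not taken from the report).
SAMPLE_VBOX = {
    "ProcessorNameString": "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz",
    "SystemManufacturer": "innotek GmbH",
    "SystemProductName": "VirtualBox",
}
SAMPLE_LAPTOP = {
    "ProcessorNameString": "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz",
    "SystemManufacturer": "Dell Inc.",
    "SystemProductName": "Latitude 7490",
}
SAMPLE_BLANK = {
    "ProcessorNameString": "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz",
    "SystemManufacturer": "System manufacturer",
    "SystemProductName": "System Product Name",
}

if __name__ == "__main__":
    values = read_registry_values() if sys.platform.startswith("win") else SAMPLE_VBOX
    verdict, why = classify(values)
    print(verdict, why)
```

Short markers such as "xen" or "kvm" can collide with an unrelated product string, so on a sandbox host the point of the "suspicious" tier is to catch images whose SMBIOS fields were blanked rather than replaced with plausible OEM values; blanking is itself a fingerprint.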
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid, process):
  1500  WerFault.exe (5 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
  1500  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege  1556  YTLoader.exe
  Token: SeDebugPrivilege  1500  WerFault.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  PID 336 wrote to memory of 1300   8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe  busshost.exe  (4 events)
  PID 336 wrote to memory of 1556   8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe  YTLoader.exe  (4 events)
  PID 1556 wrote to memory of 1500  YTLoader.exe  WerFault.exe  (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe (PID 336, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\LetsSee!\busshost.exe (PID 1300, level 2)
    Command line: "C:\Program Files (x86)\LetsSee!\busshost.exe"
    - Executes dropped EXE
  - C:\Program Files (x86)\LetsSee!\YTLoader.exe (PID 1556, level 2)
    Command line: "C:\Program Files (x86)\LetsSee!\YTLoader.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1500, level 3; the 32-bit WER handler, consistent with the Program Files (x86) drop path)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1084
      - Loads dropped DLL
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
No network events are listed in this export. The C2 URL under Malware Config comes from the extracted configuration, not from observed traffic, which is consistent with YTLoader.exe (PID 1556) crashing during this run.
MITRE ATT&CK Matrix ATT&CK v6
Downloads
The sandbox lists each dropped file once per event, under both C:\Program Files (x86)\LetsSee!\ and \Program Files (x86)\LetsSee!\, always with identical hashes; the unique files are:
- C:\Program Files (x86)\LetsSee!\YTLoader.exe
  MD5     c53d2de8becdaf58caba89a297455c65
  SHA1    c60da079393025e63475683375e0a045cefa3473
  SHA256  7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272
  SHA512  a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878
- C:\Program Files (x86)\LetsSee!\busshost.exe
  MD5     c0fb247ef64ec4b9cf799a6fcd18180e
  SHA1    92870e3882380df04aba8ff5a8f2458928b980e9
  SHA256  3c984137c3731017497bddcb5b7dcd920a765bdb80e8af77f4ef61a925a9f0b9
  SHA512  a7fc31296334519be557c329ff2ca4a13290b5c81d978940370da8c962bc162077fcaa21b484c9c9ce55b89f49ffb2ea44ec74193d7b4d91d84eca96740f18d4
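An added example, not part of the report, that sweeps a directory for the files this dropper writes: an exact SHA-256 match against the hashes listed above is definitive, while a file that merely carries one of the dropped names (YTLoader.exe, busshost.exe) is reported as a lead, since a rebuilt payload keeps the name but not the hash. The demo tree it builds holds constructed stand-in contents, not the real binaries; the drop directory name LetsSee! is taken from the report.

```python
"""Sweep a directory tree for the files dropped by this sample. Added example;
KNOWN_BAD_SHA256 holds hashes copied from the report, everything written by
build_demo_tree() is constructed stand-in content."""
import hashlib
import os
import tempfile

# SHA-256 values copied from the report's Downloads and General sections.
KNOWN_BAD_SHA256 = {
    "7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272": "YTLoader.exe",
    "3c984137c3731017497bddcb5b7dcd920a765bdb80e8af77f4ef61a925a9f0b9": "busshost.exe",
    "8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2": "dropper (original sample)",
}
# Names the dropper writes into Program Files (x86)\LetsSee!. Uninstall.exe and
# Uninstall.ini are also dropped there but the report gives no hashes for them.
KNOWN_BAD_NAMES = {"ytloader.exe", "busshost.exe"}


def sha256_file(path, chunk=1 << 20):
    """Stream the file in 1 MiB chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known_hashes=KNOWN_BAD_SHA256, known_names=KNOWN_BAD_NAMES):
    """Walk root and return a sorted list of (relative_path, reason, sha256).
    reason == 'hash' : exact SHA-256 match with the report (definitive)
    reason == 'name' : only the file name matches (lead, needs a look)
    Unreadable files are skipped rather than aborting the sweep."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                digest = sha256_file(full)
            except OSError:
                continue
            rel = os.path.relpath(full, root)
            if digest in known_hashes:
                findings.append((rel, "hash", digest))
            elif fn.lower() in known_names:
                findings.append((rel, "name", digest))
    return sorted(findings)


def build_demo_tree():
    """Create a throwaway directory mimicking the drop location, with
    constructed contents. Returns (root, path of the YTLoader.exe stand-in,
    its sha256)."""
    root = tempfile.mkdtemp(prefix="letssee_demo_")
    drop = os.path.join(root, "LetsSee!")
    os.makedirs(drop)
    stand_in = b"constructed stand-in, not the real YTLoader.exe\n"
    stand_in_path = os.path.join(drop, "YTLoader.exe")
    with open(stand_in_path, "wb") as f:
        f.write(stand_in)
    with open(os.path.join(drop, "Uninstall.ini"), "wb") as f:
        f.write(b"[Uninstall]\n")
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"benign\n")
    return root, stand_in_path, hashlib.sha256(stand_in).hexdigest()


if __name__ == "__main__":
    root, _, _ = build_demo_tree()
    for rel, reason, digest in sweep(root):
        print(f"{reason:4} {digest[:16]}... {rel}")
```

On a live host point sweep() at C:\Program Files (x86)\LetsSee! and at the user's Temp directory (where the dropper itself ran in this report); a "name" finding with an unknown hash is exactly the case where the new file's hash should be added to the known set and submitted for analysis.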
Memory dumps (file, size):
- memory/336-59-0x0000000075D11000-0x0000000075D13000-memory.dmp (8KB)
- memory/1300-69-0x0000000000400000-0x0000000000533000-memory.dmp (1.2MB)
- memory/1300-62-0x0000000000000000-mapping.dmp
- memory/1500-93-0x0000000000950000-0x0000000000951000-memory.dmp (4KB)
- memory/1500-87-0x0000000000000000-mapping.dmp
- memory/1556-77-0x0000000000720000-0x0000000000725000-memory.dmp (20KB)
- memory/1556-86-0x00000000008F0000-0x00000000008F1000-memory.dmp (4KB)
- memory/1556-79-0x00000000007B0000-0x00000000007B1000-memory.dmp (4KB)
- memory/1556-80-0x00000000007C0000-0x00000000007C8000-memory.dmp (32KB)
- memory/1556-81-0x0000000000850000-0x0000000000851000-memory.dmp (4KB)
- memory/1556-82-0x0000000000860000-0x0000000000861000-memory.dmp (4KB)
- memory/1556-83-0x0000000000870000-0x0000000000871000-memory.dmp (4KB)
- memory/1556-84-0x0000000000880000-0x0000000000881000-memory.dmp (4KB)
- memory/1556-85-0x00000000008A0000-0x00000000008A1000-memory.dmp (4KB)
- memory/1556-78-0x0000000000790000-0x0000000000791000-memory.dmp (4KB)
- memory/1556-76-0x0000000000730000-0x0000000000735000-memory.dmp (20KB)
- memory/1556-75-0x0000000000710000-0x0000000000719000-memory.dmp (36KB)
- memory/1556-74-0x0000000005090000-0x00000000054E5000-memory.dmp (4.3MB)
- memory/1556-73-0x0000000004CD0000-0x0000000004CD1000-memory.dmp (4KB)
- memory/1556-72-0x0000000000220000-0x0000000000224000-memory.dmp (16KB)
- memory/1556-70-0x0000000000360000-0x0000000000361000-memory.dmp (4KB)
- memory/1556-66-0x0000000000000000-mapping.dmp
The largest region dumped from YTLoader.exe (memory/1556-74, 4.3MB at 0x05090000, well outside the image base) is the first candidate to examine for an unpacked stage.