Analysis
- max time kernel: 15s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 24-06-2021 12:09
Static task: static1
Behavioral task: behavioral1
- Sample: huzur seramik dekont.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: huzur seramik dekont.exe
- Resource: win10v20210408
General
- Target: huzur seramik dekont.exe
- Size: 332KB
- MD5: 089710376ee97e0ab5156f9b5fa2c6b5
- SHA1: 3f839a78f01fa4538c233a0cbc123b8e7b779767
- SHA256: 06e10da08255822e522c881ef1cffe6a597811b0aa7188b8bcb04f549104d012
- SHA512: b58becc4aa21be3ed6a5297bad15b64f84b91c85cc14ff4c244d1a27ecfd3ba15706b3529005b56be5fa60914a976fcbd330109f384bda8ea27606d1183383c0
Malware Config
Extracted
- Family: azorult
- URL: http://smkn1cilegon.sch.id/huPI/index.php
Signatures
- Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Loads dropped DLL (2 IoCs)
Processes (pid | process):
808 | huzur seramik dekont.exe
808 | huzur seramik dekont.exe
- Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
PID 808 set thread context of 3852 | 808 | huzur seramik dekont.exe | huzur seramik dekont.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoC)
Processes (pid | process):
808 | huzur seramik dekont.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description | pid | process | target process):
PID 808 wrote to memory of 3852 | 808 | huzur seramik dekont.exe | huzur seramik dekont.exe
PID 808 wrote to memory of 3852 | 808 | huzur seramik dekont.exe | huzur seramik dekont.exe
PID 808 wrote to memory of 3852 | 808 | huzur seramik dekont.exe | huzur seramik dekont.exe
PID 808 wrote to memory of 3852 | 808 | huzur seramik dekont.exe | huzur seramik dekont.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\huzur seramik dekont.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\huzur seramik dekont.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Level 2 (child of the process above): C:\Users\Admin\AppData\Local\Temp\huzur seramik dekont.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\huzur seramik dekont.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsmB01E.tmp\System.dll
MD5: 56a321bd011112ec5d8a32b2f6fd3231
SHA1: df20e3a35a1636de64df5290ae5e4e7572447f78
SHA256: bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
SHA512: 5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3
- memory/3852-116-0x000000000041A684-mapping.dmp
- memory/3852-117-0x0000000000400000-0x0000000000420000-memory.dmp
Filesize: 128KB