Analysis
-
max time kernel
16s -
max time network
112s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
16-07-2021 18:03
Static task
static1
Behavioral task
behavioral1
Sample
f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.exe
Resource
win7v20210410
General
-
Target
f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.exe
-
Size
112KB
-
MD5
ccfa4bb4bfc83ec85f370fcd133a695c
-
SHA1
19a334983c90cacd6fd1dbebaf4b5239bf66e2c1
-
SHA256
f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5
-
SHA512
43e3c3bc4e247ec1c9d4e72f568bb72d4098084387d158d5f34bb04055f13d6e0041ceec0373c58af31d06f12e92470b7076a66834461e316fc2e59511b6f3b9
Malware Config
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Loads dropped DLL 4 IoCs
Processes:
f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.exepid process 3716 f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.exe 3716 f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.exe 3716 f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.exe 3716 f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 1364 timeout.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.exepid process 3716 f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.exe 3716 f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.execmd.exedescription pid process target process PID 3716 wrote to memory of 192 3716 f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.exe cmd.exe PID 3716 wrote to memory of 192 3716 f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.exe cmd.exe PID 3716 wrote to memory of 192 3716 f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.exe cmd.exe PID 192 wrote to memory of 1364 192 cmd.exe timeout.exe PID 192 wrote to memory of 1364 192 cmd.exe timeout.exe PID 192 wrote to memory of 1364 192 cmd.exe timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.exe"C:\Users\Admin\AppData\Local\Temp\f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "f53fa02c452f1b8314f3d53d6dff4cceae98a7b9b1b45f9d3d954380fc93a1c5.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\system32\timeout.exe 33⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\6E3C648E\mozglue.dllMD5
9e682f1eb98a9d41468fc3e50f907635
SHA185e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
-
\Users\Admin\AppData\Local\Temp\6E3C648E\msvcp140.dllMD5
109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
\Users\Admin\AppData\Local\Temp\6E3C648E\nss3.dllMD5
556ea09421a0f74d31c4c0a89a70dc23
SHA1f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA5122481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
-
\Users\Admin\AppData\Local\Temp\6E3C648E\vcruntime140.dllMD5
7587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
memory/192-118-0x0000000000000000-mapping.dmp
-
memory/1364-119-0x0000000000000000-mapping.dmp