Analysis
-
max time kernel
147s -
max time network
135s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
14-10-2021 09:21
Static task
static1
Behavioral task
behavioral1
Sample
bin.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
bin.exe
Resource
win10v20210408
General
-
Target
bin.exe
-
Size
117KB
-
MD5
5f68d298eedf5b2282272382e32bb1f4
-
SHA1
95efb5facd86a2214e0a01d5be0f9a4136726049
-
SHA256
35987dceb08da0c9948d5298a60dc0d9f75f6d6534369f4edf17592af7946b5f
-
SHA512
0f33c084bbf3f6eb9452f74463ac4bc2dc76c9007511ab895ed5b99809a36046151683694fe171123407bf3c55f3b8f337965183d5c5629b1abb2cfe8218b2bd
Malware Config
Extracted
azorult
http://anwarmarshallgenesh.com/fem/deww/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Loads dropped DLL 4 IoCs
Processes:
bin.exepid process 1060 bin.exe 1060 bin.exe 1060 bin.exe 1060 bin.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
bin.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook bin.exe Key opened \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook bin.exe Key opened \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook bin.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
Processes:
bin.exepid process 808 bin.exe 808 bin.exe 808 bin.exe 808 bin.exe 808 bin.exe 808 bin.exe 808 bin.exe 808 bin.exe 808 bin.exe 808 bin.exe 808 bin.exe 808 bin.exe 808 bin.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
bin.exedescription pid process target process PID 808 set thread context of 1060 808 bin.exe bin.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2340 808 WerFault.exe bin.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
bin.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 bin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString bin.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
bin.exeWerFault.exebin.exepid process 808 bin.exe 808 bin.exe 808 bin.exe 2340 WerFault.exe 2340 WerFault.exe 2340 WerFault.exe 2340 WerFault.exe 2340 WerFault.exe 2340 WerFault.exe 2340 WerFault.exe 2340 WerFault.exe 2340 WerFault.exe 2340 WerFault.exe 2340 WerFault.exe 2340 WerFault.exe 2340 WerFault.exe 1060 bin.exe 1060 bin.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
bin.exeWerFault.exedescription pid process Token: SeDebugPrivilege 808 bin.exe Token: SeRestorePrivilege 2340 WerFault.exe Token: SeBackupPrivilege 2340 WerFault.exe Token: SeDebugPrivilege 2340 WerFault.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
bin.exedescription pid process target process PID 808 wrote to memory of 1060 808 bin.exe bin.exe PID 808 wrote to memory of 1060 808 bin.exe bin.exe PID 808 wrote to memory of 1060 808 bin.exe bin.exe PID 808 wrote to memory of 1060 808 bin.exe bin.exe PID 808 wrote to memory of 1060 808 bin.exe bin.exe PID 808 wrote to memory of 1060 808 bin.exe bin.exe PID 808 wrote to memory of 1060 808 bin.exe bin.exe PID 808 wrote to memory of 1060 808 bin.exe bin.exe PID 808 wrote to memory of 1060 808 bin.exe bin.exe PID 808 wrote to memory of 1060 808 bin.exe bin.exe -
outlook_office_path 1 IoCs
Processes:
bin.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook bin.exe -
outlook_win_path 1 IoCs
Processes:
bin.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bin.exe"C:\Users\Admin\AppData\Local\Temp\bin.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bin.exe"C:\Users\Admin\AppData\Local\Temp\bin.exe"2⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 17282⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dllMD5
9e682f1eb98a9d41468fc3e50f907635
SHA185e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
-
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dllMD5
109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
\Users\Admin\AppData\Local\Temp\2fda\nss3.dllMD5
556ea09421a0f74d31c4c0a89a70dc23
SHA1f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA5122481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
-
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dllMD5
7587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
memory/808-114-0x00000000006B0000-0x00000000006B1000-memory.dmpFilesize
4KB
-
memory/808-116-0x0000000004FD0000-0x0000000004FD1000-memory.dmpFilesize
4KB
-
memory/808-117-0x0000000004FA0000-0x0000000004FCE000-memory.dmpFilesize
184KB
-
memory/808-118-0x0000000005AB0000-0x0000000005AB1000-memory.dmpFilesize
4KB
-
memory/808-119-0x0000000006050000-0x0000000006051000-memory.dmpFilesize
4KB
-
memory/1060-120-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1060-121-0x000000000041A1F8-mapping.dmp
-
memory/1060-122-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB