Analysis
- max time kernel: 41s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-05-2022 13:50
Static task: static1
Behavioral task: behavioral1
- Sample: 9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe
- Resource: win10v2004-20220414-en
General
- Target: 9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe
- Size: 516KB
- MD5: a5669a3c8acad2ac38e73306066edecb
- SHA1: 484046726d558f448051e5bb73e2b531c2c45246
- SHA256: 9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94
- SHA512: e85b2c1df0e8f2652388056b2f72742f073db3588c9167b0e865df43b2f898c615174df240cb4a923d13b6f050f69e33037329dfacb87ac062cc0148ba7313a9
Malware Config
- Extracted family: azorult
- C2 URL: http://mideastclinicsea.us/micr05oft-0n1ine/0a8005f5594bd67041f88c6196192646/a5bfc9e07964f8dddeb95fc584cd965d/df877f3865752637daa540ea9cbc474f/webmai1pr0tected/8efd23a3fe0ec74453bdd0fadb91b0e3/PL341/index.php
The config extractor recovered this URL from the sample; it is the index.php gate the stealer reports to. The path imitates Microsoft and webmail names with digit-for-letter substitutions (micr05oft-0n1ine, webmai1pr0tected). Treat the hostname and the full path as network IoCs for blocking and hunting; do not fetch the URL from an analyst workstation.
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  1092 ydzzl.exe
  936 ydzzl.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
  1928 9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe
  1092 ydzzl.exe
  952 WerFault.exe (three loads)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\miihwsieh = "C:\Users\Admin\AppData\Roaming\cchna\ktqglofa.exe", set by ydzzl.exe
  The persisted binary, ktqglofa.exe under AppData\Roaming\cchna, is not among the files in this report's Downloads list, so no hashes for it are available here; collect it from the analysis disk if the persisted copy is needed.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The rule's generic text reads "Likely ransomware behaviour", but this sample is classified on this page as Azorult, an information stealer; enumerating drives is equally consistent with a stealer looking for files to collect, and nothing else in this report (no file encryption, no ransom note) points to ransomware.
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  952 936 WerFault.exe ydzzl.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (writer pid -> target pid, writer image -> target image, count):
  1928 -> 1092  9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe -> ydzzl.exe  (4 writes)
  1092 -> 936   ydzzl.exe -> ydzzl.exe  (11 writes)
  936 -> 952    ydzzl.exe -> WerFault.exe  (4 writes)
  The 11 writes from ydzzl.exe (1092) into a second instance of the same executable (936) are the pattern of a parent spawning a copy of itself and overwriting it; the writes into WerFault.exe come from the faulting process starting the crash reporter.
Processes
- C:\Users\Admin\AppData\Local\Temp\9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe  (PID 1928, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ydzzl.exe  (PID 1092, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\ydzzl.exe C:\Users\Admin\AppData\Local\Temp\wyjxu
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ydzzl.exe  (PID 936, depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\ydzzl.exe C:\Users\Admin\AppData\Local\Temp\wyjxu
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe  (PID 952, depth 4)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 120
        - Loads dropped DLL
        - Program crash
PIDs are taken from the signature tables above; "-p 936" on the WerFault.exe command line confirms that the second ydzzl.exe instance is the faulting process. Both ydzzl.exe instances are started with the dropped 7KB file wyjxu as their only argument, and the SysWOW64 path of WerFault.exe shows the whole chain runs as 32-bit processes on the x64 guest.
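The WriteProcessMemory table, the Run-key event and the process tree above can be re-derived mechanically from the report's own line format. The following script is an added example, not part of the sandbox report and not Azorult code: it parses the 19 write events and the Run-key event (reconstructed inline as constructed input), labels each writer-to-target pair using the PID-to-image map from the process tree, and checks whether the persisted binary was captured among the dropped files. The function names (parse_wpm, classify_writes, parse_run_key, assess_persistence) and the three labels are this example's own choices.

```python
import re
from collections import Counter

# PID -> image path, copied from the report's process tree (constructed lookup).
PROCESSES = {
    1928: r"C:\Users\Admin\AppData\Local\Temp\9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe",
    1092: r"C:\Users\Admin\AppData\Local\Temp\ydzzl.exe",
    936: r"C:\Users\Admin\AppData\Local\Temp\ydzzl.exe",
    952: r"C:\Windows\SysWOW64\WerFault.exe",
}

# The report's 19 WriteProcessMemory events (4 + 11 + 4) in the sandbox's own
# line format. Constructed input for the example, not captured telemetry.
WPM_LOG = "\n".join(
    ["PID 1928 wrote to memory of 1092 1928 9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe ydzzl.exe"] * 4
    + ["PID 1092 wrote to memory of 936 1092 ydzzl.exe ydzzl.exe"] * 11
    + ["PID 936 wrote to memory of 952 936 ydzzl.exe WerFault.exe"] * 4
)

# The Run-key event as printed in the report (registry data is backslash-escaped there).
RUN_KEY_LINE = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\miihwsieh = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\cchna\\ktqglofa.exe" ydzzl.exe'
)

# Paths from the report's Downloads list.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\Temp\wyjxu",
    r"C:\Users\Admin\AppData\Local\Temp\xjewya0f8z6q4cvbu82l",
    r"C:\Users\Admin\AppData\Local\Temp\ydzzl.exe",
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
RUN_RE = re.compile(r'Set value \(str\) (\\REGISTRY\\USER\\\S+?\\Run\\(\S+)) = "([^"]+)" (\S+)')


def parse_wpm(log):
    """Count write events per (writer pid, target pid)."""
    counts = Counter()
    for line in log.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def classify_writes(counts, processes):
    """Label each writer->target pair:
    self-image-write  both PIDs run the same executable (parent overwrites a copy of itself)
    crash-handler     target is WerFault.exe, which the faulting process starts itself
    cross-image-write anything else (here: the dropper writing into ydzzl.exe)"""
    labelled = {}
    for (writer, target), n in counts.items():
        w_img = processes.get(writer, "").lower()
        t_img = processes.get(target, "").lower()
        if t_img.endswith("\\werfault.exe"):
            label = "crash-handler"
        elif w_img and w_img == t_img:
            label = "self-image-write"
        else:
            label = "cross-image-write"
        labelled[(writer, target)] = (label, n)
    return labelled


def parse_run_key(line):
    """Split a 'Set value (str) <key> = "<data>" <process>' line into its parts."""
    m = RUN_RE.search(line)
    if not m:
        raise ValueError("not a Run-key set event")
    key, name, data, setter = m.groups()
    # The report escapes backslashes inside the quoted data; undo that.
    return {"key": key, "value_name": name, "target": data.replace("\\\\", "\\"), "set_by": setter}


def assess_persistence(entry, dropped_files):
    """Is the autorun target user-writable, and did the report capture that file?"""
    target = entry["target"].lower()
    return {
        "user_writable_target": "\\appdata\\" in target,
        "target_captured_in_report": target in {p.lower() for p in dropped_files},
    }


if __name__ == "__main__":
    for pair, (label, n) in classify_writes(parse_wpm(WPM_LOG), PROCESSES).items():
        print(f"{pair[0]} -> {pair[1]}: {label} ({n} writes)")
    run = parse_run_key(RUN_KEY_LINE)
    print(run["value_name"], "=>", run["target"], assess_persistence(run, DROPPED_FILES))
```

Running it labels 1092 -> 936 as self-image-write with 11 writes and reports that the Run-key target is user-writable but absent from the captured files, which is the cue to pull ktqglofa.exe from the analysis disk before the VM is discarded.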
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\wyjxu
  Filesize: 7KB
  MD5: d8a269678720acfc5dc76b53208c3302
  SHA1: 2729bad20f6935e5b88489671900ddaa7d22c792
  SHA256: 88e9825f1ba032c3ba70907f767ca5370ee6070f665f05ee83b5af26613b4ecf
  SHA512: b315c216c26995da4a220335a46f4cddd74e114d876d4f25c9b9f3d36a79bd5ef28c8a66a20002fcffaab19240dd53d0ac7239bf731c58cdd715fd0b9458ba4a
- C:\Users\Admin\AppData\Local\Temp\xjewya0f8z6q4cvbu82l
  Filesize: 213KB
  MD5: 44623f66bab0f6148c33004e7247387f
  SHA1: dd457b7633b125d6be1ee9bf9ca242e9e4174451
  SHA256: a377019e6b43e9a7cc6b3dffb7ac1b98bbf9a8de3399ec44a8caf50ca7ebaaa2
  SHA512: 3c5055e9a88b94ee2e6b623c3c380a612e7444adb81c280e6edf349b0253ef7170d1f59e256c52b60fa57f0a14b9518739105ce4d1a12f5618a19fbab699fec8
- C:\Users\Admin\AppData\Local\Temp\ydzzl.exe (also listed as \Users\Admin\AppData\Local\Temp\ydzzl.exe; the report repeats this one file eight times with identical digests)
  Filesize: 171KB
  MD5: b70d0f4c2d7f34f176ece550d76ce092
  SHA1: d6ef987a7e62cc591daa3ac2054bc171dec9a159
  SHA256: a1de1a69e0252e6e04e188a4c70b434e7c60e43ec52475106b170124c018f039
  SHA512: d00ca32682b5eeb884e54638b467fd07e6f509e51b273a5389d6426305a7cc7c17245b83c6b1bccdee1e9815b78fab31fda0526193f1075a8c27945094a792e1
Memory dumps
- memory/1928-54-0x0000000075361000-0x0000000075363000-memory.dmp, 8KB
- memory/1092-56-0x0000000000000000-mapping.dmp
- memory/936-63-0x0000000000000000-mapping.dmp
- memory/936-65-0x00000000000C0000-0x00000000000E0000-memory.dmp, 128KB
- memory/936-67-0x00000000000C0000-0x00000000000E0000-memory.dmp, 128KB
- memory/936-70-0x00000000000C0000-0x00000000000E0000-memory.dmp, 128KB
- memory/952-71-0x0000000000000000-mapping.dmp
The three 128KB dumps cover the same region, 0xC0000-0xE0000, in PID 936, the ydzzl.exe instance that its parent (PID 1092) wrote into 11 times; that region is the first place to look for the injected code.
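The Downloads list is flattened in the report (the path line ends in "Filesize", each digest line fuses the algorithm name to the hex value) and repeats one file several times. The following script is an added example, not part of the report: it parses that layout, collapses entries by SHA256 while keeping every path spelling, and verifies a local copy of a file against the listed digests. The input is a constructed copy of four entries from the list (ydzzl.exe twice); parse_downloads, dedupe_by_sha256, compute_digests and verify_sample are names chosen for the example.

```python
import hashlib
import re

# Constructed copy of four entries from the report's Downloads list, in the
# page's flattened layout. ydzzl.exe appears twice here (two path spellings);
# the original report lists it eight times with identical digests.
DOWNLOADS = r"""
-
C:\Users\Admin\AppData\Local\Temp\wyjxuFilesize
7KB
MD5d8a269678720acfc5dc76b53208c3302
SHA12729bad20f6935e5b88489671900ddaa7d22c792
SHA25688e9825f1ba032c3ba70907f767ca5370ee6070f665f05ee83b5af26613b4ecf
SHA512b315c216c26995da4a220335a46f4cddd74e114d876d4f25c9b9f3d36a79bd5ef28c8a66a20002fcffaab19240dd53d0ac7239bf731c58cdd715fd0b9458ba4a
-
C:\Users\Admin\AppData\Local\Temp\xjewya0f8z6q4cvbu82lFilesize
213KB
MD544623f66bab0f6148c33004e7247387f
SHA1dd457b7633b125d6be1ee9bf9ca242e9e4174451
SHA256a377019e6b43e9a7cc6b3dffb7ac1b98bbf9a8de3399ec44a8caf50ca7ebaaa2
SHA5123c5055e9a88b94ee2e6b623c3c380a612e7444adb81c280e6edf349b0253ef7170d1f59e256c52b60fa57f0a14b9518739105ce4d1a12f5618a19fbab699fec8
-
C:\Users\Admin\AppData\Local\Temp\ydzzl.exeFilesize
171KB
MD5b70d0f4c2d7f34f176ece550d76ce092
SHA1d6ef987a7e62cc591daa3ac2054bc171dec9a159
SHA256a1de1a69e0252e6e04e188a4c70b434e7c60e43ec52475106b170124c018f039
SHA512d00ca32682b5eeb884e54638b467fd07e6f509e51b273a5389d6426305a7cc7c17245b83c6b1bccdee1e9815b78fab31fda0526193f1075a8c27945094a792e1
-
\Users\Admin\AppData\Local\Temp\ydzzl.exeFilesize
171KB
MD5b70d0f4c2d7f34f176ece550d76ce092
SHA1d6ef987a7e62cc591daa3ac2054bc171dec9a159
SHA256a1de1a69e0252e6e04e188a4c70b434e7c60e43ec52475106b170124c018f039
SHA512d00ca32682b5eeb884e54638b467fd07e6f509e51b273a5389d6426305a7cc7c17245b83c6b1bccdee1e9815b78fab31fda0526193f1075a8c27945094a792e1
"""

# Longest algorithm names first so "SHA1" cannot swallow the start of "SHA512"/"SHA256".
DIGEST_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_downloads(text):
    """Turn the flattened list into [{path, size, digests}] and validate digest lengths."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            cur = None
            continue
        if line.endswith("Filesize"):
            cur = {"path": line[: -len("Filesize")], "size": None, "digests": {}}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = DIGEST_RE.match(line)
        if m:
            algo, hexv = m.group(1), m.group(2).lower()
            if len(hexv) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo} digest for {cur['path']} has {len(hexv)} hex chars")
            cur["digests"][algo] = hexv
        elif cur["size"] is None:
            cur["size"] = line
    return entries


def dedupe_by_sha256(entries):
    """Collapse repeated entries into one record per SHA256, keeping every path spelling."""
    unique = {}
    for e in entries:
        rec = unique.setdefault(e["digests"]["SHA256"], {"size": e["size"], "digests": e["digests"], "paths": []})
        if e["path"] not in rec["paths"]:
            rec["paths"].append(e["path"])
    return unique


def compute_digests(data):
    """Same four digests the report lists, for a file's bytes."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def verify_sample(data, expected):
    """{algo: matched?} for every algorithm the report listed for that file."""
    actual = compute_digests(data)
    return {algo: actual[algo] == hexv.lower() for algo, hexv in expected.items()}


if __name__ == "__main__":
    for sha256, rec in dedupe_by_sha256(parse_downloads(DOWNLOADS)).items():
        print(sha256[:16], rec["size"], rec["paths"])
```

A local copy of a dropped file is checked with verify_sample(open(path, "rb").read(), rec["digests"]); any False in the result means the file on hand is not the one the report describes.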