Analysis
- Max time kernel: 157s
- Max time network: 178s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 14-05-2022 13:50

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 56dedd515106bc5df8a08625e59d5b0613c01909574c57c0cf7ed391640030c6.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: 56dedd515106bc5df8a08625e59d5b0613c01909574c57c0cf7ed391640030c6.exe
  Resource: win10v2004-20220414-en

The platform and resource above match behavioral2, so the signatures, process tree and dropped files below are from the Windows 10 (2004) run.
General
- Target: 56dedd515106bc5df8a08625e59d5b0613c01909574c57c0cf7ed391640030c6.exe
- Size: 334KB
- MD5: 42639236c1ca97250de87dcde78f7644
- SHA1: 5dadcb3d8b5723a92dc1d89d7be1a264b1cb9c23
- SHA256: 56dedd515106bc5df8a08625e59d5b0613c01909574c57c0cf7ed391640030c6
- SHA512: d9eea40eb53af409ec4ee204eba57a733ae78632924d951c543ead32e8c7624136debdab25681ca616d38f7b1c0cc367b883c359d978d6f6a1b11bd53ddbc832
Malware Config (extracted)
- Family: azorult
- C2: http://2.56.59.31/myown/index.php
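The extracted C2 is the most actionable indicator on this page: unlike the dropped-file hashes, which change with every build, the gate URL is what the client checks in to. The following is an added example, not part of the sandbox report or of any vendor tooling, that turns the extracted URL into host/port/path indicators and runs them over Suricata eve.json-style HTTP records. The log lines, the source IPs and the request method are constructed here for illustration; only the C2 URL comes from the report. It complements the ET rule that fired in this run by keying on the extracted config rather than on the rule's content pattern.

```python
"""Added example (not from the sandbox report): match eve.json HTTP
records against the C2 extracted from the sample's configuration."""
import json
from urllib.parse import urlsplit

# From the report's "Malware Config" section.
EXTRACTED_C2 = "http://2.56.59.31/myown/index.php"

# Constructed eve.json records (not from the report): one exact hit on the
# gate URL, one request to the same host on a different path, one benign
# request to an unrelated host, and one non-HTTP event that must be skipped.
EVE_LINES = [
    json.dumps({"event_type": "http", "src_ip": "10.0.0.5", "dest_ip": "2.56.59.31",
                "dest_port": 80, "http": {"hostname": "2.56.59.31", "url": "/myown/index.php",
                                          "http_method": "POST", "length": 233}}),
    json.dumps({"event_type": "http", "src_ip": "10.0.0.5", "dest_ip": "2.56.59.31",
                "dest_port": 80, "http": {"hostname": "2.56.59.31", "url": "/myown/Panel/index.php",
                                          "http_method": "GET", "length": 0}}),
    json.dumps({"event_type": "http", "src_ip": "10.0.0.6", "dest_ip": "93.184.216.34",
                "dest_port": 80, "http": {"hostname": "example.com", "url": "/index.php",
                                          "http_method": "GET", "length": 0}}),
    json.dumps({"event_type": "dns", "src_ip": "10.0.0.6"}),
]


def c2_indicators(url):
    """Split a C2 URL into the fields an HTTP log actually carries."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return {"host": p.hostname, "port": port, "path": p.path}


def classify(record, ioc):
    """'exact' if host, port and path all match; 'host' if only the host and
    port match (same gate server, other path); None otherwise."""
    if record.get("event_type") != "http":
        return None
    http = record.get("http", {})
    # Fall back to dest_ip when the client sent no Host header.
    host = http.get("hostname") or record.get("dest_ip")
    if host != ioc["host"] or record.get("dest_port") != ioc["port"]:
        return None
    path = http.get("url", "").split("?", 1)[0]
    return "exact" if path == ioc["path"] else "host"


def scan(lines, c2_url):
    """Return one hit per matching record, in log order."""
    ioc = c2_indicators(c2_url)
    hits = []
    for lineno, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated lines rather than abort the sweep
        kind = classify(rec, ioc)
        if kind:
            hits.append({
                "line": lineno,
                "match": kind,
                "src_ip": rec.get("src_ip"),
                "method": rec["http"].get("http_method"),
                "url": rec["http"].get("url"),
            })
    return hits


if __name__ == "__main__":
    for hit in scan(EVE_LINES, EXTRACTED_C2):
        print(hit)
```

The "host" match tier is deliberate: a gate server that serves /myown/index.php is worth a ticket even when a later request uses a different path, and treating only the exact path as a hit would miss a panel relocation on the same IP.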
Signatures
- Azorult
  An information stealer, first seen in 2016, that targets browsing history and saved passwords.
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13 (fired twice during the run)
- Executes dropped EXE (2 IoCs)
  pid   process
  3564  ywazffher.exe
  4640  ywazffher.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but the signature is a generic heuristic; for an information stealer the same drive enumeration is consistent with locating files to collect rather than encrypt.
- Suspicious use of WriteProcessMemory (13 IoCs)
  source pid  source process                                                             target pid  target process   writes
  3888        56dedd515106bc5df8a08625e59d5b0613c01909574c57c0cf7ed391640030c6.exe       3564        ywazffher.exe    3
  3564        ywazffher.exe                                                              4640        ywazffher.exe    10
  The second row is the notable one: the dropped ywazffher.exe spawns a fresh copy of its own image and writes into it ten times, the pattern of a loader unpacking a payload into a child process.
Processes
- PID 3888: C:\Users\Admin\AppData\Local\Temp\56dedd515106bc5df8a08625e59d5b0613c01909574c57c0cf7ed391640030c6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\56dedd515106bc5df8a08625e59d5b0613c01909574c57c0cf7ed391640030c6.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - PID 3564: C:\Users\Admin\AppData\Local\Temp\ywazffher.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ywazffher.exe C:\Users\Admin\AppData\Local\Temp\irnxafuxa
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - PID 4640: C:\Users\Admin\AppData\Local\Temp\ywazffher.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ywazffher.exe C:\Users\Admin\AppData\Local\Temp\irnxafuxa
      Signatures: Executes dropped EXE
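The "wrote to memory of" rows in the signatures section are the raw evidence for the chain above, but in the report they are flattened into one line of thirteen near-identical entries. The following is an added example, not from the sandbox or its vendor, that parses rows in that shape, collapses repeats into per-edge write counts, rebuilds the tree from the root, and flags any hop where a process writes into a new instance of its own image. The PIDs and image names are copied from this report; the row format is reconstructed from how the page renders the table and is an assumption about that layout.

```python
"""Added example (not from the sandbox report): rebuild the process chain
from flattened "PID X wrote to memory of Y" rows and flag self-image
injection (a loader writing into a fresh copy of itself)."""
import re
from collections import Counter, defaultdict

# Row layout assumed from the page: the source PID is repeated after the
# target PID, then the source image and the target image follow.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_image>\S+) (?P<dst_image>\S+)$"
)

SAMPLE = "56dedd515106bc5df8a08625e59d5b0613c01909574c57c0cf7ed391640030c6.exe"

# Constructed input: the 13 rows the report lists, 3 for the first edge and
# 10 for the second, exactly as they are counted on the page.
REPORT_ROWS = (
    [f"PID 3888 wrote to memory of 3564 3888 {SAMPLE} ywazffher.exe"] * 3
    + ["PID 3564 wrote to memory of 4640 3564 ywazffher.exe ywazffher.exe"] * 10
)


def parse_writes(rows):
    """Return ({(src_pid, dst_pid): write_count}, {pid: image_name})."""
    edges = Counter()
    images = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images[src] = m["src_image"]
        images[dst] = m["dst_image"]
    return edges, images


def injection_chain(edges, images):
    """Walk the write graph from its root(s), one finding per edge.

    A finding is marked self_injection when the target runs the same image
    as the writer: the loader-spawns-itself-and-overwrites-the-child pattern.
    """
    children = defaultdict(list)
    for (src, dst), n in edges.items():
        children[src].append((dst, n))
    targets = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges if src not in targets})
    findings = []

    def walk(pid, depth):
        for dst, n in sorted(children[pid]):
            findings.append({
                "depth": depth,
                "src": pid, "src_image": images[pid],
                "dst": dst, "dst_image": images[dst],
                "writes": n,
                "self_injection": images[dst] == images[pid],
            })
            walk(dst, depth + 1)

    for root in roots:
        walk(root, 1)
    return findings


def summarize(rows):
    """Parse rows and return the ordered chain of findings."""
    edges, images = parse_writes(rows)
    return injection_chain(edges, images)


if __name__ == "__main__":
    for f in summarize(REPORT_ROWS):
        flag = "  <-- self-image injection" if f["self_injection"] else ""
        print(f"{'  ' * f['depth']}{f['src']} {f['src_image']} -> "
              f"{f['dst']} {f['dst_image']} ({f['writes']} writes){flag}")
```

The per-edge count matters as much as the edge itself: three writes from the sample into its dropped loader and ten from the loader into its own child is a much stronger signal than a single remote write, and the counts are what the flattened table hides.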
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (dropped files and memory dumps)
- C:\Users\Admin\AppData\Local\Temp\irnxafuxa
  Filesize: 4KB
  MD5: f8ee716f57cda999998dbd7305d441d4
  SHA1: b140aad0ff9fcaec6c0049718e7c7fc8d3afb203
  SHA256: 3df94ca7c6d557878f87a10ccfa218085fbf1ae3bac24b73d761fb7c813d5647
  SHA512: f775b5a89a3363b4ce4d4a1f7abf6af7a44ac5f31af6f10501323b82cbed775524bb3126d4d62a5be62a88a3d584d06c9aa61ddc90793e71ce81c057817eaffe
  Passed as the only argument to both ywazffher.exe instances (see Processes).
- C:\Users\Admin\AppData\Local\Temp\pehmgcrtqx2kbc
  Filesize: 210KB
  MD5: 2e431dd2a1d51b85c97a51363ccdfed9
  SHA1: 155964866dfc8bff22f3c40de307a307b9333115
  SHA256: 72850a625327e09ede65dd8adf513974b923656366bb06d83c9b3c88a8d5eea0
  SHA512: 57d794f8cd30ff7a6d4ba71f24768e6261803281de247440bec9c6291a125e179d8aa29294eeecff2c11c30d2e9aa71b55eb8e159b692ca3f227c626356e4976
  Dropped alongside the loader but not referenced on any command line in the process tree.
- C:\Users\Admin\AppData\Local\Temp\ywazffher.exe (reported three times with identical hashes; one entry kept)
  Filesize: 162KB
  MD5: ef9193e0462fcf1fd016952f58e2b749
  SHA1: 48d90f8fcd61ea6423056ace4627cece3ce879dc
  SHA256: 32c76da994a20f40bae3b97dee9b4a47d23855ee716736348d29a653ee4e62ee
  SHA512: 6be39b59a0d5d57b848bc0de74beba1dbce153275dc235b1f872af08f1b2b4d6f3cdd25d636835a386817f59d9d94c176357fb6623b9d9e936d6cfe4a7bf90af
- memory/3564-130-0x0000000000000000-mapping.dmp
- memory/4640-135-0x0000000000000000-mapping.dmp
- memory/4640-137-0x0000000000F80000-0x0000000000FA0000-memory.dmp
  Filesize: 128KB
- memory/4640-139-0x0000000000F80000-0x0000000000FA0000-memory.dmp
  Filesize: 128KB
- memory/4640-142-0x0000000000F80000-0x0000000000FA0000-memory.dmp
  Filesize: 128KB

The three 128KB dumps cover the same region, 0x00F80000-0x00FA0000, in PID 4640, the second ywazffher.exe instance and the target of the ten WriteProcessMemory calls from PID 3564. That region is where to look for the unpacked code, and the hashes of the dropped files above are the IoCs to sweep for on disk.