Analysis
max time kernel: 91s
max time network: 191s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 01:13

Static task: static1
Behavioral task: behavioral1
Sample: MTIR3040.exe
Resource: win7-20220414-en
General
Target: MTIR3040.exe
Size: 535KB
MD5: 79707819022534894896e0c348aaf6f2
SHA1: 1efc18e7f5d1f439cba6f4a7b0efd3bddab1d7c8
SHA256: 6d2e1786fd467c2e6015b9a1efe0823457c38127822a1b707aa6da5132a3d04a
SHA512: fdadeb54ddd7f2ee1f651b23a392a40f3a7eba9e328ce4eb7500f4dcbace6ad9c4b65940c705c0e5da13626e40454f90967403e8af4305f356325151a0e2c7c2
Malware Config
Extracted
Family: azorult
URL: https://gemateknindoperkasa.co.id/imag/index.php
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Poullight Stealer Payload 4 IoCs
Processes (resource, yara_rule):
  C:\Users\Admin\AppData\Local\Temp\tmp.exe  family_poullight
  C:\Users\Admin\AppData\Local\Temp\tmp.exe  family_poullight
  behavioral2/memory/1664-147-0x0000000000400000-0x0000000000420000-memory.dmp  family_poullight
  behavioral2/memory/5016-148-0x0000024582BB0000-0x0000024582BD0000-memory.dmp  family_poullight

suricata: ET MALWARE Generic gate .php GET with minimal headers

suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed

suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

suricata: ET MALWARE Win32/X-Files Stealer Activity
Executes dropped EXE 4 IoCs
Processes (pid, process):
  452   File.exe
  3568  svhost.exe
  5016  tmp.exe
  1664  File.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
  Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  File.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  MTIR3040.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext 2 IoCs
Processes (description, pid, process, target process):
  PID 2940 set thread context of 3568  2940  MTIR3040.exe  svhost.exe
  PID 452 set thread context of 1664   452   File.exe      File.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NTFS ADS 2 IoCs
Processes (description, ioc, process):
  File created                  C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier  cmd.exe
  File opened for modification  C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier  cmd.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes (pid, process):
  2940  MTIR3040.exe
  452   File.exe
  2940  MTIR3040.exe
  452   File.exe
  5016  tmp.exe
  1664  File.exe
  5016  tmp.exe
  1664  File.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes (description, pid, process):
  Token: SeDebugPrivilege  2940  MTIR3040.exe
  Token: SeDebugPrivilege  452   File.exe
  Token: SeDebugPrivilege  5016  tmp.exe
  Token: SeDebugPrivilege  1664  File.exe
Suspicious use of WriteProcessMemory 46 IoCs
Processes (source pid/process wrote to memory of target pid/process; identical entries collapsed, count in parentheses, 46 in total):
  PID 2940 MTIR3040.exe wrote to memory of 452 File.exe     (3)
  PID 2940 MTIR3040.exe wrote to memory of 3568 svhost.exe  (9)
  PID 2940 MTIR3040.exe wrote to memory of 4316 cmd.exe     (3)
  PID 452 File.exe wrote to memory of 5016 tmp.exe          (2)
  PID 452 File.exe wrote to memory of 1664 File.exe         (8)
  PID 452 File.exe wrote to memory of 4340 cmd.exe          (3)
  PID 2940 MTIR3040.exe wrote to memory of 1632 cmd.exe     (3)
  PID 452 File.exe wrote to memory of 1496 cmd.exe          (3)
  PID 1632 cmd.exe wrote to memory of 3680 reg.exe          (3)
  PID 1496 cmd.exe wrote to memory of 4100 reg.exe          (3)
  PID 452 File.exe wrote to memory of 4328 cmd.exe          (3)
  PID 2940 MTIR3040.exe wrote to memory of 1352 cmd.exe     (3)
Processes
(process tree; indentation shows parent/child depth, signatures listed under each process)

C:\Users\Admin\AppData\Local\Temp\MTIR3040.exe  (PID 2940)
  Command line: "C:\Users\Admin\AppData\Local\Temp\MTIR3040.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\File.exe  (PID 452)
    Command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\tmp.exe  (PID 5016)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\File.exe  (PID 1664)
      Command line: "C:/Users/Admin/AppData/Local/Temp/File.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe  (PID 4340)
      Command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y

    C:\Windows\SysWOW64\cmd.exe  (PID 1496)
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe  (PID 4100)
        Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f

    C:\Windows\SysWOW64\cmd.exe  (PID 4328)
      Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
      - NTFS ADS

  C:\Users\Admin\AppData\Local\Temp\svhost.exe  (PID 3568)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 4316)
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/MTIR3040.exe" "%temp%\FolderN\name.exe" /Y

  C:\Windows\SysWOW64\cmd.exe  (PID 1632)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe  (PID 3680)
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f

  C:\Windows\SysWOW64\cmd.exe  (PID 1352)
    Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
    - NTFS ADS
Network
MITRE ATT&CK Enterprise v6
Downloads
(dropped files; entries the report listed more than once with identical hashes are shown once)

C:\Users\Admin\AppData\Local\Temp\File.exe
  Filesize: 353KB
  MD5: dbbaea111fafe77e0346d6ad59781a89
  SHA1: 233b52dc07c9c45fe26914fa8f33170669b4b5bd
  SHA256: a935f5bf4303f1cc594d0de199b2c574925de541ccfbaaf074449387e0877937
  SHA512: d76a3d4d8185a1115f1baac8c176bb966be5f16c25e01c016ddcd77a49fe653c6ec9912e34270fb17e86e16a6f2e3fea19f802c70174e53e6996d81862015858

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
  Filesize: 353KB
  MD5: dbbaea111fafe77e0346d6ad59781a89
  SHA1: 233b52dc07c9c45fe26914fa8f33170669b4b5bd
  SHA256: a935f5bf4303f1cc594d0de199b2c574925de541ccfbaaf074449387e0877937
  SHA512: d76a3d4d8185a1115f1baac8c176bb966be5f16c25e01c016ddcd77a49fe653c6ec9912e34270fb17e86e16a6f2e3fea19f802c70174e53e6996d81862015858

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk
  Filesize: 1KB
  MD5: 020f46ade80c5ded54d8bffd95cc41e0
  SHA1: 74daafd45f86314f4fbf995951dd3952210d5729
  SHA256: 99b0b8d7097bc478691ae5c499f0f9d936991dc11e0a90bdec484ece55f4f6f2
  SHA512: 4203633c488a02280c54c2d8f974bd3f09a5d68b090c79f0746b75c37785d3346f25f35e61cb8ede0e74a4f0f5da8fe0ca19760154b0e88cb767604910fcb09c

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier
  Filesize: 27B
  MD5: 130a75a932a2fe57bfea6a65b88da8f6
  SHA1: b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c
  SHA256: f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e
  SHA512: 6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

C:\Users\Admin\AppData\Local\Temp\svhost.exe
  Filesize: 2.5MB
  MD5: 0a7608db01cae07792cea95e792aa866
  SHA1: 71dff876e4d5edb6cea78fee7aa15845d4950e24
  SHA256: c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e
  SHA512: 990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42

C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Filesize: 100KB
  MD5: 14a812d86407bc4b6e420ac74224178f
  SHA1: 2fe1b7bfdd9306e1157f15376344901e30151457
  SHA256: d4f2502d82d063fa9318ec1f8d93a7913ba923ab6ff0757ac919760cf1fe81a8
  SHA512: aad79d6e07772ed8e67c0ec90962ca7d4f79998205924dd1e3f4d6b908b967d8d23bcbbcff5bdb57d8a86291ee6c77339e2f1ce6de8583ff7a8e2985e87d621d