Overview

overview

10

Static

static

MTIR3040.exe

windows7_x64

10

MTIR3040.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    91s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 01:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MTIR3040.exe

  • Size

    535KB

  • MD5

    79707819022534894896e0c348aaf6f2

  • SHA1

    1efc18e7f5d1f439cba6f4a7b0efd3bddab1d7c8

  • SHA256

    6d2e1786fd467c2e6015b9a1efe0823457c38127822a1b707aa6da5132a3d04a

  • SHA512

    fdadeb54ddd7f2ee1f651b23a392a40f3a7eba9e328ce4eb7500f4dcbace6ad9c4b65940c705c0e5da13626e40454f90967403e8af4305f356325151a0e2c7c2

Score
10/10
azorultpoullightinfostealerspywarestealersuricatatrojan

Malware Config

Extracted

Family

azorult

C2

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Poullight

    Poullight is an information stealer first seen in March 2020.

    trojanstealerpoullight
  • Poullight Stealer Payload 4 IoCs
  • suricata: ET MALWARE Generic gate .php GET with minimal headers

    suricata: ET MALWARE Generic gate .php GET with minimal headers

    suricata
  • suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed

    suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed

    suricata
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

    suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

    suricata
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

    suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

    suricata
  • suricata: ET MALWARE Win32/X-Files Stealer Activity

    suricata: ET MALWARE Win32/X-Files Stealer Activity

    suricata
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MTIR3040.exe
    "C:\Users\Admin\AppData\Local\Temp\MTIR3040.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:452
      • C:\Users\Admin\AppData\Local\Temp\tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5016
      • C:\Users\Admin\AppData\Local\Temp\File.exe
        "C:/Users/Admin/AppData/Local/Temp/File.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1664
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
        3⤵
          PID:4340
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1496
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
            4⤵
              PID:4100
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
            3⤵
            • NTFS ADS
            PID:4328
        • C:\Users\Admin\AppData\Local\Temp\svhost.exe
          "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
          2⤵
          • Executes dropped EXE
          PID:3568
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/MTIR3040.exe" "%temp%\FolderN\name.exe" /Y
          2⤵
            PID:4316
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1632
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
              3⤵
                PID:3680
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
              2⤵
              • NTFS ADS
              PID:1352

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\File.exe
            Filesize

            353KB

            MD5

            dbbaea111fafe77e0346d6ad59781a89

            SHA1

            233b52dc07c9c45fe26914fa8f33170669b4b5bd

            SHA256

            a935f5bf4303f1cc594d0de199b2c574925de541ccfbaaf074449387e0877937

            SHA512

            d76a3d4d8185a1115f1baac8c176bb966be5f16c25e01c016ddcd77a49fe653c6ec9912e34270fb17e86e16a6f2e3fea19f802c70174e53e6996d81862015858

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\File.exe
            Filesize

            353KB

            MD5

            dbbaea111fafe77e0346d6ad59781a89

            SHA1

            233b52dc07c9c45fe26914fa8f33170669b4b5bd

            SHA256

            a935f5bf4303f1cc594d0de199b2c574925de541ccfbaaf074449387e0877937

            SHA512

            d76a3d4d8185a1115f1baac8c176bb966be5f16c25e01c016ddcd77a49fe653c6ec9912e34270fb17e86e16a6f2e3fea19f802c70174e53e6996d81862015858

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\File.exe
            Filesize

            353KB

            MD5

            dbbaea111fafe77e0346d6ad59781a89

            SHA1

            233b52dc07c9c45fe26914fa8f33170669b4b5bd

            SHA256

            a935f5bf4303f1cc594d0de199b2c574925de541ccfbaaf074449387e0877937

            SHA512

            d76a3d4d8185a1115f1baac8c176bb966be5f16c25e01c016ddcd77a49fe653c6ec9912e34270fb17e86e16a6f2e3fea19f802c70174e53e6996d81862015858

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
            Filesize

            353KB

            MD5

            dbbaea111fafe77e0346d6ad59781a89

            SHA1

            233b52dc07c9c45fe26914fa8f33170669b4b5bd

            SHA256

            a935f5bf4303f1cc594d0de199b2c574925de541ccfbaaf074449387e0877937

            SHA512

            d76a3d4d8185a1115f1baac8c176bb966be5f16c25e01c016ddcd77a49fe653c6ec9912e34270fb17e86e16a6f2e3fea19f802c70174e53e6996d81862015858

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
            Filesize

            353KB

            MD5

            dbbaea111fafe77e0346d6ad59781a89

            SHA1

            233b52dc07c9c45fe26914fa8f33170669b4b5bd

            SHA256

            a935f5bf4303f1cc594d0de199b2c574925de541ccfbaaf074449387e0877937

            SHA512

            d76a3d4d8185a1115f1baac8c176bb966be5f16c25e01c016ddcd77a49fe653c6ec9912e34270fb17e86e16a6f2e3fea19f802c70174e53e6996d81862015858

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk
            Filesize

            1KB

            MD5

            020f46ade80c5ded54d8bffd95cc41e0

            SHA1

            74daafd45f86314f4fbf995951dd3952210d5729

            SHA256

            99b0b8d7097bc478691ae5c499f0f9d936991dc11e0a90bdec484ece55f4f6f2

            SHA512

            4203633c488a02280c54c2d8f974bd3f09a5d68b090c79f0746b75c37785d3346f25f35e61cb8ede0e74a4f0f5da8fe0ca19760154b0e88cb767604910fcb09c

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier
            Filesize

            27B

            MD5

            130a75a932a2fe57bfea6a65b88da8f6

            SHA1

            b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

            SHA256

            f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

            SHA512

            6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\svhost.exe
            Filesize

            2.5MB

            MD5

            0a7608db01cae07792cea95e792aa866

            SHA1

            71dff876e4d5edb6cea78fee7aa15845d4950e24

            SHA256

            c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e

            SHA512

            990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\svhost.exe
            Filesize

            2.5MB

            MD5

            0a7608db01cae07792cea95e792aa866

            SHA1

            71dff876e4d5edb6cea78fee7aa15845d4950e24

            SHA256

            c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e

            SHA512

            990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\tmp.exe
            Filesize

            100KB

            MD5

            14a812d86407bc4b6e420ac74224178f

            SHA1

            2fe1b7bfdd9306e1157f15376344901e30151457

            SHA256

            d4f2502d82d063fa9318ec1f8d93a7913ba923ab6ff0757ac919760cf1fe81a8

            SHA512

            aad79d6e07772ed8e67c0ec90962ca7d4f79998205924dd1e3f4d6b908b967d8d23bcbbcff5bdb57d8a86291ee6c77339e2f1ce6de8583ff7a8e2985e87d621d

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\tmp.exe
            Filesize

            100KB

            MD5

            14a812d86407bc4b6e420ac74224178f

            SHA1

            2fe1b7bfdd9306e1157f15376344901e30151457

            SHA256

            d4f2502d82d063fa9318ec1f8d93a7913ba923ab6ff0757ac919760cf1fe81a8

            SHA512

            aad79d6e07772ed8e67c0ec90962ca7d4f79998205924dd1e3f4d6b908b967d8d23bcbbcff5bdb57d8a86291ee6c77339e2f1ce6de8583ff7a8e2985e87d621d

            Download Submit
          • memory/452-135-0x0000000000810000-0x000000000086E000-memory.dmp
            Filesize

            376KB

            Download
          • memory/452-132-0x0000000000000000-mapping.dmp
            Download
          • memory/1352-164-0x0000000000000000-mapping.dmp
            Download
          • memory/1496-157-0x0000000000000000-mapping.dmp
            Download
          • memory/1632-156-0x0000000000000000-mapping.dmp
            Download
          • memory/1664-153-0x0000000004DA0000-0x0000000004E32000-memory.dmp
            Filesize

            584KB

            Download
          • memory/1664-166-0x0000000004FB0000-0x0000000005016000-memory.dmp
            Filesize

            408KB

            Download
          • memory/1664-146-0x0000000000000000-mapping.dmp
            Download
          • memory/1664-173-0x0000000006E40000-0x0000000006E52000-memory.dmp
            Filesize

            72KB

            Download
          • memory/1664-171-0x00000000075B0000-0x0000000007ADC000-memory.dmp
            Filesize

            5.2MB

            Download
          • memory/1664-152-0x0000000005130000-0x00000000056D4000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/1664-169-0x0000000006EB0000-0x0000000007072000-memory.dmp
            Filesize

            1.8MB

            Download
          • memory/1664-168-0x0000000005C60000-0x0000000005C6A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/1664-147-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

            Download
          • memory/1664-160-0x0000000004F30000-0x0000000004F3A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/2940-131-0x00000000059D0000-0x0000000005A6C000-memory.dmp
            Filesize

            624KB

            Download
          • memory/2940-130-0x0000000000EE0000-0x0000000000F6C000-memory.dmp
            Filesize

            560KB

            Download
          • memory/3568-141-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

            Download
          • memory/3568-137-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

            Download
          • memory/3568-136-0x0000000000000000-mapping.dmp
            Download
          • memory/3568-150-0x0000000000400000-0x0000000000420000-memory.dmp
            Filesize

            128KB

            Download
          • memory/3680-158-0x0000000000000000-mapping.dmp
            Download
          • memory/4100-159-0x0000000000000000-mapping.dmp
            Download
          • memory/4316-142-0x0000000000000000-mapping.dmp
            Download
          • memory/4328-162-0x0000000000000000-mapping.dmp
            Download
          • memory/4340-151-0x0000000000000000-mapping.dmp
            Download
          • memory/5016-148-0x0000024582BB0000-0x0000024582BD0000-memory.dmp
            Filesize

            128KB

            Download
          • memory/5016-170-0x000002459F240000-0x000002459F402000-memory.dmp
            Filesize

            1.8MB

            Download
          • memory/5016-155-0x00007FFEBACB0000-0x00007FFEBB771000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/5016-167-0x0000024582F80000-0x0000024582F8A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/5016-172-0x000002459F940000-0x000002459FE68000-memory.dmp
            Filesize

            5.2MB

            Download
          • memory/5016-174-0x000002459E190000-0x000002459E1A2000-memory.dmp
            Filesize

            72KB

            Download
          • memory/5016-143-0x0000000000000000-mapping.dmp
            Download