Analysis
- max time kernel: 43s
- max time network: 103s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 18:53
Static task: static1
Behavioral task: behavioral1
- Sample: Proforma Invoice scan copy.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Proforma Invoice scan copy.exe
- Resource: win10v2004-20220414-en
General
- Target: Proforma Invoice scan copy.exe
- Size: 391KB
- MD5: 2763355e57b326d3b984f0ac394f7ac6
- SHA1: ceb54e6f4b044fe78e4acd5e2935831118d57baf
- SHA256: dcbd6522b7ba8bfb856038cf4dcb24782cab61a9e3ce15bbf9afcdff9c6c4f4a
- SHA512: 6b402d5ee4ab1213ddd054f4478ff5cd81a01f75b9327fc8e3d09309cf42b811a998ae96ad0c3fe8ee8e2b9fce994f227ed3bdc74a1e7ae9658108061628e13a
Malware Config
Extracted: azorult
- https://www.nirjhara.com/mine/32/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- suricata: ET MALWARE AZORult Variant.4 Checkin M2
- suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M4
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description: PID 1784 set thread context of 652; pid: 1784; process: Proforma Invoice scan copy.exe; target process: Proforma Invoice scan copy.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0; process: Proforma Invoice scan copy.exe
  description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; process: Proforma Invoice scan copy.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid: 652; process: Proforma Invoice scan copy.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  pid: 1784; process: Proforma Invoice scan copy.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description: Token: SeDebugPrivilege; pid: 1784; process: Proforma Invoice scan copy.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description: PID 1784 wrote to memory of 652; pid: 1784; process: Proforma Invoice scan copy.exe; target process: Proforma Invoice scan copy.exe
  description: PID 1784 wrote to memory of 652; pid: 1784; process: Proforma Invoice scan copy.exe; target process: Proforma Invoice scan copy.exe
  description: PID 1784 wrote to memory of 652; pid: 1784; process: Proforma Invoice scan copy.exe; target process: Proforma Invoice scan copy.exe
  description: PID 1784 wrote to memory of 652; pid: 1784; process: Proforma Invoice scan copy.exe; target process: Proforma Invoice scan copy.exe
  description: PID 1784 wrote to memory of 652; pid: 1784; process: Proforma Invoice scan copy.exe; target process: Proforma Invoice scan copy.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Proforma Invoice scan copy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice scan copy.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Proforma Invoice scan copy.exe
    Command line: "Proforma Invoice scan copy.exe"
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/652-57-0x000000000041A1F8-mapping.dmp
- memory/652-60-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1784-54-0x00000000010C0000-0x0000000001128000-memory.dmp (Filesize: 416KB)
- memory/1784-55-0x00000000001E0000-0x000000000020A000-memory.dmp (Filesize: 168KB)
- memory/1784-56-0x00000000765F1000-0x00000000765F3000-memory.dmp (Filesize: 8KB)
- memory/1784-58-0x0000000000260000-0x0000000000263000-memory.dmp (Filesize: 12KB)