Analysis
- max time kernel: 44s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 19:48
Static task: static1
Behavioral task: behavioral1
- Sample: b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
- Resource: win10v2004-20220414-en
General
- Target: b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
- Size: 589KB
- MD5: f04791f80ce74a9702ecda811fca7edf
- SHA1: 33e5c4fd1858bf56c91586ce72daa6029039e23d
- SHA256: b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a
- SHA512: 6fe47afdc7485b6ae7287070f66a0d3831a8cdc82b0a3c96281ad80a45d9c4361023d61cf2f382fda4d916f5c1681a3359e9a5567270af782bd26a2a08ab7974
Malware Config
Extracted
- Family: azorult
- C2: http://89.43.107.198/mpom/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (2 IoCs)
  Processes:
  pid   process
  1656  ufzxfyzp.exe
  1744  ufzxfyzp.exe
- Loads dropped DLL (5 IoCs)
  Processes:
  pid   process
  1984  b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
  1656  ufzxfyzp.exe
  1044  WerFault.exe
  1044  WerFault.exe
  1044  WerFault.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes:
  pid   pid_target  process       target process
  1044  1744        WerFault.exe  ufzxfyzp.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
  description                       pid   process                                                                 target process
  PID 1984 wrote to memory of 1656  1984  b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe  ufzxfyzp.exe  (4 events)
  PID 1656 wrote to memory of 1744  1656  ufzxfyzp.exe                                                            ufzxfyzp.exe  (11 events)
  PID 1744 wrote to memory of 1044  1744  ufzxfyzp.exe                                                            WerFault.exe  (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 120
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\n29e5gb99yuq5sya
  Filesize: 214KB
  MD5: 664dc99256a895e016c2a583aa186011
  SHA1: d543975302871a614057d02e12c3531698c0b706
  SHA256: 67f7b33425bc7a7788d817712b9b73642e2c7402130e795b2d7384cf9839b939
  SHA512: 37799fb22e33cb30370f19801e8b8bf9c0b8b94ef72ce394b02d0d6f689b923945be8e287b6cc438f0572a83ed389d9e5a50b487f724810b8599ed35e8cd2f39
- C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml
  Filesize: 4KB
  MD5: d794073cea5c25016fc9e10d9d561d3b
  SHA1: 0a864adb3a08b19cbadb52f70281c1a48ef62a90
  SHA256: 850731e6c213f62dc30227a97ebe8eb699f7dbeb5df8161b3842a8f7b16f10f2
  SHA512: cc4664f3bdb3a4a1f8a9b764d74d251c3148875ba7d6bb975a1bde0f3a648dc91ca9ff8279a1ae4e60b22c1d021cafbb35973ea0259a5a7027cfdb7d0df7972b
- C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
  Filesize: 171KB
  MD5: 1398f625da2ce1ea75874863a150ed27
  SHA1: 36f3466a87ba1d195658d4fda7dc724b7ccfbca5
  SHA256: 7ef9f09ed7edff46712175015049a0afa8d366ce7d11fcc3fe00105a645e909f
  SHA512: b40cc8bec833c5806aa078a248c82f9a8cf9bee99eb821c90ee1de71ffb4a47dbc34a360cfab39cf573e5572a61c83d842780c626ae0a0fe2c3519fe06a3f22e
- \Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
  Filesize: 171KB
  MD5: 1398f625da2ce1ea75874863a150ed27
  SHA1: 36f3466a87ba1d195658d4fda7dc724b7ccfbca5
  SHA256: 7ef9f09ed7edff46712175015049a0afa8d366ce7d11fcc3fe00105a645e909f
  SHA512: b40cc8bec833c5806aa078a248c82f9a8cf9bee99eb821c90ee1de71ffb4a47dbc34a360cfab39cf573e5572a61c83d842780c626ae0a0fe2c3519fe06a3f22e
- memory/1044-70-0x0000000000000000-mapping.dmp
- memory/1656-56-0x0000000000000000-mapping.dmp
- memory/1744-66-0x0000000000080000-0x00000000000A0000-memory.dmp
  Filesize: 128KB
- memory/1744-69-0x0000000000080000-0x00000000000A0000-memory.dmp
  Filesize: 128KB
- memory/1744-64-0x0000000000080000-0x00000000000A0000-memory.dmp
  Filesize: 128KB
- memory/1744-62-0x0000000000000000-mapping.dmp
- memory/1984-54-0x00000000753C1000-0x00000000753C3000-memory.dmp
  Filesize: 8KB