Analysis
- max time kernel: 115s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 19:48
Static task: static1
Behavioral task: behavioral1
- Sample: b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
- Resource: win10v2004-20220414-en
General
- Target: b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
- Size: 589KB
- MD5: f04791f80ce74a9702ecda811fca7edf
- SHA1: 33e5c4fd1858bf56c91586ce72daa6029039e23d
- SHA256: b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a
- SHA512: 6fe47afdc7485b6ae7287070f66a0d3831a8cdc82b0a3c96281ad80a45d9c4361023d61cf2f382fda4d916f5c1681a3359e9a5567270af782bd26a2a08ab7974
Malware Config
- Extracted family: azorult
- C2 URL: http://89.43.107.198/mpom/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 2744: ufzxfyzp.exe
  - PID 2700: ufzxfyzp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (source PID, source process, target PID, target process):
  - PID 2120 (b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe) wrote to memory of PID 2744 (ufzxfyzp.exe), 3 occurrences
  - PID 2744 (ufzxfyzp.exe) wrote to memory of PID 2700 (ufzxfyzp.exe), 10 occurrences
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\n29e5gb99yuq5sya
  - Filesize: 214KB
  - MD5: 664dc99256a895e016c2a583aa186011
  - SHA1: d543975302871a614057d02e12c3531698c0b706
  - SHA256: 67f7b33425bc7a7788d817712b9b73642e2c7402130e795b2d7384cf9839b939
  - SHA512: 37799fb22e33cb30370f19801e8b8bf9c0b8b94ef72ce394b02d0d6f689b923945be8e287b6cc438f0572a83ed389d9e5a50b487f724810b8599ed35e8cd2f39
- C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml
  - Filesize: 4KB
  - MD5: d794073cea5c25016fc9e10d9d561d3b
  - SHA1: 0a864adb3a08b19cbadb52f70281c1a48ef62a90
  - SHA256: 850731e6c213f62dc30227a97ebe8eb699f7dbeb5df8161b3842a8f7b16f10f2
  - SHA512: cc4664f3bdb3a4a1f8a9b764d74d251c3148875ba7d6bb975a1bde0f3a648dc91ca9ff8279a1ae4e60b22c1d021cafbb35973ea0259a5a7027cfdb7d0df7972b
- C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
  - Filesize: 171KB
  - MD5: 1398f625da2ce1ea75874863a150ed27
  - SHA1: 36f3466a87ba1d195658d4fda7dc724b7ccfbca5
  - SHA256: 7ef9f09ed7edff46712175015049a0afa8d366ce7d11fcc3fe00105a645e909f
  - SHA512: b40cc8bec833c5806aa078a248c82f9a8cf9bee99eb821c90ee1de71ffb4a47dbc34a360cfab39cf573e5572a61c83d842780c626ae0a0fe2c3519fe06a3f22e
Memory dumps
- memory/2700-135-0x0000000000000000-mapping.dmp
- memory/2700-137-0x0000000000D50000-0x0000000000D70000-memory.dmp (Filesize: 128KB)
- memory/2700-139-0x0000000000D50000-0x0000000000D70000-memory.dmp (Filesize: 128KB)
- memory/2700-142-0x0000000000D50000-0x0000000000D70000-memory.dmp (Filesize: 128KB)
- memory/2744-130-0x0000000000000000-mapping.dmp