Analysis
max time kernel: 33s
max time network: 46s
platform: windows7_x64
resource: win7-20220414-en
submitted: 23/05/2022, 01:49
Static task: static1
Behavioral task: behavioral1
  Sample: 9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe
  Resource: win10v2004-20220414-en
General
Target: 9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe
Size: 516KB
MD5: a5669a3c8acad2ac38e73306066edecb
SHA1: 484046726d558f448051e5bb73e2b531c2c45246
SHA256: 9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94
SHA512: e85b2c1df0e8f2652388056b2f72742f073db3588c9167b0e865df43b2f898c615174df240cb4a923d13b6f050f69e33037329dfacb87ac062cc0148ba7313a9
Malware Config
Extracted
Family: azorult
C2: http://mideastclinicsea.us/micr05oft-0n1ine/0a8005f5594bd67041f88c6196192646/a5bfc9e07964f8dddeb95fc584cd965d/df877f3865752637daa540ea9cbc474f/webmai1pr0tected/8efd23a3fe0ec74453bdd0fadb91b0e3/PL341/index.php
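The extracted C2 URL is the most actionable item in this report. The hostname is the durable indicator; the long hex directory chain and the "PL341" component are campaign-specific and can change while the gate script stays the same, so a host match is worth more than a full-URL match. The following script is an added example (not part of the sandbox report) that splits the extracted URL into host, path and gate, then runs those indicators over proxy log lines. The log format (timestamp, client IP, method, URL, status) and every log line in SAMPLE_LOG are constructed for illustration; only the C2 URL itself comes from the report.

```python
"""Network indicators derived from the AzoRult C2 URL in the report, run
over proxy log lines.  Added example; the log format and log lines are
constructed, only C2_URL is taken from the sandbox report."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Copied from the "Malware Config" section of the report.
C2_URL = (
    "http://mideastclinicsea.us/micr05oft-0n1ine/"
    "0a8005f5594bd67041f88c6196192646/a5bfc9e07964f8dddeb95fc584cd965d/"
    "df877f3865752637daa540ea9cbc474f/webmai1pr0tected/"
    "8efd23a3fe0ec74453bdd0fadb91b0e3/PL341/index.php"
)


@dataclass(frozen=True)
class C2Indicator:
    host: str   # exact hostname, lower-cased
    path: str   # full gate path as extracted
    gate: str   # final path component (the script the bot talks to)


def c2_indicator(url: str) -> C2Indicator:
    """Split the extracted C2 URL into the pieces worth matching on."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return C2Indicator(host=host, path=parts.path,
                       gate=parts.path.rsplit("/", 1)[-1])


def classify(line: str, ind: C2Indicator):
    """Verdict for one log line, or None if it is unrelated.

    Constructed line format: <timestamp> <client-ip> <method> <url> <status>
    """
    fields = line.split()
    if len(fields) != 5:
        return None
    url = urlsplit(fields[3])
    host = (url.hostname or "").lower()
    # Exact hostname comparison on purpose: a substring test would also
    # fire on look-alike hosts such as notmideastclinicsea.us.
    if host != ind.host:
        return None
    if url.path == ind.path:
        return "exact-c2"          # the URL from the report, verbatim
    if url.path.endswith("/" + ind.gate):
        return "c2-host-gate"      # same host, a different campaign path
    return "c2-host"               # any other contact with the C2 host


def scan(lines, ind: C2Indicator):
    """Return (verdict, line) for every line that touches the C2 host."""
    hits = []
    for line in lines:
        verdict = classify(line, ind)
        if verdict is not None:
            hits.append((verdict, line))
    return hits


# Constructed sample log; the timestamps, client IPs and the PL342 path are
# made up for the example.
SAMPLE_LOG = [
    "2022-05-23T01:50:01Z 10.0.0.5 POST " + C2_URL + " 200",
    "2022-05-23T01:50:03Z 10.0.0.5 GET http://www.example.com/index.php 200",
    "2022-05-23T01:50:09Z 10.0.0.7 POST http://mideastclinicsea.us/PL342/index.php 200",
    "2022-05-23T01:50:12Z 10.0.0.8 GET http://MideastClinicSea.us/ 404",
    "2022-05-23T01:50:15Z 10.0.0.9 GET http://notmideastclinicsea.us/index.php 200",
]

if __name__ == "__main__":
    for verdict, line in scan(SAMPLE_LOG, c2_indicator(C2_URL)):
        print(f"{verdict:14} {line}")
```

Running the script flags three of the five constructed lines: the verbatim gate URL, a different path on the same host, and a bare visit to the host with mixed-case spelling; the look-alike host and the unrelated index.php are left alone. When turning this into a blocklist entry, block the hostname rather than the full path for the reason given above.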
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Executes dropped EXE (2 IoCs)
PID    Process
1856   ydzzl.exe
1228   ydzzl.exe

Loads dropped DLL (5 IoCs)
PID    Process
748    9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe
1856   ydzzl.exe
980    WerFault.exe (listed three times)

Adds Run key to start application (2 TTPs, 1 IoC)
Operation: Set value (str), by ydzzl.exe
Key:  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\miihwsieh
Data: "C:\Users\Admin\AppData\Roaming\cchna\ktqglofa.exe"
The persisted path (ktqglofa.exe under AppData\Roaming\cchna) does not appear anywhere else in this report, so on a live host confirm whether that file was actually written before treating the Run value alone as the full persistence picture.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; for an AzoRult stealer, drive enumeration is more plausibly part of locating files to collect, so do not read it as evidence of encryption activity.

Program crash (1 IoC)
PID    Target PID    Process         procid_target
980    1228          WerFault.exe    28
WerFault.exe is the Windows error reporter, launched for the crashing ydzzl.exe (PID 1228); see the "-p 1228" argument in the process tree.

Suspicious use of WriteProcessMemory (19 IoCs)
Writer PID   Writer process                                                             Target PID   procid_target   Writes
748          9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe       1856         27              4
1856         ydzzl.exe                                                                  1228         28              11
1228         ydzzl.exe                                                                  980          29              4
A handful of writes into a freshly created child is the normal footprint of process creation, which accounts for the 748 -> 1856 and 1228 -> 980 rows. The 11 writes from ydzzl.exe (1856) into a child running the same image and command line (1228) are the ones to look at: that pattern is consistent with the parent injecting code into a copy of itself, and 1228 is also the process that crashes.
Processes
1. C:\Users\Admin\AppData\Local\Temp\9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe (PID 748)
   Command line: "C:\Users\Admin\AppData\Local\Temp\9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ydzzl.exe (PID 1856, child of 748)
      Command line: C:\Users\Admin\AppData\Local\Temp\ydzzl.exe C:\Users\Admin\AppData\Local\Temp\wyjxu
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\ydzzl.exe (PID 1228, child of 1856)
         Command line: C:\Users\Admin\AppData\Local\Temp\ydzzl.exe C:\Users\Admin\AppData\Local\Temp\wyjxu
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\WerFault.exe (PID 980, child of 1228)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 120
            - Loads dropped DLL
            - Program crash
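Two things in this report translate directly into host-side detections: the Run value written by ydzzl.exe that points into AppData\Roaming, and the chain dropper -> ydzzl.exe -> ydzzl.exe (same image and command line, written to 11 times) -> WerFault.exe. The script below is an added example, not part of the sandbox report, that encodes both as rules and runs them over events in a Sysmon-like shape (ID 1 = process create, ID 13 = registry value set). The events are constructed from the PIDs, paths and Run key in the report; the dropper's parent (explorer.exe, PID 600) and the field names are assumptions of the example.

```python
"""Detection rules for the Run-key persistence and the self-relaunch /
crash chain seen in this AzoRult report.  Added example; events are
constructed in a Sysmon-like shape from the report's PIDs and paths."""
import re

# Paths and the registry value as they appear in the report.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe")
YDZZL = r"C:\Users\Admin\AppData\Local\Temp\ydzzl.exe"
WYJXU = r"C:\Users\Admin\AppData\Local\Temp\wyjxu"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\miihwsieh")
RUN_DATA = r"C:\Users\Admin\AppData\Roaming\cchna\ktqglofa.exe"

# Constructed events.  The explorer.exe parent (PID 600) is assumed; every
# other PID, image and command line is taken from the report.
EVENTS = [
    {"id": 1, "pid": 748, "ppid": 600, "image": DROPPER,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": '"' + DROPPER + '"'},
    {"id": 1, "pid": 1856, "ppid": 748, "image": YDZZL,
     "parent_image": DROPPER, "cmdline": YDZZL + " " + WYJXU},
    {"id": 13, "pid": 1856, "image": YDZZL, "target": RUN_KEY, "details": RUN_DATA},
    {"id": 1, "pid": 1228, "ppid": 1856, "image": YDZZL,
     "parent_image": YDZZL, "cmdline": YDZZL + " " + WYJXU},
    {"id": 1, "pid": 980, "ppid": 1228, "image": WERFAULT,
     "parent_image": YDZZL, "cmdline": WERFAULT + " -u -p 1228 -s 120"},
]

# Directories a standard user can write to; AppData\Roaming and
# AppData\Local\Temp are the two this sample uses, Users\Public is a
# common third one added for generality.
USER_WRITABLE = ("/appdata/roaming/", "/appdata/local/temp/", "/users/public/")


def norm(path: str) -> str:
    """Case-fold and use forward slashes so matching ignores quoting/case."""
    return path.strip('"').lower().replace("\\", "/")


def in_user_writable(path: str) -> bool:
    return any(marker in norm(path) for marker in USER_WRITABLE)


def detect(events):
    """Apply three rules and return (rule, ...) tuples in event order."""
    findings = []
    image_by_pid = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    for e in events:
        if e["id"] == 13:
            # Rule 1: a Run value whose data lives in a user-writable directory.
            if "/currentversion/run/" in norm(e["target"]) and in_user_writable(e["details"]):
                findings.append(("run-key-to-user-dir", e["pid"], e["details"]))
        elif e["id"] == 1:
            # Rule 2: a user-directory binary relaunching its own image
            # (the parent then writes into the child: injection candidate).
            if norm(e["image"]) == norm(e["parent_image"]) and in_user_writable(e["image"]):
                findings.append(("self-relaunch-from-user-dir", e["ppid"], e["pid"]))
            # Rule 3: WerFault reporting a crash of a user-directory process.
            if norm(e["image"]).endswith("/werfault.exe"):
                m = re.search(r"-p (\d+)", e["cmdline"])
                target = int(m.group(1)) if m else None
                if target is not None and in_user_writable(image_by_pid.get(target, "")):
                    findings.append(("crash-of-user-dir-process", target, image_by_pid[target]))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

On the constructed events the three rules fire once each: the Run value set by PID 1856, the 1856 -> 1228 relaunch of ydzzl.exe, and WerFault reporting the crash of 1228. Rule 2 deliberately does not fire on 748 -> 1856, where the images differ; a sandbox "Executes dropped EXE" hit needs file-creation events that this example does not model.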
Network
MITRE ATT&CK Enterprise v6
Downloads (dropped files)

File 1
  Filesize: 7KB
  MD5: d8a269678720acfc5dc76b53208c3302
  SHA1: 2729bad20f6935e5b88489671900ddaa7d22c792
  SHA256: 88e9825f1ba032c3ba70907f767ca5370ee6070f665f05ee83b5af26613b4ecf
  SHA512: b315c216c26995da4a220335a46f4cddd74e114d876d4f25c9b9f3d36a79bd5ef28c8a66a20002fcffaab19240dd53d0ac7239bf731c58cdd715fd0b9458ba4a

File 2
  Filesize: 213KB
  MD5: 44623f66bab0f6148c33004e7247387f
  SHA1: dd457b7633b125d6be1ee9bf9ca242e9e4174451
  SHA256: a377019e6b43e9a7cc6b3dffb7ac1b98bbf9a8de3399ec44a8caf50ca7ebaaa2
  SHA512: 3c5055e9a88b94ee2e6b623c3c380a612e7444adb81c280e6edf349b0253ef7170d1f59e256c52b60fa57f0a14b9518739105ce4d1a12f5618a19fbab699fec8

File 3 (the original report lists this entry seven times with identical hashes)
  Filesize: 171KB
  MD5: b70d0f4c2d7f34f176ece550d76ce092
  SHA1: d6ef987a7e62cc591daa3ac2054bc171dec9a159
  SHA256: a1de1a69e0252e6e04e188a4c70b434e7c60e43ec52475106b170124c018f039
  SHA512: d00ca32682b5eeb884e54638b467fd07e6f509e51b273a5389d6426305a7cc7c17245b83c6b1bccdee1e9815b78fab31fda0526193f1075a8c27945094a792e1