Analysis

  • max time kernel
    105s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    23/05/2022, 01:49

General

  • Target
    9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe
  • Size
    516KB
  • MD5
    a5669a3c8acad2ac38e73306066edecb
  • SHA1
    484046726d558f448051e5bb73e2b531c2c45246
  • SHA256
    9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94
  • SHA512
    e85b2c1df0e8f2652388056b2f72742f073db3588c9167b0e865df43b2f898c615174df240cb4a923d13b6f050f69e33037329dfacb87ac062cc0148ba7313a9

Malware Config

Extracted

Family

azorult

C2

http://mideastclinicsea.us/micr05oft-0n1ine/0a8005f5594bd67041f88c6196192646/a5bfc9e07964f8dddeb95fc584cd965d/df877f3865752637daa540ea9cbc474f/webmai1pr0tected/8efd23a3fe0ec74453bdd0fadb91b0e3/PL341/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13

  • Executes dropped EXE (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory (13 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe
    "C:\Users\Admin\AppData\Local\Temp\9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe"
    PID: 4264
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\ydzzl.exe
      C:\Users\Admin\AppData\Local\Temp\ydzzl.exe C:\Users\Admin\AppData\Local\Temp\wyjxu
      PID: 5008
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\ydzzl.exe
        C:\Users\Admin\AppData\Local\Temp\ydzzl.exe C:\Users\Admin\AppData\Local\Temp\wyjxu
        PID: 1008
        • Executes dropped EXE

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\wyjxu
    Filesize
    7KB
    MD5
    d8a269678720acfc5dc76b53208c3302
    SHA1
    2729bad20f6935e5b88489671900ddaa7d22c792
    SHA256
    88e9825f1ba032c3ba70907f767ca5370ee6070f665f05ee83b5af26613b4ecf
    SHA512
    b315c216c26995da4a220335a46f4cddd74e114d876d4f25c9b9f3d36a79bd5ef28c8a66a20002fcffaab19240dd53d0ac7239bf731c58cdd715fd0b9458ba4a

  • C:\Users\Admin\AppData\Local\Temp\xjewya0f8z6q4cvbu82l
    Filesize
    213KB
    MD5
    44623f66bab0f6148c33004e7247387f
    SHA1
    dd457b7633b125d6be1ee9bf9ca242e9e4174451
    SHA256
    a377019e6b43e9a7cc6b3dffb7ac1b98bbf9a8de3399ec44a8caf50ca7ebaaa2
    SHA512
    3c5055e9a88b94ee2e6b623c3c380a612e7444adb81c280e6edf349b0253ef7170d1f59e256c52b60fa57f0a14b9518739105ce4d1a12f5618a19fbab699fec8

  • C:\Users\Admin\AppData\Local\Temp\ydzzl.exe
    Filesize
    171KB
    MD5
    b70d0f4c2d7f34f176ece550d76ce092
    SHA1
    d6ef987a7e62cc591daa3ac2054bc171dec9a159
    SHA256
    a1de1a69e0252e6e04e188a4c70b434e7c60e43ec52475106b170124c018f039
    SHA512
    d00ca32682b5eeb884e54638b467fd07e6f509e51b273a5389d6426305a7cc7c17245b83c6b1bccdee1e9815b78fab31fda0526193f1075a8c27945094a792e1

  • memory/1008-137-0x00000000003C0000-0x00000000003E0000-memory.dmp
    Filesize
    128KB

  • memory/1008-139-0x00000000003C0000-0x00000000003E0000-memory.dmp
    Filesize
    128KB

  • memory/1008-142-0x00000000003C0000-0x00000000003E0000-memory.dmp
    Filesize
    128KB