Analysis
Max time kernel: 39s
Max time network: 45s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 23/05/2022, 01:49
Static task: static1
Behavioral task: behavioral1
  Sample: 67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe
  Resource: win10v2004-20220414-en
General
Target: 67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe
Size: 341KB
MD5: a8c8c9f845755c28d970990ac073386d
SHA1: ff23867b93b68d1feefcbea5fb5a96fc2b5870d1
SHA256: 67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126
SHA512: 80a358958a39fed9fcf79d3b885a446f727ee89aad5e236074909a5677464c5cdabc8c3129bfb8c228556b8012a5cc54db46c28faf89ed3dff3e900c17ed2d2b
Malware Config
Extracted family: azorult
URL: http://2.56.59.31/purelogs/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (2 IoCs)
  pid   Process
  1516  ibjyf.exe
  1652  ibjyf.exe
- Loads dropped DLL (5 IoCs)
  pid   Process
  1004  67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe
  1516  ibjyf.exe
  2000  WerFault.exe
  2000  WerFault.exe
  2000  WerFault.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  2000  1652        WerFault.exe  28
- Suspicious use of WriteProcessMemory (19 IoCs; identical rows collapsed, count shown)
  description                        pid   Process                                                                   procid_target  count
  PID 1004 wrote to memory of 1516   1004  67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe  27             4
  PID 1516 wrote to memory of 1652   1516  ibjyf.exe                                                                 28             11
  PID 1652 wrote to memory of 2000   1652  ibjyf.exe                                                                 29             4
Processes
1. C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1004
   2. C:\Users\Admin\AppData\Local\Temp\ibjyf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ibjyf.exe C:\Users\Admin\AppData\Local\Temp\zjpvfl
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1516
      3. C:\Users\Admin\AppData\Local\Temp\ibjyf.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\ibjyf.exe C:\Users\Admin\AppData\Local\Temp\zjpvfl
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         PID: 1652
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 120
            - Loads dropped DLL
            - Program crash
            PID: 2000
Network
MITRE ATT&CK Enterprise v6
Downloads