Analysis
max time kernel: 119s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 23/05/2022, 01:49
Static task: static1
Behavioral task: behavioral1
  Sample: 67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe
  Resource: win10v2004-20220414-en
General
Target: 67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe
Size: 341KB
MD5: a8c8c9f845755c28d970990ac073386d
SHA1: ff23867b93b68d1feefcbea5fb5a96fc2b5870d1
SHA256: 67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126
SHA512: 80a358958a39fed9fcf79d3b885a446f727ee89aad5e236074909a5677464c5cdabc8c3129bfb8c228556b8012a5cc54db46c28faf89ed3dff3e900c17ed2d2b
Malware Config
Extracted: azorult
http://2.56.59.31/purelogs/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (2 IoCs)
  pid   Process
  1560  ibjyf.exe
  2012  ibjyf.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (13 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 2624 wrote to memory of 1560  2624  67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe  81
  PID 2624 wrote to memory of 1560  2624  67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe  81
  PID 2624 wrote to memory of 1560  2624  67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe  81
  PID 1560 wrote to memory of 2012  1560  ibjyf.exe                                                               82
  PID 1560 wrote to memory of 2012  1560  ibjyf.exe                                                               82
  PID 1560 wrote to memory of 2012  1560  ibjyf.exe                                                               82
  PID 1560 wrote to memory of 2012  1560  ibjyf.exe                                                               82
  PID 1560 wrote to memory of 2012  1560  ibjyf.exe                                                               82
  PID 1560 wrote to memory of 2012  1560  ibjyf.exe                                                               82
  PID 1560 wrote to memory of 2012  1560  ibjyf.exe                                                               82
  PID 1560 wrote to memory of 2012  1560  ibjyf.exe                                                               82
  PID 1560 wrote to memory of 2012  1560  ibjyf.exe                                                               82
  PID 1560 wrote to memory of 2012  1560  ibjyf.exe                                                               82
Processes
1. C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe"
   - Suspicious use of WriteProcessMemory
   PID: 2624
   2. C:\Users\Admin\AppData\Local\Temp\ibjyf.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ibjyf.exe C:\Users\Admin\AppData\Local\Temp\zjpvfl
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1560
      3. C:\Users\Admin\AppData\Local\Temp\ibjyf.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\ibjyf.exe C:\Users\Admin\AppData\Local\Temp\zjpvfl
         - Executes dropped EXE
         PID: 2012
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 213KB
  MD5: d68efd53b46be72c468deb58e648d035
  SHA1: 2f7ce2bd0076bf6530905ee8863a93eed5feab56
  SHA256: e9db77d19a967335c3408db51f4c693cf663ed1d4c5c4f193b6d0bafe9049af5
  SHA512: ec67672126fcf2a47ae4b845396121185c35791a6c5b024c33162ab0370f70fa6e7e101897c083b09b6c95ab36bf977abdb9f04e9cfbec4b98fff1c80c842c57
- Filesize: 172KB (three identical entries in the report)
  MD5: 3ce2e03927cfb19ced6be0d1a4df16b9
  SHA1: 67812421bfad08fa0d0ec9a6fa7341cab5687860
  SHA256: 23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa
  SHA512: 0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc
- Filesize: 5KB
  MD5: ad4a34c660bd08739bde04685d83743c
  SHA1: 8930ea55e26562c033dca1c6aab8d50fb4bf786b
  SHA256: 584c5e9c39032e13e4a22e10f6810c5a16eebd4e6176b7b10f60125de48946e2
  SHA512: ecd73bd232804a7940e2c211923fe504ff0ad857456f9cb68ebb0c164ead9f9c475c38c784a383461059dc355b7977d18b18078320332b32d2b99f7822351f4f