Analysis
- max time kernel: 32s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 23/05/2022, 01:49

Static task: static1

Behavioral task: behavioral1
- Sample: b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
- Resource: win10v2004-20220414-en
General
- Target: b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
- Size: 589KB
- MD5: f04791f80ce74a9702ecda811fca7edf
- SHA1: 33e5c4fd1858bf56c91586ce72daa6029039e23d
- SHA256: b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a
- SHA512: 6fe47afdc7485b6ae7287070f66a0d3831a8cdc82b0a3c96281ad80a45d9c4361023d61cf2f382fda4d916f5c1681a3359e9a5567270af782bd26a2a08ab7974
Malware Config
Extracted
- Family: azorult
- C2: http://89.43.107.198/mpom/index.php
Signatures

- Azorult
  An information stealer first seen in 2016; it targets browser history and saved passwords.

- Executes dropped EXE (2 IoCs)
  PID   Process
  1984  ufzxfyzp.exe
  2024  ufzxfyzp.exe

- Loads dropped DLL (5 IoCs)
  PID   Process
  1432  b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
  1984  ufzxfyzp.exe
  1248  WerFault.exe
  1248  WerFault.exe
  1248  WerFault.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature says "likely ransomware behaviour", but this sample is classified as Azorult, an information stealer; drive enumeration is a weak indicator on its own and should be read alongside that classification rather than as evidence of encryption activity.

- Program crash (1 IoC)
  PID   pid_target  Process       procid_target
  1248  2024        WerFault.exe  29
  The second ufzxfyzp.exe instance (PID 2024) crashed and was collected by WerFault.exe.

- Suspicious use of WriteProcessMemory (19 IoCs)
  Source PID  Source process                                                          Target PID  procid_target  Events
  1432        b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe   1984        28             4
  1984        ufzxfyzp.exe                                                            2024        29             11
  2024        ufzxfyzp.exe                                                            1248        30             4
  procid_target is the sandbox's internal process index, not a Windows PID. A process launching a second instance of its own image and then writing into it (1984 -> 2024) is a common injection pattern; the signature records the API use only, not what was written.
Processes

C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe"
  PID: 1432
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  └─ C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
       Command line: C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml
       PID: 1984
       - Executes dropped EXE
       - Loads dropped DLL
       - Suspicious use of WriteProcessMemory

       └─ C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml
            PID: 2024
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            └─ C:\Windows\SysWOW64\WerFault.exe
                 Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 120
                 PID: 1248
                 - Loads dropped DLL
                 - Program crash
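The process tree above shows the behaviour worth turning into a detection: a binary running from the user's Temp directory launches a second instance of its own image, and that second instance is then collected by WerFault.exe. The following is an added example, not part of the sandbox report, that runs that check over process-creation events. The event records are constructed from the report's tree; the Sysmon-style field names (pid, ppid, image, cmdline), the root process's parent PID (700) and the two Chrome events used as a benign control are assumptions.

```python
"""Behavioural check for the process chain in this report (added example).
Event records are constructed from the report's process tree; the field
schema pid/ppid/image/cmdline is an assumption, as are the placeholder
parent PID 700 and the Chrome events used as a benign control."""
import ntpath
import re
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe"
DROPPED_CMD = DROPPED + r" C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"   # placeholder benign control

# Constructed events: the first four mirror the report (PIDs, images, command
# lines); the last two are a benign browser spawning its own image outside Temp.
EVENTS: List[Dict] = [
    {"pid": 1432, "ppid": 700,  "image": SAMPLE,  "cmdline": f'"{SAMPLE}"'},
    {"pid": 1984, "ppid": 1432, "image": DROPPED, "cmdline": DROPPED_CMD},
    {"pid": 2024, "ppid": 1984, "image": DROPPED, "cmdline": DROPPED_CMD},
    {"pid": 1248, "ppid": 2024, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 120"},
    {"pid": 3900, "ppid": 700,  "image": CHROME, "cmdline": f'"{CHROME}"'},
    {"pid": 4000, "ppid": 3900, "image": CHROME, "cmdline": f'"{CHROME}" --type=renderer'},
]

TEMP_MARKER = "\\appdata\\local\\temp\\"   # user-writable Temp, where both binaries ran
WERFAULT_RE = re.compile(r"werfault\.exe.*?\s-p\s+(\d+)", re.IGNORECASE)


def in_user_temp(path: str) -> bool:
    return TEMP_MARKER in path.lower()


def self_spawns(events: List[Dict]) -> List[Tuple[int, int]]:
    """(parent_pid, child_pid) pairs where a Temp-resident image launched a
    second instance of itself. Chrome's identical-image renderer children
    are excluded by the Temp condition."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if parent["image"].lower() == e["image"].lower() and in_user_temp(e["image"]):
            hits.append((parent["pid"], e["pid"]))
    return hits


def werfault_targets(events: List[Dict]) -> Dict[int, int]:
    """Map each WerFault.exe PID to the crashed PID named by its -p argument."""
    out = {}
    for e in events:
        if ntpath.basename(e["image"]).lower() != "werfault.exe":
            continue
        m = WERFAULT_RE.search(e["cmdline"])
        if m:
            out[e["pid"]] = int(m.group(1))
    return out


def findings(events: List[Dict]) -> List[str]:
    """Combine both checks into one finding per suspicious self-spawn."""
    crashed = set(werfault_targets(events).values())
    out = []
    for ppid, pid in self_spawns(events):
        name = ntpath.basename(next(e["image"] for e in events if e["pid"] == pid))
        msg = f"PID {ppid} launched a second instance of its own image {name} from user Temp as PID {pid}"
        if pid in crashed:
            msg += f"; PID {pid} then crashed and was collected by WerFault"
        out.append(msg)
    return out


if __name__ == "__main__":
    for line in findings(EVENTS):
        print(line)
```

The Temp condition is what keeps this from firing on every browser or updater that spawns its own image; tighten or loosen it to match the directories your estate treats as user-writable.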
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 214KB
  MD5: 664dc99256a895e016c2a583aa186011
  SHA1: d543975302871a614057d02e12c3531698c0b706
  SHA256: 67f7b33425bc7a7788d817712b9b73642e2c7402130e795b2d7384cf9839b939
  SHA512: 37799fb22e33cb30370f19801e8b8bf9c0b8b94ef72ce394b02d0d6f689b923945be8e287b6cc438f0572a83ed389d9e5a50b487f724810b8599ed35e8cd2f39

- Filesize: 4KB
  MD5: d794073cea5c25016fc9e10d9d561d3b
  SHA1: 0a864adb3a08b19cbadb52f70281c1a48ef62a90
  SHA256: 850731e6c213f62dc30227a97ebe8eb699f7dbeb5df8161b3842a8f7b16f10f2
  SHA512: cc4664f3bdb3a4a1f8a9b764d74d251c3148875ba7d6bb975a1bde0f3a648dc91ca9ff8279a1ae4e60b22c1d021cafbb35973ea0259a5a7027cfdb7d0df7972b

- Filesize: 171KB (reported eight times with identical hashes)
  MD5: 1398f625da2ce1ea75874863a150ed27
  SHA1: 36f3466a87ba1d195658d4fda7dc724b7ccfbca5
  SHA256: 7ef9f09ed7edff46712175015049a0afa8d366ce7d11fcc3fe00105a645e909f
  SHA512: b40cc8bec833c5806aa078a248c82f9a8cf9bee99eb821c90ee1de71ffb4a47dbc34a360cfab39cf573e5572a61c83d842780c626ae0a0fe2c3519fe06a3f22e
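The atomic indicators in this report (the sample and dropped-file SHA-256 hashes from the General and Downloads sections, and the extracted C2 URL from Malware Config) are the ones to hunt with. The following is an added example, not part of the sandbox report, that matches file contents against those hashes and scans proxy log lines for the C2 URL, distinguishing an exact hit on the gate URL from any other request to the same host. The file contents and the Squid-style access log lines are constructed; the log format is an assumption.

```python
"""Hunt for this report's atomic indicators (added example, not sandbox output).
File contents and proxy log lines used here are constructed; the Squid-style
access log format is an assumption."""
import hashlib
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

C2_URL = "http://89.43.107.198/mpom/index.php"   # from Malware Config
_C2 = urlsplit(C2_URL)

# SHA-256 -> label, taken from the General and Downloads sections.
SHA256_IOCS: Dict[str, str] = {
    "b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a": "submitted sample (589KB)",
    "67f7b33425bc7a7788d817712b9b73642e2c7402130e795b2d7384cf9839b939": "dropped file (214KB)",
    "850731e6c213f62dc30227a97ebe8eb699f7dbeb5df8161b3842a8f7b16f10f2": "dropped file (4KB)",
    "7ef9f09ed7edff46712175015049a0afa8d366ce7d11fcc3fe00105a645e909f": "dropped file (171KB)",
}

URL_RE = re.compile(r"https?://\S+")


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hashes(files: Dict[str, bytes], iocs: Dict[str, str] = SHA256_IOCS) -> List[Tuple[str, str, str]]:
    """Return (name, label, sha256) for every file whose hash is in `iocs`."""
    hits = []
    for name, data in files.items():
        digest = sha256_of(data)
        if digest in iocs:
            hits.append((name, iocs[digest], digest))
    return hits


def match_tree(root: Path, iocs: Dict[str, str] = SHA256_IOCS) -> List[Tuple[str, str, str]]:
    """The same check over a real directory tree (reads from disk; not run offline)."""
    files = {str(p): p.read_bytes() for p in root.rglob("*") if p.is_file()}
    return match_hashes(files, iocs)


def classify_url(url: str) -> Optional[str]:
    """'c2_url' for the exact gate URL, 'c2_host' for any other URL on the C2 host."""
    u = urlsplit(url)
    if u.hostname != _C2.hostname:
        return None
    return "c2_url" if u.path == _C2.path else "c2_host"


def scan_proxy_log(lines) -> List[Dict]:
    """One hit per line: the first URL token on the line that touches the C2 host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            kind = classify_url(url)
            if kind:
                hits.append({"line": n, "url": url, "match": kind})
                break
    return hits


# Constructed Squid-style access log: an exact C2 gate POST, a benign request,
# and a request to the C2 host on a different path.
PROXY_LOG = """\
1653270123.114     42 10.0.0.15 TCP_MISS/200 1187 POST http://89.43.107.198/mpom/index.php - HIER_DIRECT/89.43.107.198 text/html
1653270124.020     11 10.0.0.15 TCP_HIT/200 8421 GET http://www.example.com/index.html - HIER_NONE/- text/html
1653270130.551     37 10.0.0.22 TCP_MISS/404 311 GET http://89.43.107.198/ - HIER_DIRECT/89.43.107.198 text/html
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(hit)
```

Treat a c2_host match as lower confidence than a c2_url match: the host is a bare IP that could be reassigned, whereas the /mpom/index.php gate path is specific to this configuration.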