Analysis

  • max time kernel
    32s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    23/05/2022, 01:49

General

  • Target

    b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe

  • Size

    589KB

  • MD5

    f04791f80ce74a9702ecda811fca7edf

  • SHA1

    33e5c4fd1858bf56c91586ce72daa6029039e23d

  • SHA256

    b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a

  • SHA512

    6fe47afdc7485b6ae7287070f66a0d3831a8cdc82b0a3c96281ad80a45d9c4361023d61cf2f382fda4d916f5c1681a3359e9a5567270af782bd26a2a08ab7974

Malware Config

Extracted

Family

azorult

C2

http://89.43.107.198/mpom/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
    "C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
      C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
        C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 120
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1248

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\n29e5gb99yuq5sya

          Filesize

          214KB

          MD5

          664dc99256a895e016c2a583aa186011

          SHA1

          d543975302871a614057d02e12c3531698c0b706

          SHA256

          67f7b33425bc7a7788d817712b9b73642e2c7402130e795b2d7384cf9839b939

          SHA512

          37799fb22e33cb30370f19801e8b8bf9c0b8b94ef72ce394b02d0d6f689b923945be8e287b6cc438f0572a83ed389d9e5a50b487f724810b8599ed35e8cd2f39

        • C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml

          Filesize

          4KB

          MD5

          d794073cea5c25016fc9e10d9d561d3b

          SHA1

          0a864adb3a08b19cbadb52f70281c1a48ef62a90

          SHA256

          850731e6c213f62dc30227a97ebe8eb699f7dbeb5df8161b3842a8f7b16f10f2

          SHA512

          cc4664f3bdb3a4a1f8a9b764d74d251c3148875ba7d6bb975a1bde0f3a648dc91ca9ff8279a1ae4e60b22c1d021cafbb35973ea0259a5a7027cfdb7d0df7972b

        • C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe

          Filesize

          171KB

          MD5

          1398f625da2ce1ea75874863a150ed27

          SHA1

          36f3466a87ba1d195658d4fda7dc724b7ccfbca5

          SHA256

          7ef9f09ed7edff46712175015049a0afa8d366ce7d11fcc3fe00105a645e909f

          SHA512

          b40cc8bec833c5806aa078a248c82f9a8cf9bee99eb821c90ee1de71ffb4a47dbc34a360cfab39cf573e5572a61c83d842780c626ae0a0fe2c3519fe06a3f22e

        • \Users\Admin\AppData\Local\Temp\ufzxfyzp.exe

          Filesize

          171KB

          MD5

          1398f625da2ce1ea75874863a150ed27

          SHA1

          36f3466a87ba1d195658d4fda7dc724b7ccfbca5

          SHA256

          7ef9f09ed7edff46712175015049a0afa8d366ce7d11fcc3fe00105a645e909f

          SHA512

          b40cc8bec833c5806aa078a248c82f9a8cf9bee99eb821c90ee1de71ffb4a47dbc34a360cfab39cf573e5572a61c83d842780c626ae0a0fe2c3519fe06a3f22e

        • memory/1432-54-0x0000000076C81000-0x0000000076C83000-memory.dmp

          Filesize

          8KB

        • memory/2024-66-0x0000000000080000-0x00000000000A0000-memory.dmp

          Filesize

          128KB

        • memory/2024-69-0x0000000000080000-0x00000000000A0000-memory.dmp

          Filesize

          128KB

        • memory/2024-64-0x0000000000080000-0x00000000000A0000-memory.dmp

          Filesize

          128KB