Analysis
max time kernel: 41s
max time network: 47s
platform: windows7_x64
resource: win7-20220414-en
submitted: 23/05/2022, 01:49
Static task: static1
Behavioral task: behavioral1
  Sample: 3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe
  Resource: win10v2004-20220414-en
General
Target: 3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe
Size: 337KB
MD5: bce638f50587c46faa3c3e1798100251
SHA1: 7b354d3902b1af13cc17cf4ec0c4da111309956d
SHA256: 3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b
SHA512: 18445d9cd7bf41946817dae07652e2f4e9c0f14e98c90941c30b304fb70667aa79f4b5603f60d73bcd7bcca611bee7ac1d0601b278121c311de917b8e26e5c9f
Malware Config
Extracted
Family: azorult
C2: http://89.43.107.198/mpom/index.php
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Executes dropped EXE (2 IoCs)
pid   Process
1008  ucxgm.exe
1336  ucxgm.exe

Loads dropped DLL (5 IoCs)
pid   Process
812   3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe
1008  ucxgm.exe
1328  WerFault.exe
1328  WerFault.exe
1328  WerFault.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
pid   pid_target  Process       procid_target
1328  1336        WerFault.exe  28

Suspicious use of WriteProcessMemory (19 IoCs)
description                       pid   Process                                                                   procid_target
PID 812 wrote to memory of 1008   812   3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe  27
PID 812 wrote to memory of 1008   812   3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe  27
PID 812 wrote to memory of 1008   812   3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe  27
PID 812 wrote to memory of 1008   812   3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe  27
PID 1008 wrote to memory of 1336  1008  ucxgm.exe                                                                 28
PID 1008 wrote to memory of 1336  1008  ucxgm.exe                                                                 28
PID 1008 wrote to memory of 1336  1008  ucxgm.exe                                                                 28
PID 1008 wrote to memory of 1336  1008  ucxgm.exe                                                                 28
PID 1008 wrote to memory of 1336  1008  ucxgm.exe                                                                 28
PID 1008 wrote to memory of 1336  1008  ucxgm.exe                                                                 28
PID 1008 wrote to memory of 1336  1008  ucxgm.exe                                                                 28
PID 1008 wrote to memory of 1336  1008  ucxgm.exe                                                                 28
PID 1008 wrote to memory of 1336  1008  ucxgm.exe                                                                 28
PID 1008 wrote to memory of 1336  1008  ucxgm.exe                                                                 28
PID 1008 wrote to memory of 1336  1008  ucxgm.exe                                                                 28
PID 1336 wrote to memory of 1328  1336  ucxgm.exe                                                                 29
PID 1336 wrote to memory of 1328  1336  ucxgm.exe                                                                 29
PID 1336 wrote to memory of 1328  1336  ucxgm.exe                                                                 29
PID 1336 wrote to memory of 1328  1336  ucxgm.exe                                                                 29
Processes
1. C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe"
   PID: 812
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\joszbi
      PID: 1008
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\joszbi
         PID: 1336
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 120
            PID: 1328
            - Loads dropped DLL
            - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 5KB
MD5: a5a523f60a17756e61e17ba513ff59d1
SHA1: d03b444c7c2d4ffb34d483427e69ec2116d90951
SHA256: 5519ce10c332d304d521a15d902d84e2feac7827a148284713402de837fd4755
SHA512: 99af33e2deb545c902c8663a67643b18ae2ee09924c8dee23c4ed93a6ff55305c020e3fd4e2d3781144450b14468c08799a3c59dfd1151893ec1a7e8352ef08d

Filesize: 211KB
MD5: 664cb163be98c1035799694e2585cb16
SHA1: 30984822dc25b065f6476557361396282906c551
SHA256: 466b28f6c18c530ac94410a111fe1feb84b2363b03831cb3e39af96d37ad56cd
SHA512: e723882a67c072413357da1d9950a363ffcdb38fd1554cfede3acc75a16b6b78497a736fed7c32a5b8431a4ce591d3610da561ebbfee03ce04d6661e32612985

Filesize: 179KB
MD5: 78673699f5e78cf7ecfbb9ef42f3cc20
SHA1: 7d1a1e230a595a3249f70871dfca54c1c7e6bb3e
SHA256: 85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838
SHA512: 1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016