Analysis
- max time kernel: 101s
- max time network: 93s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-05-2022 15:53
Static task: static1
Behavioral task: behavioral1
- Sample: a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe
- Resource: win10v2004-20220414-en
General
- Target: a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe
- Size: 3.4MB
- MD5: eeac6ced2e0a2d0a9d2455d4f510c5c3
- SHA1: 4b7d8d24cf1b39448a8d66cf75ae7786dc4fc075
- SHA256: a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb
- SHA512: f3d914b59a56f48b3bcebe9bd8470cf885f2ed868bd19c28b46da84abdf36db5854f9ffbeb55bcf298d7100b9f4573142850cc5d5ead5b70422ff2532e14befe
Malware Config
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 2032 tmp3unl_j.exe
  - 2044 setup.exe
  - 1960 a.exe
- Drops startup file (1 IoC)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (by tmp3unl_j.exe)
- Loads dropped DLL (8 IoCs)
  Processes (pid, process):
  - 1776 a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe (reported 5 times)
  - 2032 tmp3unl_j.exe (reported 3 times)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid, process):
  - 2032 tmp3unl_j.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (description, pid, process, target process):
  - PID 1732 wrote to memory of 1776: 1732 a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe -> a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe (reported 4 times)
  - PID 1776 wrote to memory of 2032: 1776 a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe -> tmp3unl_j.exe (reported 4 times)
  - PID 2032 wrote to memory of 2044: 2032 tmp3unl_j.exe -> setup.exe (reported 7 times)
  - PID 2032 wrote to memory of 1960: 2032 tmp3unl_j.exe -> a.exe (reported 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\appdata\local\temp\tmp3unl_j.exe (level 3)
      Command line: "C:\Users\Admin\appdata\local\temp\tmp3unl_j.exe"
      - Executes dropped EXE
      - Drops startup file
      - Loads dropped DLL
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\a.exe (level 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\a.exe
        - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\setup.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\_MEI17322\DiscordSpamTool.exe.manifest
  Filesize: 1KB
  MD5: 570e2cfa11950537cc9f707dfc47e3c0
  SHA1: 016ddd6fcc2f6e8dcd8529c8b4c2b34d6d782ca2
  SHA256: 85e55e56044ddce3b0f126ba052d305edcfde2d219e3e434f7aa129fe1a95a28
  SHA512: ed25b9cb7c66b7fa385ca7bb9ea5a04529653d64711f78ac971fa624ce1b5500fab2928790967b44805ca344095454824f79779ed4d348dc5fa6146cee1ab535
- C:\Users\Admin\AppData\Local\Temp\_MEI17322\python27.dll
  Filesize: 92KB
  MD5: c9611d45beafd6dc948c9875acbc74be
  SHA1: 18be61415ea07763da4ebc38f53ef9248827b00c
  SHA256: e8a92bd0730b2e5eb54ae91b5ab0e0452469a549055e61aac27f94d1947d0a3f
  SHA512: 090934a1c6c55a1a0c25471f0ae0ab3b963f997b649b9c62cf5fdce7cc0f3aeb33f06c704e8a6ca20a2857244f6c0d4d7c71a21bcc22f92e6ee2a913b12dbbfc
- C:\Users\Admin\AppData\Local\Temp\_MEI17~1\_ctypes.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI17~1\_hashlib.pyd
- C:\Users\Admin\AppData\Local\Temp\a.exe
- C:\Users\Admin\AppData\Local\Temp\setup.exe
- C:\Users\Admin\AppData\Local\Temp\setup.exe
- C:\Users\Admin\AppData\Local\Temp\tmp3unl_j.exe
- C:\Users\Admin\appdata\local\temp\tmp3unl_j.exe
- \Users\Admin\AppData\Local\Temp\_MEI17322\python27.dll
  Filesize: 92KB
  MD5: c9611d45beafd6dc948c9875acbc74be
  SHA1: 18be61415ea07763da4ebc38f53ef9248827b00c
  SHA256: e8a92bd0730b2e5eb54ae91b5ab0e0452469a549055e61aac27f94d1947d0a3f
  SHA512: 090934a1c6c55a1a0c25471f0ae0ab3b963f997b649b9c62cf5fdce7cc0f3aeb33f06c704e8a6ca20a2857244f6c0d4d7c71a21bcc22f92e6ee2a913b12dbbfc
- \Users\Admin\AppData\Local\Temp\_MEI17~1\_ctypes.pyd
- \Users\Admin\AppData\Local\Temp\_MEI17~1\_hashlib.pyd
- \Users\Admin\AppData\Local\Temp\a.exe
- \Users\Admin\AppData\Local\Temp\a.exe
- \Users\Admin\AppData\Local\Temp\setup.exe
- \Users\Admin\AppData\Local\Temp\tmp3unl_j.exe
- \Users\Admin\AppData\Local\Temp\tmp3unl_j.exe
- memory/1776-54-0x0000000000000000-mapping.dmp
- memory/1776-58-0x00000000754A1000-0x00000000754A3000-memory.dmp
  Filesize: 8KB
- memory/1960-78-0x0000000000000000-mapping.dmp
- memory/2032-65-0x0000000000000000-mapping.dmp
- memory/2044-70-0x0000000000000000-mapping.dmp
- memory/2044-74-0x00000000003A0000-0x0000000000462000-memory.dmp
  Filesize: 776KB
- memory/2044-75-0x00000000007E5000-0x00000000007F6000-memory.dmp
  Filesize: 68KB