Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 07:06

Static task: static1
Behavioral task: behavioral1
  Sample: 3e82b2bd3081a1c99fbedb271b00d06d8d48ad8a70466e919f7658cbf1d0d811.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3e82b2bd3081a1c99fbedb271b00d06d8d48ad8a70466e919f7658cbf1d0d811.exe
  Resource: win10v2004-20220414-en
General
- Target: 3e82b2bd3081a1c99fbedb271b00d06d8d48ad8a70466e919f7658cbf1d0d811.exe
- Size: 1.3MB
- MD5: 29388dce769f383980b9a67a30a2c9b2
- SHA1: e87e39b343f7c1de03a6ef7caba57d5d21d69211
- SHA256: 3e82b2bd3081a1c99fbedb271b00d06d8d48ad8a70466e919f7658cbf1d0d811
- SHA512: e7450e193b83a389787af72fd7e2882825e84b2450512ee765ec0a57a82ce4da31eff287e2c9e761c76a0f0630cee91024c9290350575fe3cf61b9f22aee9679
Malware Config
Extracted
- Family: azorult
- URL: http://noveit.gq/0c1bs/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 3e82b2bd3081a1c99fbedb271b00d06d8d48ad8a70466e919f7658cbf1d0d811.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"
- Suspicious use of SetThreadContext (1 IoC)
  Process: 3e82b2bd3081a1c99fbedb271b00d06d8d48ad8a70466e919f7658cbf1d0d811.exe
  PID 2480 (3e82b2bd3081a1c99fbedb271b00d06d8d48ad8a70466e919f7658cbf1d0d811.exe) set thread context of PID 4764 (diskperf.exe)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Process: 3e82b2bd3081a1c99fbedb271b00d06d8d48ad8a70466e919f7658cbf1d0d811.exe
  PID 2480 (3e82b2bd3081a1c99fbedb271b00d06d8d48ad8a70466e919f7658cbf1d0d811.exe) wrote to memory of PID 4764 (diskperf.exe)
  PID 2480 (3e82b2bd3081a1c99fbedb271b00d06d8d48ad8a70466e919f7658cbf1d0d811.exe) wrote to memory of PID 4764 (diskperf.exe)
  PID 2480 (3e82b2bd3081a1c99fbedb271b00d06d8d48ad8a70466e919f7658cbf1d0d811.exe) wrote to memory of PID 4764 (diskperf.exe)
  PID 2480 (3e82b2bd3081a1c99fbedb271b00d06d8d48ad8a70466e919f7658cbf1d0d811.exe) wrote to memory of PID 4764 (diskperf.exe)
  PID 2480 (3e82b2bd3081a1c99fbedb271b00d06d8d48ad8a70466e919f7658cbf1d0d811.exe) wrote to memory of PID 4764 (diskperf.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\3e82b2bd3081a1c99fbedb271b00d06d8d48ad8a70466e919f7658cbf1d0d811.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e82b2bd3081a1c99fbedb271b00d06d8d48ad8a70466e919f7658cbf1d0d811.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\diskperf.exe (child process)
    Command line: "C:\Windows\SysWOW64\diskperf.exe"
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/4764-130-0x0000000000000000-mapping.dmp
- memory/4764-131-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/4764-133-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/4764-134-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/4764-135-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)