Analysis
- max time kernel: 141s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 14:47
Static task: static1
Behavioral task: behavioral1
  Sample: ATTACHEM.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: ATTACHEM.exe
  Resource: win10v2004-20220414-en
General
- Target: ATTACHEM.exe
- Size: 529KB
- MD5: 84a9e3f3782f6c6e8a8d53ea4822bce7
- SHA1: fdf97e6f3455ebd935e56da73c7a181f4ffe0212
- SHA256: 38a689e3cfe024cf53d07e3f6830da32c836c4c06c96478fda9a36e22d540a9c
- SHA512: 288e884e274ad365d75334e59a8e97839f608525f7af7854c69c5e0c6665157aec3b4b4034e6c4f7e8338191a72f0df1865f3d248aea14ff2f6474c97d0fef42
Malware Config
- Extracted family: azorult
  URL: http://lawantumorotak.com/img/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid  | process
    2032 | asfasddsfasf.exe
    920  | asfasddsfasf.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description       | ioc                                                                                                  | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | ATTACHEM.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | asfasddsfasf.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description     | ioc                                                                                                                                                                                                | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ascfsafsf = "C:\\Users\\Admin\\AppData\\Roaming\\asfasddsfasf.exe -boot" | asfasddsfasf.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                         | pid  | process          | target process
    PID 2032 set thread context of 920  | 2032 | asfasddsfasf.exe | asfasddsfasf.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NTFS ADS (5 IoCs)
  Processes:
    description                  | ioc                                                                  | process
    File opened for modification | C:\Users\Admin\AppData\Local\Temp\ATTACHEM.exe:Zone.Identifier       | cmd.exe
    File created                 | C:\Users\Admin\AppData\Roaming\asfasddsfasf.exe\:Zone.Identifier:$DATA | cmd.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\asfasddsfasf.exe:Zone.Identifier      | cmd.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\asfasddsfasf.exe:Zone.Identifier      | cmd.exe
    File created                 | C:\Users\Admin\AppData\Local\Temp\ATTACHEM.exe:Zone.Identifier       | cmd.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              | pid  | process
    Token: SeDebugPrivilege  | 4188 | ATTACHEM.exe
    Token: SeDebugPrivilege  | 2032 | asfasddsfasf.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (identical rows collapsed, repeat count in the last column; 30 rows in total):
    description                        | pid  | process          | target process   | count
    PID 4188 wrote to memory of 4604   | 4188 | ATTACHEM.exe     | cmd.exe          | 3
    PID 4188 wrote to memory of 4268   | 4188 | ATTACHEM.exe     | cmd.exe          | 3
    PID 4188 wrote to memory of 4912   | 4188 | ATTACHEM.exe     | cmd.exe          | 3
    PID 4188 wrote to memory of 3368   | 4188 | ATTACHEM.exe     | cmd.exe          | 3
    PID 3368 wrote to memory of 2032   | 3368 | cmd.exe          | asfasddsfasf.exe | 3
    PID 2032 wrote to memory of 2544   | 2032 | asfasddsfasf.exe | cmd.exe          | 3
    PID 2032 wrote to memory of 3384   | 2032 | asfasddsfasf.exe | cmd.exe          | 3
    PID 2032 wrote to memory of 920    | 2032 | asfasddsfasf.exe | asfasddsfasf.exe | 9
Processes (process tree, indented by depth)
- C:\Users\Admin\AppData\Local\Temp\ATTACHEM.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ATTACHEM.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\ATTACHEM.exe:Zone.Identifier"
    - NTFS ADS
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\ATTACHEM.exe:Zone.Identifier"
    - NTFS ADS
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\ATTACHEM.exe" "C:\Users\Admin\AppData\Roaming\asfasddsfasf.exe"
    - NTFS ADS
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\asfasddsfasf.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\asfasddsfasf.exe
      Command line: "C:\Users\Admin\AppData\Roaming\asfasddsfasf.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\asfasddsfasf.exe:Zone.Identifier"
        - NTFS ADS
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\asfasddsfasf.exe:Zone.Identifier"
        - NTFS ADS
      - C:\Users\Admin\AppData\Roaming\asfasddsfasf.exe
        Command line: "C:\Users\Admin\AppData\Roaming\asfasddsfasf.exe"
        - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Roaming\asfasddsfasf.exe
  Filesize: 529KB
  MD5: 84a9e3f3782f6c6e8a8d53ea4822bce7
  SHA1: fdf97e6f3455ebd935e56da73c7a181f4ffe0212
  SHA256: 38a689e3cfe024cf53d07e3f6830da32c836c4c06c96478fda9a36e22d540a9c
  SHA512: 288e884e274ad365d75334e59a8e97839f608525f7af7854c69c5e0c6665157aec3b4b4034e6c4f7e8338191a72f0df1865f3d248aea14ff2f6474c97d0fef42
- memory/920-152-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/920-151-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/920-150-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/920-147-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/920-146-0x0000000000000000-mapping.dmp
- memory/2032-145-0x0000000005C80000-0x0000000005D1C000-memory.dmp (Filesize: 624KB)
- memory/2032-140-0x0000000000000000-mapping.dmp
- memory/2544-143-0x0000000000000000-mapping.dmp
- memory/3368-139-0x0000000000000000-mapping.dmp
- memory/3384-144-0x0000000000000000-mapping.dmp
- memory/4188-130-0x0000000000590000-0x0000000000618000-memory.dmp (Filesize: 544KB)
- memory/4188-137-0x0000000005A70000-0x0000000005B02000-memory.dmp (Filesize: 584KB)
- memory/4188-135-0x00000000062A0000-0x0000000006844000-memory.dmp (Filesize: 5.6MB)
- memory/4188-134-0x0000000005B20000-0x0000000005CE2000-memory.dmp (Filesize: 1.8MB)
- memory/4188-132-0x00000000053E0000-0x0000000005446000-memory.dmp (Filesize: 408KB)
- memory/4188-131-0x0000000005000000-0x0000000005022000-memory.dmp (Filesize: 136KB)
- memory/4268-136-0x0000000000000000-mapping.dmp
- memory/4604-133-0x0000000000000000-mapping.dmp
- memory/4912-138-0x0000000000000000-mapping.dmp