Analysis
- max time kernel: 90s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-07-2022 08:56
Static task: static1
Behavioral task: behavioral1
- Sample: 3c020a1e304915e460a8b1524dacbaac804b9753d3d0fc36d34ded0e3baefb02.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 3c020a1e304915e460a8b1524dacbaac804b9753d3d0fc36d34ded0e3baefb02.exe
- Resource: win10v2004-20220414-en
The signatures, process tree and memory dumps below are from behavioral2 (win10v2004-20220414-en); the memory dump paths carry the behavioral2/ prefix.
General
- Target: 3c020a1e304915e460a8b1524dacbaac804b9753d3d0fc36d34ded0e3baefb02.exe
- Size: 1.8MB
- MD5: b6c77f545813f551ac34090023543a28
- SHA1: 974ac311cc5effc58bc911f4da286bc77884fab4
- SHA256: 3c020a1e304915e460a8b1524dacbaac804b9753d3d0fc36d34ded0e3baefb02
- SHA512: 37f6f90e58010e21fa08b3a3522fe6756b8a93a31c46c5fec12457d70de61b8dad754b1e5dc99c44c4c301365bb0eb7ef577c82549349b54902c1f760e8feb36
Malware Config
Extracted
- Family: azorult
- C2: http://begurtyut.info/743862/index.php
Signatures
- Azorult
  An information stealer first seen in 2016 that targets browser history and saved passwords.
- Executes dropped EXE (2 IoCs)
  PID 3180 TVwrd.exe
  PID 1236 TVwrd.exe
- YARA rule upx matched (4 resources)
  C:\Users\Admin\AppData\Local\TVwrd.exe (listed three times)
  behavioral2/memory/3180-139-0x0000000000400000-0x000000000047A000-memory.dmp
  The dropped TVwrd.exe is UPX-packed on disk, and the 0x400000-0x47A000 region dumped from PID 3180 still carries the UPX signature. The 0x400000-0x420000 region dumped from PID 1236 is not listed, i.e. it does not match the rule.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: TVwrd.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozhiju = "C:\\Users\\Admin\\AppData\\Local\\ozhiju\\ztqqo.exe"
  \REGISTRY\USER\<SID> is HKEY_USERS\<SID>, the HKCU hive of the Admin account, and the report escapes backslashes inside the data, so the autorun target is C:\Users\Admin\AppData\Local\ozhiju\ztqqo.exe. That file does not appear among the files recorded under Downloads, so a host sweep should check the Run value itself, not only the target path.
- Suspicious use of SetThreadContext (1 IoC)
  PID 3180 (TVwrd.exe) set thread context of PID 1236 (TVwrd.exe)
  Together with the nine WriteProcessMemory calls from 3180 into 1236 below, this is the process hollowing pattern: the first TVwrd.exe starts a second copy of itself, writes code into it and points one of its threads at that code. The 0x400000-0x420000 (128KB) region dumped from PID 1236 covers the child's image base and is the natural starting point for unpacking.
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 3180 TVwrd.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  PID 3180 TVwrd.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1484 (3c020a1e304915e460a8b1524dacbaac804b9753d3d0fc36d34ded0e3baefb02.exe) wrote to memory of PID 3180 (TVwrd.exe): 3 entries
  PID 3180 (TVwrd.exe) wrote to memory of PID 1236 (TVwrd.exe): 9 entries
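The WriteProcessMemory, SetThreadContext and Run-key rows above are flattened tables. The Python below is an added example, not part of the sandbox report, the sandbox's API or the Azorult sample: it parses those rows (copied from this report and embedded as constructed input), rebuilds the parent-to-child injection chain that marks the hollowing, and turns the native registry path into the hive notation used for a host sweep. The regular expressions, the \REGISTRY-to-HKEY mapping, the 0x400000 image-base heuristic and the DROPPED_FILES list (taken from the Downloads section) are the example's own assumptions.

```python
# Added example (not the sandbox's or the report's code): rebuild the injection
# chain and the Run-key IoC from the report's flattened signature rows.
import re
from collections import Counter, defaultdict

# Constructed input: rows copied verbatim from the report's WriteProcessMemory,
# SetThreadContext and Run-key tables and its memory-dump list (the report
# escapes backslashes inside the quoted registry data).
PARENT_WRITE = ("PID 1484 wrote to memory of 3180 1484 "
                "3c020a1e304915e460a8b1524dacbaac804b9753d3d0fc36d34ded0e3baefb02.exe TVwrd.exe")
CHILD_WRITE = "PID 3180 wrote to memory of 1236 3180 TVwrd.exe TVwrd.exe"
REPORT_ROWS = [PARENT_WRITE] * 3 + [CHILD_WRITE] * 9 + [
    "PID 3180 set thread context of 1236 3180 TVwrd.exe TVwrd.exe",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ozhiju = '
    r'"C:\\Users\\Admin\\AppData\\Local\\ozhiju\\ztqqo.exe" TVwrd.exe',
    "memory/3180-139-0x0000000000400000-0x000000000047A000-memory.dmp",
    "memory/1236-136-0x0000000000400000-0x0000000000420000-memory.dmp",
]
DROPPED_FILES = [r"C:\Users\Admin\AppData\Local\TVwrd.exe",   # the report's
                 r"C:\Users\Admin\AppData\Local\Tm.bmp"]      # Downloads list

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")
STC_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)$")
RUN_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (\S+)$')
DMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HIVES = {"\\REGISTRY\\USER\\": "HKEY_USERS\\",
         "\\REGISTRY\\MACHINE\\": "HKEY_LOCAL_MACHINE\\"}
IMAGE_BASE = 0x400000  # default base of a non-relocated 32-bit PE (heuristic)


def parse_rows(rows):
    """Group the flattened rows into per-process facts."""
    writes = Counter()           # (writer pid, target pid) -> row count
    images = {}                  # pid -> image name
    thread_ctx = set()           # (caller pid, target pid) pairs
    run_keys = []                # (process, key, value name, target path)
    regions = defaultdict(list)  # pid -> [(start, end)] of dumped regions
    for row in rows:
        if m := WPM_RE.match(row):
            src, dst, src_img, dst_img = m.groups()
            images[src], images[dst] = src_img, dst_img
            writes[(src, dst)] += 1
        elif m := STC_RE.match(row):
            src, dst, src_img, dst_img = m.groups()
            images[src], images[dst] = src_img, dst_img
            thread_ctx.add((src, dst))
        elif m := RUN_RE.match(row):
            _, key_path, raw_target, proc = m.groups()
            key, value_name = key_path.rsplit("\\", 1)
            run_keys.append((proc, key, value_name, raw_target.replace("\\\\", "\\")))
        elif m := DMP_RE.match(row):
            regions[m[1]].append((int(m[2], 16), int(m[3], 16)))
    return writes, images, thread_ctx, run_keys, regions


def find_hollowing(writes, images, thread_ctx, regions):
    """WriteProcessMemory into a process followed by SetThreadContext on it is
    the API pair behind process hollowing; the same image name and a dumped
    region at the default image base strengthen the call."""
    findings = []
    for (src, dst), n in sorted(writes.items()):
        if (src, dst) not in thread_ctx:
            continue
        dumped = regions.get(dst, [])
        findings.append({
            "parent": f"{images[src]} ({src})",
            "child": f"{images[dst]} ({dst})",
            "writes": n,
            "same_image": images[src] == images[dst],
            "child_region_at_image_base": any(s == IMAGE_BASE for s, _ in dumped),
            "child_region_bytes": max((e - s for s, e in dumped), default=0),
        })
    return findings


def run_key_iocs(run_keys, known_files):
    """Rewrite the native registry path into hive notation for a host sweep and
    note whether the autorun target was ever seen written to disk."""
    seen = {f.lower() for f in known_files}
    out = []
    for proc, key, value_name, target in run_keys:
        for native, hive in HIVES.items():
            if key.startswith(native):
                key = hive + key[len(native):]
        out.append({"set_by": proc, "key": key, "value_name": value_name,
                    "target": target,
                    "target_seen_on_disk": target.lower() in seen,
                    "under_user_profile": "\\users\\" in target.lower()})
    return out


if __name__ == "__main__":
    writes, images, thread_ctx, run_keys, regions = parse_rows(REPORT_ROWS)
    print(find_hollowing(writes, images, thread_ctx, regions))
    print(run_key_iocs(run_keys, DROPPED_FILES))
```

Run as-is it reports one hollowing pair, TVwrd.exe (3180) into TVwrd.exe (1236) with nine writes and a 128KB child region at 0x400000, and one persistence IoC under HKEY_USERS\<SID>\...\Run whose target was never seen on disk. The first pair, 1484 writing into 3180, is not flagged because no SetThreadContext row exists for it; that is the distinction between the loader handing a payload to its dropped child and the child hollowing a copy of itself.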
Processes
(tree as reported; PIDs are taken from the signature tables above)
- C:\Users\Admin\AppData\Local\Temp\3c020a1e304915e460a8b1524dacbaac804b9753d3d0fc36d34ded0e3baefb02.exe (PID 1484)
  command line: "C:\Users\Admin\AppData\Local\Temp\3c020a1e304915e460a8b1524dacbaac804b9753d3d0fc36d34ded0e3baefb02.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\TVwrd.exe (PID 3180, child of 1484)
    command line: C:\Users\Admin\AppData\Local\TVwrd.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\TVwrd.exe (PID 1236, child of 3180)
      command line: C:\Users\Admin\AppData\Local\TVwrd.exe
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\TVwrd.exe (recorded three times with identical hashes)
  Filesize: 175KB
  MD5: cfc18e99d10dcd9599cc2de6f5eb8b08
  SHA1: 3073bd62bbac0b08e40de50398aea9ecf2ca8fc4
  SHA256: 1653ebc2ed44e45055407730422b4a77f42e5d70de568515f315849b46ece0d3
  SHA512: 42daf2e80c7e5913095be3318d9f8c0a22569389923ffa73f40af24b729456047c93dd3598575d9b8c0076e232400d0cea46e9a91e9e77bf4bd3ffbc594312c6
- C:\Users\Admin\AppData\Local\Tm.bmp
  Filesize: 737KB
  MD5: e03bcd595ea51fd07bf8f98c3007d14a
  SHA1: 0dd53bc1469deb44eed0f515b5137a22ace4b652
  SHA256: 19b9b6bdd5424dd135460a5477899f009cffbe42045f829c35645551933e4bb4
  SHA512: 409954a90a764276242a6bbe24abff81ef5df9df0b8e949f23f3044c68e93e76ae9979a2e2696582f25899cb2d0fa10dd1de785b6dc5680381aa8b9ea49479a3
Memory dumps (file names are <pid>-<sequence>-<start>-<end>; the same 0x400000-0x420000 range of PID 1236 was dumped four times)
- memory/1236-135-0x0000000000000000-mapping.dmp
- memory/1236-136-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/1236-140-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/1236-141-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/1236-142-0x0000000000400000-0x0000000000420000-memory.dmp (128KB)
- memory/3180-131-0x0000000000000000-mapping.dmp
- memory/3180-139-0x0000000000400000-0x000000000047A000-memory.dmp (488KB)