Overview

overview

10

Static

static

5

61d6ca8a21...30.exe

windows7-x64

10

61d6ca8a21...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-07-2022 19:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    61d6ca8a21ef7c09e8e5a26c933338b99a94a086e47923cdb96201ada0d4cf30.exe

  • Size

    1.0MB

  • MD5

    e5db0132a6945e6005a9dad8e7078624

  • SHA1

    971b19717dbf7a5fb4fe5e7ef4c6f6b19b8b8228

  • SHA256

    61d6ca8a21ef7c09e8e5a26c933338b99a94a086e47923cdb96201ada0d4cf30

  • SHA512

    e2a5d7c0dc12b6eec7e50f6e1a70a55e2b7ea63ae1ddc0a203460aef5cd497e11c5a7c8558458cbf2360d288cdd9c28715b5c681e7143d7dfcf682163cf30452

Score
10/10
azorultinfostealertrojanupx

Malware Config

Extracted

Family

azorult

C2

http://cp73127.tmweb.ru/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Executes dropped EXE 5 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61d6ca8a21ef7c09e8e5a26c933338b99a94a086e47923cdb96201ada0d4cf30.exe
    "C:\Users\Admin\AppData\Local\Temp\61d6ca8a21ef7c09e8e5a26c933338b99a94a086e47923cdb96201ada0d4cf30.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Users\Admin\AppData\Roaming\Z1190046035\bin_2019-02-04_21-03.exe
      "C:\Users\Admin\AppData\Roaming\Z1190046035\bin_2019-02-04_21-03.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2004
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 1384
        3⤵
        • Program crash
        PID:3348
    • C:\Users\Admin\AppData\Roaming\Z1190046035\микс.exe
      "C:\Users\Admin\AppData\Roaming\Z1190046035\микс.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3104
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C schtasks /create /tn \Defaults\AzureSDKService_Admin /tr "C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe" /st 21:59 /du 9999:59 /sc daily /ri 1 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3592
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn \Defaults\AzureSDKService_Admin /tr "C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe" /st 21:59 /du 9999:59 /sc daily /ri 1 /f
          4⤵
          • Creates scheduled task(s)
          PID:4968
      • C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe
        "C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1852
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Z1190046035\микс.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3960
        • C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 3
          4⤵
            PID:2988
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2004 -ip 2004
      1⤵
        PID:2528
      • C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe
        C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe
        1⤵
        • Executes dropped EXE
        PID:4120
      • C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe
        C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe
        1⤵
        • Executes dropped EXE
        PID:4724

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsLauncher.exe.log
        Filesize

        847B

        MD5

        66a0a4aa01208ed3d53a5e131a8d030a

        SHA1

        ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1

        SHA256

        f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8

        SHA512

        626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Costura\2A21A13BB3DB4F43B575DC25CB8473C1\costura.dll
        Filesize

        4KB

        MD5

        53fcb5e5c897094cf6780679e61ec6f1

        SHA1

        59feb2af0be9ec4ccec2125d2383e3e282f428a7

        SHA256

        63e40fbde384f1b95e4f887948fb637b0d52cef4f13b8270d3e3a940d6861746

        SHA512

        819fecb5ae2433e4b0be00d38c2ff73a2a241d96d196c8fb844245b8ee9fbfa46595aa79db8e68c01d1150e9ef3a72e49d07a30fc730e3c4410a98f93f900532

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Costura\2A21A13BB3DB4F43B575DC25CB8473C1\datalaunch.dll
        Filesize

        15KB

        MD5

        2874f863f7944a165484fb5662a65311

        SHA1

        28de3b5038da77f1ce7954e0bc5053ed52711f14

        SHA256

        24a7e78cb8602430b5acd9eb63f4cce58d4dc5c8783c2a724f0f3765835d3cc6

        SHA512

        1ae3a6ae7b6077acc3397287070833e43cb76619bd235054ef6ea7e0377c4651249963e8941c7a7ecd28125f6afd8632362acc4d390c0ed9989cf9c93adad09b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Costura\2A21A13BB3DB4F43B575DC25CB8473C1\datalaunch.pdb
        Filesize

        27KB

        MD5

        b9d64d8d24dc0154c4f76dfe398d858a

        SHA1

        d5c393ed3fa52fa4eb95ca526697953ec242d3e5

        SHA256

        1f58cda956bcf4b4127918913ca28e0027bb4b3c28174fb09476ec8330dfc6fd

        SHA512

        691c695135b2687efcb9cac0132e3d55da206fe33884f91bc891e0bdb81813b6091df5c9e23ff55ca06075e477b134cefe555eea6dc2c349f1d5dff28c02bb86

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe
        Filesize

        164KB

        MD5

        0aaf905149e68d9c88f2c176b00d2f4d

        SHA1

        1c46d80d4281a9f31f18fa8c1e7a46d67f990f7b

        SHA256

        01414ef72c117453bb6f6e1b5e3ffb06686571a63be39f06e3427626857c5f27

        SHA512

        7946eefdc715113339061f871df8606073265beb8ec1653ef2d1beda6afa1fcda4b42da91a7eeaf78e0cf470abaab6ce7ea0e1fd63e72815c5fab6b1e9fe8bdd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe
        Filesize

        164KB

        MD5

        0aaf905149e68d9c88f2c176b00d2f4d

        SHA1

        1c46d80d4281a9f31f18fa8c1e7a46d67f990f7b

        SHA256

        01414ef72c117453bb6f6e1b5e3ffb06686571a63be39f06e3427626857c5f27

        SHA512

        7946eefdc715113339061f871df8606073265beb8ec1653ef2d1beda6afa1fcda4b42da91a7eeaf78e0cf470abaab6ce7ea0e1fd63e72815c5fab6b1e9fe8bdd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe
        Filesize

        164KB

        MD5

        0aaf905149e68d9c88f2c176b00d2f4d

        SHA1

        1c46d80d4281a9f31f18fa8c1e7a46d67f990f7b

        SHA256

        01414ef72c117453bb6f6e1b5e3ffb06686571a63be39f06e3427626857c5f27

        SHA512

        7946eefdc715113339061f871df8606073265beb8ec1653ef2d1beda6afa1fcda4b42da91a7eeaf78e0cf470abaab6ce7ea0e1fd63e72815c5fab6b1e9fe8bdd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\NetPlatform\WindowsLauncher.exe
        Filesize

        164KB

        MD5

        0aaf905149e68d9c88f2c176b00d2f4d

        SHA1

        1c46d80d4281a9f31f18fa8c1e7a46d67f990f7b

        SHA256

        01414ef72c117453bb6f6e1b5e3ffb06686571a63be39f06e3427626857c5f27

        SHA512

        7946eefdc715113339061f871df8606073265beb8ec1653ef2d1beda6afa1fcda4b42da91a7eeaf78e0cf470abaab6ce7ea0e1fd63e72815c5fab6b1e9fe8bdd

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Z1190046035\bin_2019-02-04_21-03.exe
        Filesize

        152KB

        MD5

        928e9df34a22f4381e66621e0bba9f55

        SHA1

        0b79c5d9e748f03daf02997d2ef84c69fa2a0f5e

        SHA256

        135c61627a6717c2cd459c8f7200e5dd44fc446528ca27e6ccdf9a96c491658c

        SHA512

        6ccbba6b40a9b6667b58733e9323e33214496105db4e3561512cbd6377d3337c1957bca3a340b3418c0f9f0b05e53c7a206c9bde1c4b1e07e145fa207910f2f0

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Z1190046035\bin_2019-02-04_21-03.exe
        Filesize

        152KB

        MD5

        928e9df34a22f4381e66621e0bba9f55

        SHA1

        0b79c5d9e748f03daf02997d2ef84c69fa2a0f5e

        SHA256

        135c61627a6717c2cd459c8f7200e5dd44fc446528ca27e6ccdf9a96c491658c

        SHA512

        6ccbba6b40a9b6667b58733e9323e33214496105db4e3561512cbd6377d3337c1957bca3a340b3418c0f9f0b05e53c7a206c9bde1c4b1e07e145fa207910f2f0

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Z1190046035\микс.exe
        Filesize

        164KB

        MD5

        0aaf905149e68d9c88f2c176b00d2f4d

        SHA1

        1c46d80d4281a9f31f18fa8c1e7a46d67f990f7b

        SHA256

        01414ef72c117453bb6f6e1b5e3ffb06686571a63be39f06e3427626857c5f27

        SHA512

        7946eefdc715113339061f871df8606073265beb8ec1653ef2d1beda6afa1fcda4b42da91a7eeaf78e0cf470abaab6ce7ea0e1fd63e72815c5fab6b1e9fe8bdd

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Z1190046035\микс.exe
        Filesize

        164KB

        MD5

        0aaf905149e68d9c88f2c176b00d2f4d

        SHA1

        1c46d80d4281a9f31f18fa8c1e7a46d67f990f7b

        SHA256

        01414ef72c117453bb6f6e1b5e3ffb06686571a63be39f06e3427626857c5f27

        SHA512

        7946eefdc715113339061f871df8606073265beb8ec1653ef2d1beda6afa1fcda4b42da91a7eeaf78e0cf470abaab6ce7ea0e1fd63e72815c5fab6b1e9fe8bdd

        Download Submit

      • memory/1852-157-0x00007FFD26270000-0x00007FFD26D31000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1852-159-0x000000001D900000-0x000000001D93C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1852-158-0x0000000002540000-0x0000000002552000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1852-145-0x0000000000000000-mapping.dmp

        Download

      • memory/1852-154-0x00007FFD26270000-0x00007FFD26D31000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2004-142-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/2004-141-0x00000000006B3000-0x00000000006C4000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2004-155-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/2004-140-0x00000000006B3000-0x00000000006C4000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2004-130-0x0000000000000000-mapping.dmp

        Download

      • memory/2004-137-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/2004-156-0x00000000006B3000-0x00000000006C4000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2988-152-0x0000000000000000-mapping.dmp

        Download

      • memory/3104-139-0x00007FFD26270000-0x00007FFD26D31000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3104-153-0x00007FFD26270000-0x00007FFD26D31000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3104-138-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3104-136-0x0000000000450000-0x000000000047E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/3104-133-0x0000000000000000-mapping.dmp

        Download

      • memory/3592-143-0x0000000000000000-mapping.dmp

        Download

      • memory/3960-148-0x0000000000000000-mapping.dmp

        Download

      • memory/4120-161-0x00007FFD26270000-0x00007FFD26D31000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4120-162-0x00007FFD26270000-0x00007FFD26D31000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4724-165-0x00007FFD26270000-0x00007FFD26D31000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4968-144-0x0000000000000000-mapping.dmp

        Download