Overview

overview

10

Static

static

60187f0561...2b.exe

windows7-x64

10

60187f0561...2b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    100s
  • max time network
    97s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    31-07-2022 07:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe

  • Size

    3.3MB

  • MD5

    fb46fcac2d17b14c30e8d68a0f0a0023

  • SHA1

    2e1d44ac241843f02b7b190902928e1acce27d4c

  • SHA256

    60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b

  • SHA512

    e6e7ed6be686a0ef9a6d1e6f930a88260fd8c27cf06aea51934efc027bec75d2066b7ab8b95b9ed8f7a6cf0bd98cbe7a3a15e87c9cf464ac404b3d04196f9dfb

Score
10/10
azorultdiscoveryinfostealertrojan

Malware Config

Extracted

Family

azorult

C2

http://licilucapiluca.rocks/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe
    "C:\Users\Admin\AppData\Local\Temp\60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1372
    • C:\Program Files (x86)\LetsSee!\busshost.exe
      "C:\Program Files (x86)\LetsSee!\busshost.exe"
      2⤵
      • Executes dropped EXE
      PID:1288
    • C:\Program Files (x86)\LetsSee!\YTLoader.exe
      "C:\Program Files (x86)\LetsSee!\YTLoader.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1172
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:1724

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\LetsSee!\YTLoader.exe
    Filesize

    3.0MB

    MD5

    c53d2de8becdaf58caba89a297455c65

    SHA1

    c60da079393025e63475683375e0a045cefa3473

    SHA256

    7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

    SHA512

    a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

    Download Submit

  • C:\Program Files (x86)\LetsSee!\YTLoader.exe
    Filesize

    3.0MB

    MD5

    c53d2de8becdaf58caba89a297455c65

    SHA1

    c60da079393025e63475683375e0a045cefa3473

    SHA256

    7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

    SHA512

    a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

    Download Submit

  • C:\Program Files (x86)\LetsSee!\busshost.exe
    Filesize

    406KB

    MD5

    d6422d74934d39845e107a25e16a2146

    SHA1

    87b7bb22fd16e36ed34476b8660af1f8b831a76b

    SHA256

    9b664cd4a3de25b2b3955b5984cd5f191cb364e0b25c53e01712f4c59fa48bf4

    SHA512

    baa642e5143f8bea715a35da98e0421ea0efcb5175407965f135fb7af134788528af3e6ecff02231901bf40f7e52e4b6174f529a823200d560598349f894e5f1

    Download Submit

  • \Program Files (x86)\LetsSee!\YTLoader.exe
    Filesize

    3.0MB

    MD5

    c53d2de8becdaf58caba89a297455c65

    SHA1

    c60da079393025e63475683375e0a045cefa3473

    SHA256

    7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

    SHA512

    a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

    Download Submit

  • \Program Files (x86)\LetsSee!\YTLoader.exe
    Filesize

    3.0MB

    MD5

    c53d2de8becdaf58caba89a297455c65

    SHA1

    c60da079393025e63475683375e0a045cefa3473

    SHA256

    7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

    SHA512

    a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

    Download Submit

  • \Program Files (x86)\LetsSee!\YTLoader.exe
    Filesize

    3.0MB

    MD5

    c53d2de8becdaf58caba89a297455c65

    SHA1

    c60da079393025e63475683375e0a045cefa3473

    SHA256

    7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

    SHA512

    a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

    Download Submit

  • \Program Files (x86)\LetsSee!\YTLoader.exe
    Filesize

    3.0MB

    MD5

    c53d2de8becdaf58caba89a297455c65

    SHA1

    c60da079393025e63475683375e0a045cefa3473

    SHA256

    7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

    SHA512

    a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

    Download Submit

  • \Program Files (x86)\LetsSee!\YTLoader.exe
    Filesize

    3.0MB

    MD5

    c53d2de8becdaf58caba89a297455c65

    SHA1

    c60da079393025e63475683375e0a045cefa3473

    SHA256

    7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

    SHA512

    a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

    Download Submit

  • \Program Files (x86)\LetsSee!\YTLoader.exe
    Filesize

    3.0MB

    MD5

    c53d2de8becdaf58caba89a297455c65

    SHA1

    c60da079393025e63475683375e0a045cefa3473

    SHA256

    7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

    SHA512

    a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

    Download Submit

  • \Program Files (x86)\LetsSee!\busshost.exe
    Filesize

    406KB

    MD5

    d6422d74934d39845e107a25e16a2146

    SHA1

    87b7bb22fd16e36ed34476b8660af1f8b831a76b

    SHA256

    9b664cd4a3de25b2b3955b5984cd5f191cb364e0b25c53e01712f4c59fa48bf4

    SHA512

    baa642e5143f8bea715a35da98e0421ea0efcb5175407965f135fb7af134788528af3e6ecff02231901bf40f7e52e4b6174f529a823200d560598349f894e5f1

    Download Submit

  • \Program Files (x86)\LetsSee!\busshost.exe
    Filesize

    406KB

    MD5

    d6422d74934d39845e107a25e16a2146

    SHA1

    87b7bb22fd16e36ed34476b8660af1f8b831a76b

    SHA256

    9b664cd4a3de25b2b3955b5984cd5f191cb364e0b25c53e01712f4c59fa48bf4

    SHA512

    baa642e5143f8bea715a35da98e0421ea0efcb5175407965f135fb7af134788528af3e6ecff02231901bf40f7e52e4b6174f529a823200d560598349f894e5f1

    Download Submit

  • memory/1200-81-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1200-75-0x00000000007F0000-0x00000000007F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1200-68-0x0000000000270000-0x000000000027A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1200-70-0x0000000005080000-0x00000000054DA000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1200-77-0x0000000000850000-0x0000000000858000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1200-61-0x0000000000000000-mapping.dmp

    Download

  • memory/1200-82-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1200-80-0x0000000000B10000-0x0000000000B18000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1200-79-0x0000000000870000-0x0000000000878000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1200-78-0x0000000000860000-0x0000000000868000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1200-76-0x0000000000800000-0x000000000080E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1200-67-0x0000000000290000-0x0000000000598000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1200-74-0x00000000007E0000-0x00000000007EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1200-73-0x00000000006C0000-0x00000000006CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1200-72-0x00000000006B0000-0x00000000006BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1200-71-0x00000000006A0000-0x00000000006B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1288-83-0x0000000000400000-0x0000000000943000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/1288-66-0x0000000000400000-0x0000000000943000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/1288-65-0x0000000000A86000-0x0000000000A97000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1288-59-0x0000000000A86000-0x0000000000A97000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1288-57-0x0000000000000000-mapping.dmp

    Download

  • memory/1372-54-0x0000000074D61000-0x0000000074D63000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1724-84-0x0000000000000000-mapping.dmp

    Download