Analysis
max time kernel: 91s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-09-2022 13:50
Static task: static1
Behavioral task: behavioral1
  Sample: Inkooporders voor factuur 28-09-22.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Inkooporders voor factuur 28-09-22.exe
  Resource: win10v2004-20220812-en
General
Target: Inkooporders voor factuur 28-09-22.exe
Size: 428KB
MD5: 5ce3b1bbcb5e6de79fdf2b4bbf9a8c65
SHA1: 25e9d8e5a31913b28b9bcaf64574ef135e0fa3e9
SHA256: 390ba9da469491e34db509524293b00feb22b768a11c0792d67c92b17881a521
SHA512: ed6c8de8791bdec42641b730896675e24d77d67b48c396f04b9b2f537cfa72f7b66a76813ffbf621bdc52e26cfb28c53bdba55acb9e255d3cd021a3e07227af3
SSDEEP: 6144:uTouKrWBEu3/Z2lpGDHU3ykJF1Mai/nsSL2pNUn+/V6QcjX5P6uE:uToPWBv/cpGrU3ywtmnsSL6u+/Eg
Malware Config
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    3292  uwmldfjccru.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  Inkooporders voor factuur 28-09-22.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  uwmldfjccru.exe
- Loads dropped DLL (6 IoCs)
  Processes (pid, process):
    5072  uwmldfjccru.exe  (6 identical rows)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  uwmldfjccru.exe
    Key opened  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  uwmldfjccru.exe
    Key opened  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  uwmldfjccru.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, process, target process):
    PID 3292 set thread context of 5072  uwmldfjccru.exe → uwmldfjccru.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
    4932  3292  WerFault.exe  uwmldfjccru.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  uwmldfjccru.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  uwmldfjccru.exe
- Delays execution with timeout.exe (1 IoC)
  Processes (pid, process):
    2020  timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    5072  uwmldfjccru.exe  (2 identical rows)
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description, process, target process):
    PID 3564 wrote to memory of 3292  Inkooporders voor factuur 28-09-22.exe → uwmldfjccru.exe  (3 identical rows)
    PID 3292 wrote to memory of 5072  uwmldfjccru.exe → uwmldfjccru.exe  (4 identical rows)
    PID 5072 wrote to memory of 3424  uwmldfjccru.exe → cmd.exe  (3 identical rows)
    PID 3424 wrote to memory of 2020  cmd.exe → timeout.exe  (3 identical rows)
- outlook_office_path (1 IoC)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  uwmldfjccru.exe
- outlook_win_path (1 IoC)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  uwmldfjccru.exe
Processes (process tree; depth in brackets)
- [1] C:\Users\Admin\AppData\Local\Temp\Inkooporders voor factuur 28-09-22.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Inkooporders voor factuur 28-09-22.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe"
      - Checks computer location settings
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "uwmldfjccru.exe"
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\timeout.exe
          Command line: C:\Windows\system32\timeout.exe 3
          - Delays execution with timeout.exe
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 240
      - Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3292 -ip 3292
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\C6D72293\mozglue.dll
  Filesize: 135KB
  MD5: 9e682f1eb98a9d41468fc3e50f907635
  SHA1: 85e0ceca36f657ddf6547aa0744f0855a27527ee
  SHA256: 830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
  SHA512: 230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
- C:\Users\Admin\AppData\Local\Temp\C6D72293\msvcp140.dll
  Filesize: 429KB
  MD5: 109f0f02fd37c84bfc7508d4227d7ed5
  SHA1: ef7420141bb15ac334d3964082361a460bfdb975
  SHA256: 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
  SHA512: 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
- C:\Users\Admin\AppData\Local\Temp\C6D72293\nss3.dll
  Filesize: 1.2MB
  MD5: 556ea09421a0f74d31c4c0a89a70dc23
  SHA1: f739ba9b548ee64b13eb434a3130406d23f836e3
  SHA256: f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
  SHA512: 2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
- C:\Users\Admin\AppData\Local\Temp\C6D72293\vcruntime140.dll
  Filesize: 81KB
  MD5: 7587bf9cb4147022cd5681b015183046
  SHA1: f2106306a8f6f0da5afb7fc765cfa0757ad5a628
  SHA256: c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
  SHA512: 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
- C:\Users\Admin\AppData\Local\Temp\dwhwq.yal
  Filesize: 112KB
  MD5: d27c158245078509fd55786ac41510be
  SHA1: 932a72ab2591fdad28538a8c81fc38d05c00e655
  SHA256: a07db9f703d4ab31316375030ca37bb25c1a4b3be9db559d5e9a897e54df7188
  SHA512: e1337346d3c5732324378d5e23d57f06caf19e8d65a55404d1764915998c176ad56f1ec2fe4918562de95e30eb44b3e35ef3b8395ebf7fc208c827d803ebe20a
- C:\Users\Admin\AppData\Local\Temp\nvbvc.wi
  Filesize: 4KB
  MD5: e854155a021d9bc03e4b3d9021551ea7
  SHA1: d8ed02e8cd8747a4933d5512f977ca531c5a3aea
  SHA256: 1f185fb5b1ceeb00eac1ec67c1c8c894d670c478fbe03157987ebbafaf4874dd
  SHA512: b8171f24589195fc004beae5d67d45cc81a216ec95cebabd36f7ca25e0d7303eb04a734afafb309c06b39b99ca75ea0d3a9b313e9e7d20830f1040219e08ca62
- C:\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe
  Filesize: 58KB
  MD5: 728abee2e95f1c9854d5153832c21a24
  SHA1: 9b4f0b702c2e0f2d548782b2d314708dbf362ff6
  SHA256: 782e8dc429b53922ff2a067cbbb502004c15da4298103f79a706b8645110904b
  SHA512: 1a6631dbcaba338e78e39bfbaa8aad9a427edca0f11b686003ab2b5364c1f9845dd83b7e6c604be796afdb860a786b8fbcc9016349c0c9bd271d0dc08fb3e69e