Analysis
- max time kernel: 559s
- max time network: 485s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 06:22

Static task: static1
Behavioral task: behavioral1
- Sample: RfQ urgente_AP65425652_032421.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: RfQ urgente_AP65425652_032421.exe
- Resource: win10v2004-20220812-en
General
- Target: RfQ urgente_AP65425652_032421.exe
- Size: 426KB
- MD5: 41f1ae227bcf937eb3503819f5fbeebd
- SHA1: c73f5ec3b1fdc30867763f413e0646a53f5d7503
- SHA256: dcc410a5a4caecdc8ff2d863df50fae3adec46f391b50705e2f4ee59235d7af3
- SHA512: b065fc4f56fdf388231a3b8e23e60ca15371c0a775aef90608e5dc419a46b1a2041c1e56bd1bf568bc3ff4623a8316d2bc1f590e55c78e72568f63f4d087b4eb
- SSDEEP: 6144:ATouKrWBEu3/Z2lpGDHU3ykJkUDmC/21qnbaItq+1mxwYeqgmaf:AToPWBv/cpGrU3yFUiG2MzBSwx
Malware Config
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    4576  btgwc.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
    process: RfQ urgente_AP65425652_032421.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    2000  btgwc.exe
    260   btgwc.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description                          pid   process    target process
    PID 4576 set thread context of 2000  4576  btgwc.exe  btgwc.exe
    PID 4576 set thread context of 260   4576  btgwc.exe  btgwc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    3628  4576        WerFault.exe  btgwc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                       pid   process                            target process
    PID 4660 wrote to memory of 4576  4660  RfQ urgente_AP65425652_032421.exe  btgwc.exe
    PID 4660 wrote to memory of 4576  4660  RfQ urgente_AP65425652_032421.exe  btgwc.exe
    PID 4660 wrote to memory of 4576  4660  RfQ urgente_AP65425652_032421.exe  btgwc.exe
    PID 4576 wrote to memory of 2000  4576  btgwc.exe                          btgwc.exe
    PID 4576 wrote to memory of 2000  4576  btgwc.exe                          btgwc.exe
    PID 4576 wrote to memory of 2000  4576  btgwc.exe                          btgwc.exe
    PID 4576 wrote to memory of 2000  4576  btgwc.exe                          btgwc.exe
    PID 4576 wrote to memory of 260   4576  btgwc.exe                          btgwc.exe
    PID 4576 wrote to memory of 260   4576  btgwc.exe                          btgwc.exe
    PID 4576 wrote to memory of 260   4576  btgwc.exe                          btgwc.exe
    PID 4576 wrote to memory of 260   4576  btgwc.exe                          btgwc.exe
Processes (indented by parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\RfQ urgente_AP65425652_032421.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RfQ urgente_AP65425652_032421.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\btgwc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\btgwc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\btgwc.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\btgwc.exe"
          - Loads dropped DLL
        - C:\Users\Admin\AppData\Local\Temp\btgwc.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\btgwc.exe"
          - Loads dropped DLL
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 592
          - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4576 -ip 4576
Downloads
- C:\Users\Admin\AppData\Local\Temp\btgwc.exe
  Filesize: 56KB
  MD5: 890373d650ed8dd50c9ec3c3810a6735
  SHA1: d6cfc285dc0ffc79dc2297c9fe6a133edd9ac55c
  SHA256: 14953d1be722e35f5d401fcb29482d3530ea9d977b4d159ab005b3cb2bf06a3c
  SHA512: 3330026dc17706f9e9410bd8b92efe7ee7ecf5b3f1cf6a5981aff006bba6efec0ec7c4f7d9c387938f044e2fb603459c9389ad447c8bdedf4fcdbe8d2a9e8478
- C:\Users\Admin\AppData\Local\Temp\iduqnmxlqz.agd
  Filesize: 112KB
  MD5: b38a944979745d6f219bc27f8f18c386
  SHA1: 4dbc863add82130fa78bb6b713c5da57a636502b
  SHA256: 25d502a904053b724bf0fd456900311c4c5e186c645b4127698e41ac133fdc02
  SHA512: 3483486e75c871ce6b79f09492d8772839e82bf602fe4a69d8f4a8e9913de8e404fc9cc70425f1e277572fe47c4b7ec6a873cf2e6a430ec234a1e0c82ac09a41
- C:\Users\Admin\AppData\Local\Temp\latjgmqbzpm.v
  Filesize: 4KB
  MD5: 984564f070f9bc6d12afa48496da12df
  SHA1: ee02702166ba94915454401b8905ad10b31f511c
  SHA256: 1d751e623004c3243bd2fb6d5cecf57fc78ad0de6ebff4a83491214b4644b692
  SHA512: 8013cb62eb14dbe7c2074f983354d414a3ac9b2979e053e56dd0a45507d6e6d0132ddde24fd27e1db5417342f302e16329d1e5b4f52facbbf71fbd39dd814784
- memory/260-139-0x0000000000000000-mapping.dmp
- memory/2000-137-0x0000000000000000-mapping.dmp
- memory/4576-132-0x0000000000000000-mapping.dmp