Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
61s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
05/10/2022, 08:26
Static task
static1
Behavioral task
behavioral1
Sample
Einkaufsangebot CVE6535.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Einkaufsangebot CVE6535.exe
Resource
win10v2004-20220901-en
General
-
Target
Einkaufsangebot CVE6535.exe
-
Size
611KB
-
MD5
a6518b17fc95da854411bd7aad66b086
-
SHA1
cce92811b63765fe200a25e198c779f44a4fe3fa
-
SHA256
e2be18a1837126e8b30cebe2e5db877405b7b7b3a5c81f47a6158f029cd5e534
-
SHA512
dfa5380c236918a157da9d62fe8b0ed2dd62056af246c2985f0d03f52469bdd268d3c2da54643280697d6f06e6ef5bf1baae63dbc4822e75ffa8467f31d60d4e
-
SSDEEP
12288:z9s5ELXBIyM65vIzO1ReDP9GHo8yHNz4BqsADYsiN:B+usSgzgI9tExAYtN
Malware Config
Extracted
azorult
http://141.98.6.75/dike/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Loads dropped DLL 4 IoCs
pid Process 3816 aspnet_compiler.exe 3816 aspnet_compiler.exe 3816 aspnet_compiler.exe 3816 aspnet_compiler.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook aspnet_compiler.exe Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook aspnet_compiler.exe Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook aspnet_compiler.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3724 set thread context of 3816 3724 Einkaufsangebot CVE6535.exe 89 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 aspnet_compiler.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString aspnet_compiler.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3816 aspnet_compiler.exe 3816 aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3724 wrote to memory of 3816 3724 Einkaufsangebot CVE6535.exe 89 PID 3724 wrote to memory of 3816 3724 Einkaufsangebot CVE6535.exe 89 PID 3724 wrote to memory of 3816 3724 Einkaufsangebot CVE6535.exe 89 PID 3724 wrote to memory of 3816 3724 Einkaufsangebot CVE6535.exe 89 PID 3724 wrote to memory of 3816 3724 Einkaufsangebot CVE6535.exe 89 PID 3724 wrote to memory of 3816 3724 Einkaufsangebot CVE6535.exe 89 PID 3724 wrote to memory of 3816 3724 Einkaufsangebot CVE6535.exe 89 PID 3724 wrote to memory of 3816 3724 Einkaufsangebot CVE6535.exe 89 PID 3724 wrote to memory of 3816 3724 Einkaufsangebot CVE6535.exe 89 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook aspnet_compiler.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook aspnet_compiler.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Einkaufsangebot CVE6535.exe"C:\Users\Admin\AppData\Local\Temp\Einkaufsangebot CVE6535.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:3816
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
135KB
MD59e682f1eb98a9d41468fc3e50f907635
SHA185e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
-
Filesize
429KB
MD5109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
Filesize
1.2MB
MD5556ea09421a0f74d31c4c0a89a70dc23
SHA1f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA5122481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
-
Filesize
81KB
MD57587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f