Analysis
max time kernel: 91s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2022 07:46
Static task: static1
Behavioral task: behavioral1
  Sample: DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe
  Resource: win10v2004-20220812-en
General
Target: DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe
Size: 27KB
MD5: 4dc3ea5a5834d3dfdb1e539d639bbd40
SHA1: adb17342c8af9f6dfca3506ac9da9da886b81d88
SHA256: f4a373fc450be3031cd58ed55a1a1e3357851bc25a63c16f0804ea035d3b881d
SHA512: 1e1c0efdde9aba9b7472d92fdc2f95ea4b4beaec517737d98377b19dcdd2d992040ca32a9c0eea4a5d367040ea9e0acbd3b66a2d582e24d5100a725c84f593e7
SSDEEP: 384:xXqVQvSX3Ui4EGtI1g4+vU81Q5eBZAvmy8ZpHzGovUJAYkAYMjZB:wHXkTnlxUGQ5S+v7iRPPRMNB
Malware Config
Extracted
azorult
http://141.98.6.75/dike/index.php
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Suspicious use of SetThreadContext (1 IoC)
Processes:
description                        | pid  | process                                   | target process
PID 4752 set thread context of 4604 | 4752 | DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe | Caspol.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description              | pid  | process
Token: SeDebugPrivilege  | 4752 | DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description                      | pid  | process                                   | target process
PID 4752 wrote to memory of 4604 | 4752 | DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe | Caspol.exe
PID 4752 wrote to memory of 4604 | 4752 | DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe | Caspol.exe
PID 4752 wrote to memory of 4604 | 4752 | DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe | Caspol.exe
PID 4752 wrote to memory of 4604 | 4752 | DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe | Caspol.exe
PID 4752 wrote to memory of 4604 | 4752 | DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe | Caspol.exe
PID 4752 wrote to memory of 4604 | 4752 | DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe | Caspol.exe
PID 4752 wrote to memory of 4604 | 4752 | DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe | Caspol.exe
PID 4752 wrote to memory of 4604 | 4752 | DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe | Caspol.exe
PID 4752 wrote to memory of 4604 | 4752 | DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe | Caspol.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe (child of 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
Network
MITRE ATT&CK Matrix
Downloads
memory/4604-133-0x0000000000000000-mapping.dmp
memory/4604-134-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
memory/4604-136-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
memory/4604-137-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
memory/4752-132-0x0000000000210000-0x000000000021A000-memory.dmp (Filesize: 40KB)