f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3

General

Target

f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
Size

328KB
MD5

366d97157eac76fd1e06a2845e24a5b1
SHA1

53374813284e934e7a57f590fbf44cd97a2af3ee
SHA256

f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3
SHA512

404fbbe5cfee174f2d21071d8bbc0e61ab1e9f69604b898f0645817e0f4655d21df0de2139b4bae76127c1384c39532e719f756d53d5e0310d552e6a2b4154d2
SSDEEP

6144:5NyF/LMHaCjQNiOKzHkVF8C+zV5qEiiYGZSVQg6GreDBSBcnTSbYqm:HytLCBkBKmF8TzkcEeQBGEm

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

azuc.exeazuc.exe

pid process

668 azuc.exe
1160 azuc.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

344 cmd.exe

pid	process
668	azuc.exe
1160	azuc.exe

pid	process
344	cmd.exe

Loads dropped DLL 3 IoCs

Processes:

f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exeazuc.exe

pid	process
2008	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
2008	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
668	azuc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

azuc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	azuc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Azuc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Buyh\\azuc.exe"	azuc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exeazuc.exe

description	pid	process	target process
PID 1668 set thread context of 2008	1668	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
PID 668 set thread context of 1160	668	azuc.exe	azuc.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exef4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exeazuc.exeazuc.exe

pid	process
1668	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
1668	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
2008	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
668	azuc.exe
668	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe
1160	azuc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exeazuc.exe

pid	process
1668	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
1668	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
668	azuc.exe
668	azuc.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exef4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exeazuc.exeazuc.exe

description	pid	process	target process
PID 1668 wrote to memory of 2008	1668	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
PID 1668 wrote to memory of 2008	1668	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
PID 1668 wrote to memory of 2008	1668	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
PID 1668 wrote to memory of 2008	1668	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
PID 1668 wrote to memory of 2008	1668	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
PID 1668 wrote to memory of 2008	1668	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
PID 1668 wrote to memory of 2008	1668	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
PID 1668 wrote to memory of 2008	1668	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
PID 1668 wrote to memory of 2008	1668	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
PID 1668 wrote to memory of 2008	1668	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
PID 2008 wrote to memory of 668	2008	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe	azuc.exe
PID 2008 wrote to memory of 668	2008	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe	azuc.exe
PID 2008 wrote to memory of 668	2008	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe	azuc.exe
PID 2008 wrote to memory of 668	2008	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe	azuc.exe
PID 668 wrote to memory of 1160	668	azuc.exe	azuc.exe
PID 668 wrote to memory of 1160	668	azuc.exe	azuc.exe
PID 668 wrote to memory of 1160	668	azuc.exe	azuc.exe
PID 668 wrote to memory of 1160	668	azuc.exe	azuc.exe
PID 668 wrote to memory of 1160	668	azuc.exe	azuc.exe
PID 668 wrote to memory of 1160	668	azuc.exe	azuc.exe
PID 668 wrote to memory of 1160	668	azuc.exe	azuc.exe
PID 668 wrote to memory of 1160	668	azuc.exe	azuc.exe
PID 668 wrote to memory of 1160	668	azuc.exe	azuc.exe
PID 668 wrote to memory of 1160	668	azuc.exe	azuc.exe
PID 2008 wrote to memory of 344	2008	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe	cmd.exe
PID 2008 wrote to memory of 344	2008	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe	cmd.exe
PID 2008 wrote to memory of 344	2008	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe	cmd.exe
PID 2008 wrote to memory of 344	2008	f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe	cmd.exe
PID 1160 wrote to memory of 1116	1160	azuc.exe	taskhost.exe
PID 1160 wrote to memory of 1116	1160	azuc.exe	taskhost.exe
PID 1160 wrote to memory of 1116	1160	azuc.exe	taskhost.exe
PID 1160 wrote to memory of 1116	1160	azuc.exe	taskhost.exe
PID 1160 wrote to memory of 1116	1160	azuc.exe	taskhost.exe
PID 1160 wrote to memory of 1168	1160	azuc.exe	Dwm.exe
PID 1160 wrote to memory of 1168	1160	azuc.exe	Dwm.exe
PID 1160 wrote to memory of 1168	1160	azuc.exe	Dwm.exe
PID 1160 wrote to memory of 1168	1160	azuc.exe	Dwm.exe
PID 1160 wrote to memory of 1168	1160	azuc.exe	Dwm.exe
PID 1160 wrote to memory of 1224	1160	azuc.exe	Explorer.EXE
PID 1160 wrote to memory of 1224	1160	azuc.exe	Explorer.EXE
PID 1160 wrote to memory of 1224	1160	azuc.exe	Explorer.EXE
PID 1160 wrote to memory of 1224	1160	azuc.exe	Explorer.EXE
PID 1160 wrote to memory of 1224	1160	azuc.exe	Explorer.EXE

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
"C:\Users\Admin\AppData\Local\Temp\f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
C:\Users\Admin\AppData\Local\Temp\f4c3fbcb0cb49eb172a787d7f28e9498314a4eb4e816adfdb1fe21442ab75eb3.exe
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\Buyh\azuc.exe
"C:\Users\Admin\AppData\Local\Temp\Buyh\azuc.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:668

C:\Users\Admin\AppData\Local\Temp\Buyh\azuc.exe
C:\Users\Admin\AppData\Local\Temp\Buyh\azuc.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MIU878A.bat"
4⤵
- Deletes itself
PID:344

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Buyh\azuc.exe

Filesize
328KB

MD5
686721b42303d2edddd7bcdbcf020dc0

SHA1
c60fc44ba90c2ed470f996882b2e65eb0319d286

SHA256
ba552441aa98a3b884c79cb6fffe1d92a5c1a61e4fb7a5af00c631f81fef5645

SHA512
5b1b18aeb8f6b48c16ba923ab347658a0196e2d23255307095c5ce7c87252e3a11b67818cf4ade45c3416eaaffc49bc67fd123ee44d1f93670375fdb643f7b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Buyh\azuc.exe

Filesize
328KB

MD5
686721b42303d2edddd7bcdbcf020dc0

SHA1
c60fc44ba90c2ed470f996882b2e65eb0319d286

SHA256
ba552441aa98a3b884c79cb6fffe1d92a5c1a61e4fb7a5af00c631f81fef5645

SHA512
5b1b18aeb8f6b48c16ba923ab347658a0196e2d23255307095c5ce7c87252e3a11b67818cf4ade45c3416eaaffc49bc67fd123ee44d1f93670375fdb643f7b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Buyh\azuc.exe

Filesize
328KB

MD5
686721b42303d2edddd7bcdbcf020dc0

SHA1
c60fc44ba90c2ed470f996882b2e65eb0319d286

SHA256
ba552441aa98a3b884c79cb6fffe1d92a5c1a61e4fb7a5af00c631f81fef5645

SHA512
5b1b18aeb8f6b48c16ba923ab347658a0196e2d23255307095c5ce7c87252e3a11b67818cf4ade45c3416eaaffc49bc67fd123ee44d1f93670375fdb643f7b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIU878A.bat

Filesize
280B

MD5
118812e10e07fca12e272b0d837a10be

SHA1
76bd1c612adfbfa0ef739fad7098365c38a5a25f

SHA256
5f503bf7633c3b3206b8538d520cb94099e0cda3e1f9be2faa58329c6b47c3ed

SHA512
4ab419168cf7362445c05733d5d5cf878999825d71fdcd23050add7afa7bbae3a6a3868b4d65ccce104d3395e5f638934d1a3b34018bd29b0da3cb523f621600

Download Submit
\Users\Admin\AppData\Local\Temp\Buyh\azuc.exe

Filesize
328KB

MD5
686721b42303d2edddd7bcdbcf020dc0

SHA1
c60fc44ba90c2ed470f996882b2e65eb0319d286

SHA256
ba552441aa98a3b884c79cb6fffe1d92a5c1a61e4fb7a5af00c631f81fef5645

SHA512
5b1b18aeb8f6b48c16ba923ab347658a0196e2d23255307095c5ce7c87252e3a11b67818cf4ade45c3416eaaffc49bc67fd123ee44d1f93670375fdb643f7b9d

Download Submit
\Users\Admin\AppData\Local\Temp\Buyh\azuc.exe

Filesize
328KB

MD5
686721b42303d2edddd7bcdbcf020dc0

SHA1
c60fc44ba90c2ed470f996882b2e65eb0319d286

SHA256
ba552441aa98a3b884c79cb6fffe1d92a5c1a61e4fb7a5af00c631f81fef5645

SHA512
5b1b18aeb8f6b48c16ba923ab347658a0196e2d23255307095c5ce7c87252e3a11b67818cf4ade45c3416eaaffc49bc67fd123ee44d1f93670375fdb643f7b9d

Download Submit
\Users\Admin\AppData\Local\Temp\Buyh\azuc.exe

Filesize
328KB

MD5
686721b42303d2edddd7bcdbcf020dc0

SHA1
c60fc44ba90c2ed470f996882b2e65eb0319d286

SHA256
ba552441aa98a3b884c79cb6fffe1d92a5c1a61e4fb7a5af00c631f81fef5645

SHA512
5b1b18aeb8f6b48c16ba923ab347658a0196e2d23255307095c5ce7c87252e3a11b67818cf4ade45c3416eaaffc49bc67fd123ee44d1f93670375fdb643f7b9d

Download Submit
memory/344-95-0x0000000000000000-mapping.dmp

Download
memory/668-74-0x0000000000000000-mapping.dmp

Download
memory/1116-100-0x0000000001CB0000-0x0000000001CF2000-memory.dmp

Filesize
264KB

Download
memory/1116-99-0x0000000001CB0000-0x0000000001CF2000-memory.dmp

Filesize
264KB

Download
memory/1116-101-0x0000000001CB0000-0x0000000001CF2000-memory.dmp

Filesize
264KB

Download
memory/1116-102-0x0000000001CB0000-0x0000000001CF2000-memory.dmp

Filesize
264KB

Download
memory/1160-93-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1160-88-0x0000000000426135-mapping.dmp

Download
memory/1168-108-0x0000000001AF0000-0x0000000001B32000-memory.dmp

Filesize
264KB

Download
memory/1168-107-0x0000000001AF0000-0x0000000001B32000-memory.dmp

Filesize
264KB

Download
memory/1168-106-0x0000000001AF0000-0x0000000001B32000-memory.dmp

Filesize
264KB

Download
memory/1168-105-0x0000000001AF0000-0x0000000001B32000-memory.dmp

Filesize
264KB

Download
memory/1224-111-0x0000000002B00000-0x0000000002B42000-memory.dmp

Filesize
264KB

Download
memory/1224-112-0x0000000002B00000-0x0000000002B42000-memory.dmp

Filesize
264KB

Download
memory/1224-113-0x0000000002B00000-0x0000000002B42000-memory.dmp

Filesize
264KB

Download
memory/1224-114-0x0000000002B00000-0x0000000002B42000-memory.dmp

Filesize
264KB

Download
memory/1668-65-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download
memory/1668-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download
memory/2008-64-0x0000000000426135-mapping.dmp

Download
memory/2008-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-94-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-59-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-69-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-70-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads