Analysis
- max time kernel: 56s
- max time network: 63s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 12-03-2023 08:37

Static task: static1

Behavioral task: behavioral1
- Sample: NLBrute 1.2 Crack x64/NLB_Licenz/NLB_Licenz/NLBrute 1.2 x64 & VPN - KeyGen.exe
- Resource: win10-20230220-en

Behavioral task: behavioral2
- Sample: NLBrute 1.2 Crack x64/NLB_Licenz/NLB_Licenz/NLBrute 1.2 x64 & VPN - KeyGen.exe
- Resource: win10v2004-20230221-en
General
- Target: NLBrute 1.2 Crack x64/NLB_Licenz/NLB_Licenz/NLBrute 1.2 x64 & VPN - KeyGen.exe
- Size: 9.7MB
- MD5: 1b5675c93a01b5086a60aa3856a4e4f8
- SHA1: 4147f00569cb6dbcc2e7787663bcefb4b30243e2
- SHA256: 1db16882d923db80879a7d8d3fa724414e043b91ab160608c99a11df0651280f
- SHA512: 1ba9903c1d8ca5073abc94301286e71b3126252eb9e77c0b692c042aecd23977d1ff90ee2e203bcba090ffc12cd4fab00d406d998da288ecc64c5f60c708211a
- SSDEEP: 196608:7CKGs7lPGbFRoaNhBv5IFNW0Y0G6zZ7UAuAxid8Om6:eopoucRiK0Yq73xgP
Malware Config
- Extracted family: azorult
- Extracted URL: http://updateinstall.xyz/6616a.php
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  3564  gazcrypt.vmp.exe
  460   NLBrute 1.2 x64 & VPN - KeyGen.exe

Processes:
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\autBCFC.tmp                                 vmprotect
  C:\Users\Admin\AppData\Roaming\Z83687757\gazcrypt.vmp.exe                     vmprotect
  C:\Users\Admin\AppData\Roaming\Z83687757\gazcrypt.vmp.exe                     vmprotect
  behavioral1/memory/3564-159-0x0000000000130000-0x0000000000C59000-memory.dmp  vmprotect

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/3564-159-0x0000000000130000-0x0000000000C59000-memory.dmp  autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
  pid   process
  3564  gazcrypt.vmp.exe
  460   NLBrute 1.2 x64 & VPN - KeyGen.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process           target process
  PID 3564 set thread context of 1104  3564  gazcrypt.vmp.exe  WerFault.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid   process                             events
  460   NLBrute 1.2 x64 & VPN - KeyGen.exe  2
  3564  gazcrypt.vmp.exe                    4

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
  pid   process           events
  3564  gazcrypt.vmp.exe  3

Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
  pid   process           events
  3564  gazcrypt.vmp.exe  3

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description                       pid   process                             target process                      events
  PID 3272 wrote to memory of 3564  3272  NLBrute 1.2 x64 & VPN - KeyGen.exe  gazcrypt.vmp.exe                    3
  PID 3272 wrote to memory of 460   3272  NLBrute 1.2 x64 & VPN - KeyGen.exe  NLBrute 1.2 x64 & VPN - KeyGen.exe  3
  PID 3564 wrote to memory of 1104  3564  gazcrypt.vmp.exe                    WerFault.exe                        11
Processes

C:\Users\Admin\AppData\Local\Temp\NLBrute 1.2 Crack x64\NLB_Licenz\NLB_Licenz\NLBrute 1.2 x64 & VPN - KeyGen.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\NLBrute 1.2 Crack x64\NLB_Licenz\NLB_Licenz\NLBrute 1.2 x64 & VPN - KeyGen.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Z83687757\gazcrypt.vmp.exe (level 2)
    command line: "C:\Users\Admin\AppData\Roaming\Z83687757\gazcrypt.vmp.exe"
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe (level 3)
      command line: "C:\Windows\SysWOW64\WerFault.exe"

  C:\Users\Admin\AppData\Roaming\Z83687757\NLBrute 1.2 x64 & VPN - KeyGen.exe (level 2)
    command line: "C:\Users\Admin\AppData\Roaming\Z83687757\NLBrute 1.2 x64 & VPN - KeyGen.exe"
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\autBCFC.tmp
  Filesize: 6.4MB
  MD5: b1650cdb13624dba5987826fd2d392b9
  SHA1: 62bec6f5d788addd2c283eb797cc4ed238922d48
  SHA256: e7a38781ced5e8b231088febeaff2d727d6dfc510e793b5709d205202db1d51d
  SHA512: c6f6002be7ad8f52aa4853396f0e0a72c24dd788706ba0021cfbd9dd7e6b47aeef721fcc1887fb471ed2c908d01a10476c530f599596dfb9742630af9b8c758f

C:\Users\Admin\AppData\Local\Temp\autD13F.tmp
  Filesize: 108KB
  MD5: fbf51fdf1bca703c86d1c33e579d3ea6
  SHA1: 62e1920158012842cfde52e12554a11a924a60ca
  SHA256: b9ce3c6fbb683c935bbb67f0f94e9721dafe8508a74a9383690fefcea35be424
  SHA512: f874b52e1bdd06f6e15fac27b278765331328f3b86064cd2607a7ec0c22e88896ef5475e5336b4091845607a03e23404ba18834f039cb7ac8417e99346d08830

C:\Users\Admin\AppData\Roaming\Z83687757\NLBrute 1.2 x64 & VPN - KeyGen.exe
  Filesize: 2.5MB
  MD5: 62b039b2af7bf5f6abf35ef903024300
  SHA1: 4ae220e451482e839619c2e927752468e0eda8d5
  SHA256: 83d7f6eaf7fe075503ea6a0bc726633c34595a6eae7edd7deab95ab4d4a66fd5
  SHA512: 8abcf2fb422465fa578eb59e2788317ef88360551b675c964e03475a865e22dd4b86550bb442c1823fa72de059cedb438cac34538dcb291ccdb22fd34ee5433e

C:\Users\Admin\AppData\Roaming\Z83687757\gazcrypt.vmp.exe
  Filesize: 6.4MB
  MD5: b1650cdb13624dba5987826fd2d392b9
  SHA1: 62bec6f5d788addd2c283eb797cc4ed238922d48
  SHA256: e7a38781ced5e8b231088febeaff2d727d6dfc510e793b5709d205202db1d51d
  SHA512: c6f6002be7ad8f52aa4853396f0e0a72c24dd788706ba0021cfbd9dd7e6b47aeef721fcc1887fb471ed2c908d01a10476c530f599596dfb9742630af9b8c758f

memory/460-167-0x0000000003710000-0x00000000037E6000-memory.dmp    Filesize: 856KB
memory/460-144-0x0000000077F60000-0x0000000077F61000-memory.dmp    Filesize: 4KB
memory/460-143-0x0000000003C90000-0x0000000003DA2000-memory.dmp    Filesize: 1.1MB
memory/460-141-0x0000000000400000-0x0000000001B3C000-memory.dmp    Filesize: 23.2MB
memory/460-160-0x0000000003710000-0x00000000037E6000-memory.dmp    Filesize: 856KB
memory/460-165-0x0000000003710000-0x00000000037E6000-memory.dmp    Filesize: 856KB
memory/460-155-0x0000000003C90000-0x0000000003DA2000-memory.dmp    Filesize: 1.1MB
memory/460-157-0x0000000003C90000-0x0000000003DA2000-memory.dmp    Filesize: 1.1MB
memory/1104-177-0x0000000000400000-0x0000000000420000-memory.dmp   Filesize: 128KB
memory/1104-176-0x0000000000400000-0x0000000000420000-memory.dmp   Filesize: 128KB
memory/3564-153-0x00000000014E0000-0x00000000014E1000-memory.dmp   Filesize: 4KB
memory/3564-156-0x0000000001500000-0x0000000001501000-memory.dmp   Filesize: 4KB
memory/3564-158-0x0000000001510000-0x0000000001511000-memory.dmp   Filesize: 4KB
memory/3564-159-0x0000000000130000-0x0000000000C59000-memory.dmp   Filesize: 11.2MB
memory/3564-154-0x00000000014F0000-0x00000000014F1000-memory.dmp   Filesize: 4KB
memory/3564-150-0x00000000014D0000-0x00000000014D1000-memory.dmp   Filesize: 4KB
memory/3564-145-0x0000000001480000-0x0000000001481000-memory.dmp   Filesize: 4KB
memory/3564-148-0x00000000014B0000-0x00000000014B1000-memory.dmp   Filesize: 4KB
memory/3564-147-0x00000000014A0000-0x00000000014A1000-memory.dmp   Filesize: 4KB