Analysis
- max time kernel: 121s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-03-2023 07:13

Static task: static1
Behavioral task: behavioral1
  Sample: Подтверждение оплаты.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Подтверждение оплаты.exe
  Resource: win10v2004-20230220-en
General
- Target: Подтверждение оплаты.exe (Russian for "Payment confirmation.exe")
- Size: 183KB
- MD5: f99952ddfded19b9ee7c0fd893bc67c3
- SHA1: 68674af1e9ca690a3e2f2c693b2b1b8601a86aa9
- SHA256: 35f51638db79fc84e255ab2062e9bd239faf523ff161cbcc613159d4db8a5a50
- SHA512: 759b8956572877261e4676485e1a498227e07b796924e323cdfb0d7c7f5a9f779d5f4528b8006348b7f6302fecbf9683dbe6159163b90b85ee3b0b178d7eac8d
- SSDEEP: 3072:GfY/TU9fE9PEtuMTSkvV0bM6/vS1RrSs3HT+1ze/8kP6uVeYxqJwTT7AbLPNZgVK:wYa60BAnSHrJy6RAJwTaYVK
Malware Config
Extracted (family: azorult)
- C2 URL: http://85.31.45.29/office/index.php
Signatures
- Azorult
  An information stealer first seen in 2016 that targets browser history and saved credentials.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1816  jfzyw.exe
    676   jfzyw.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                   pid   process    target process
    PID 1816 set thread context of 676   jfzyw.exe  jfzyw.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature reads "likely ransomware behaviour"; for an Azorult sample, drive enumeration is more consistent with file and credential collection, so treat the label as a heuristic rather than a classification.
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    1816  jfzyw.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                      pid   process                  target process
    PID 4900 wrote to memory of 1816  4900  Подтверждение оплаты.exe  jfzyw.exe
    PID 4900 wrote to memory of 1816  4900  Подтверждение оплаты.exe  jfzyw.exe
    PID 4900 wrote to memory of 1816  4900  Подтверждение оплаты.exe  jfzyw.exe
    PID 1816 wrote to memory of 676   1816  jfzyw.exe                jfzyw.exe
    PID 1816 wrote to memory of 676   1816  jfzyw.exe                jfzyw.exe
    PID 1816 wrote to memory of 676   1816  jfzyw.exe                jfzyw.exe
    PID 1816 wrote to memory of 676   1816  jfzyw.exe                jfzyw.exe
Processes
1. "C:\Users\Admin\AppData\Local\Temp\Подтверждение оплаты.exe" (PID 4900)
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\AppData\Local\Temp\jfzyw.exe" C:\Users\Admin\AppData\Local\Temp\efgylqxlyw.k (PID 1816)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. "C:\Users\Admin\AppData\Local\Temp\jfzyw.exe" (PID 676)
         - Executes dropped EXE
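The process chain above (the dropper, the dropped jfzyw.exe, and a second jfzyw.exe that receives WriteProcessMemory followed by SetThreadContext from the first) is the classic self-hollowing sequence: the loader starts a copy of its own image, overwrites it, and redirects its thread. As an added example that is not part of the sandbox report or of the Azorult sample, the Python below parses event lines written in the report's own wording (constructed here from the Signatures section), counts writes and thread-context changes per process pair, and flags the pair that shows both while sharing an image path. The PROCESSES map and the function names are assumptions for illustration.

```python
"""Flag the self-hollowing pattern recorded in the sandbox events above.

Added example, not the sandbox's or the malware's code. It works on event
lines in the report's wording ("PID <src> wrote to memory of <dst> ..." and
"PID <src> set thread context of <dst> ...").
"""
import re
from collections import defaultdict

# pid -> image path, constructed from the report's process tree (assumed layout).
PROCESSES = {
    4900: r"C:\Users\Admin\AppData\Local\Temp\Подтверждение оплаты.exe",
    1816: r"C:\Users\Admin\AppData\Local\Temp\jfzyw.exe",
    676: r"C:\Users\Admin\AppData\Local\Temp\jfzyw.exe",
}

# API events copied from the Signatures section (constructed sample input).
EVENTS = """\
PID 4900 wrote to memory of 1816 4900 Подтверждение оплаты.exe jfzyw.exe
PID 4900 wrote to memory of 1816 4900 Подтверждение оплаты.exe jfzyw.exe
PID 4900 wrote to memory of 1816 4900 Подтверждение оплаты.exe jfzyw.exe
PID 1816 wrote to memory of 676 1816 jfzyw.exe jfzyw.exe
PID 1816 wrote to memory of 676 1816 jfzyw.exe jfzyw.exe
PID 1816 wrote to memory of 676 1816 jfzyw.exe jfzyw.exe
PID 1816 wrote to memory of 676 1816 jfzyw.exe jfzyw.exe
PID 1816 set thread context of 676 1816 jfzyw.exe jfzyw.exe
"""

EVENT_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)\b")


def parse_events(text):
    """Return {(src_pid, dst_pid): {"write": n, "setctx": n}} from event lines."""
    pairs = defaultdict(lambda: {"write": 0, "setctx": 0})
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not API events
        src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
        pairs[(src, dst)]["write" if verb.startswith("wrote") else "setctx"] += 1
    return dict(pairs)


def find_hollowing(pairs, processes):
    """Pairs where src both wrote into dst and set a thread context in dst.

    WriteProcessMemory alone is common (a parent seeding a child's environment);
    the same parent then calling SetThreadContext on the child is the injection
    tell. self_image is True when both sides run the same image, i.e. the loader
    hollowed a suspended copy of itself rather than a system binary.
    """
    findings = []
    for (src, dst), c in pairs.items():
        if c["write"] and c["setctx"]:
            findings.append({
                "source_pid": src,
                "target_pid": dst,
                "writes": c["write"],
                "self_image": processes.get(src) == processes.get(dst),
            })
    return findings


def write_only_pairs(pairs):
    """Pairs with writes but no thread-context change; noisy on their own."""
    return sorted((s, d) for (s, d), c in pairs.items() if c["write"] and not c["setctx"])


if __name__ == "__main__":
    parsed = parse_events(EVENTS)
    for finding in find_hollowing(parsed, PROCESSES):
        print("hollowing candidate:", finding)
    print("write-only pairs (not flagged):", write_only_pairs(parsed))
```

On the report's events this flags only 1816 -> 676 (four writes, one SetThreadContext, same image), while the dropper's three writes into 1816 stay in the write-only bucket; that split is what keeps the rule from firing on ordinary parent/child start-up.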
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\efgylqxlyw.k
  Filesize: 5KB
  MD5: ff1412be3f6dbfbbdcc65e17c619a8cc
  SHA1: db58131c09eb548c3d317ab46975d28e414e8e68
  SHA256: 89894df471a72ecc008d3764d46acd9955fb55ddb0db6674ec037fdb134823a7
  SHA512: 4ee69782b6e0aa92ed96fb3c96fe7586a96fb80d6891cddcc6407a91bdb78229c7f0826715db37ff3f8995373c06aeb7e980bdcfc2f0a313cf646d2bfc603508
- C:\Users\Admin\AppData\Local\Temp\jfzyw.exe
  Filesize: 8KB
  MD5: 90bfe50257437f0a580ec7077dfa8555
  SHA1: 712735363da21a29025f4bab8ab2865fef609968
  SHA256: 3346a27bd201cb33b49ea9f769f003ec8126b46a299aae4c4b096682f2f675e9
  SHA512: 8ffe679945dd259db8a272047914dfbf813aa9e8323f454ead94aabbadaadaaa2b3fd316eee37e84910dd490a8ba3e792259165bfaea391ac7d3d6c6c448e603
- C:\Users\Admin\AppData\Local\Temp\qfnfsac.vl
  Filesize: 132KB
  MD5: a0a683ed99da1122981071a32f132ff8
  SHA1: f585ce727e0a8ddca66d68fc7ca506b4c59faabd
  SHA256: 6d4fda9fd0da10b893eb5a9c18b702b97c58e098191e21b7ce45b4255cd9613d
  SHA512: b7caecdfc4f96d4beeca23eae49439706ee830130d4a847eb10c3242c7c731fd7f4cea20ac14b4d36997519e126becb61aa479d6a5d4242d9cc50232973eb7b4
- memory/676-145-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/676-142-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/676-147-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/676-148-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
All four dumps are of PID 676, the second jfzyw.exe instance that received WriteProcessMemory and SetThreadContext from PID 1816, and cover the same 0x400000-0x420000 region; this is the region to carve for the unpacked payload.