Overview

overview

10

Static

static

1

043c0f35c4...70.exe

windows7-x64

10

043c0f35c4...70.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    78s
  • max time network
    72s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    05-04-2023 15:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    043c0f35c48bfc42f8e8aa3684ff7277e9655a0a57d8fc959462bae10652a670.exe

  • Size

    287KB

  • MD5

    0da730fe948ac7f7e696ec547521da93

  • SHA1

    b4df4f154195438c5c7bdcc3d72a71b816cfbd7c

  • SHA256

    043c0f35c48bfc42f8e8aa3684ff7277e9655a0a57d8fc959462bae10652a670

  • SHA512

    d712e52e9128c8e180d47093cd4f3fe1dba844c71183bab5bb992b4e461be25a4996b17b8847213b358a7c5071863749f31b20ebc898c881b2f5b43a19fa5e07

  • SSDEEP

    6144:gYa6oBcDavcqOnPmLBD1K0KAQlUjMRyIkwlqSgcoYk0gd:gYhDRqu+LHK7AeUjJivBpk0U

Score
10/10
azorultinfostealertrojan

Malware Config

Extracted

Family

azorult

C2

http://85.31.45.29/myoffice/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\043c0f35c48bfc42f8e8aa3684ff7277e9655a0a57d8fc959462bae10652a670.exe
    "C:\Users\Admin\AppData\Local\Temp\043c0f35c48bfc42f8e8aa3684ff7277e9655a0a57d8fc959462bae10652a670.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:928
    • C:\Users\Admin\AppData\Local\Temp\tousxmpmwh.exe
      "C:\Users\Admin\AppData\Local\Temp\tousxmpmwh.exe" C:\Users\Admin\AppData\Local\Temp\qbzkcposml.yl
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Users\Admin\AppData\Local\Temp\tousxmpmwh.exe
        "C:\Users\Admin\AppData\Local\Temp\tousxmpmwh.exe"
        3⤵
        • Executes dropped EXE
        PID:540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hcrohh.h
    Filesize

    132KB

    MD5

    401d89be89d59a672203d4aa91590c84

    SHA1

    d60c9460c20e4afc982c55cc708e8c3b9b105c7f

    SHA256

    a7a6228fabf92b171367582b6c5c43055db82974da48dca52c8ede5ecd4e9eef

    SHA512

    ebbec0614381f790a41bce37c3eb70c6707a5c14f68d8bb5df72da2c332c3c2854186892accde667f363cdcb36cf50007aff95410bbec159e4cee698de1d3a54

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\qbzkcposml.yl
    Filesize

    5KB

    MD5

    b1f4d0ece6e61376439b6e192fcdb6cb

    SHA1

    68e91da80cdab8d711b8a7ebd8f6dff799a4412b

    SHA256

    510f967ff571259876e69343652e47a9f3682472960801601f8c13bc2a424e93

    SHA512

    92bbe9cff7929ac4ee9816778d6a883feb4cb87e0c4c46128a53072abe5b10338c35520293de6c980dd5652cc635093fb9c42adc58e684f9cb56f6c422b4e646

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tousxmpmwh.exe
    Filesize

    255KB

    MD5

    a1073b1a2a5bb110df27dde4242fd593

    SHA1

    b0ac71198bf3e7e25bd261f064342bd3d3101401

    SHA256

    353e6381e2d02ba8e9cac97f82ba7f4f0f2e70a669e34d510a8683e9eeb07b23

    SHA512

    a13a00341b4feec8d843cd263926e80058a139d5aa8e9c42596f797cf5810c21c17c231184977f3ababdaa6bafe1bc161691a4baffbd5a00e3d1ef407ef042da

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tousxmpmwh.exe
    Filesize

    255KB

    MD5

    a1073b1a2a5bb110df27dde4242fd593

    SHA1

    b0ac71198bf3e7e25bd261f064342bd3d3101401

    SHA256

    353e6381e2d02ba8e9cac97f82ba7f4f0f2e70a669e34d510a8683e9eeb07b23

    SHA512

    a13a00341b4feec8d843cd263926e80058a139d5aa8e9c42596f797cf5810c21c17c231184977f3ababdaa6bafe1bc161691a4baffbd5a00e3d1ef407ef042da

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tousxmpmwh.exe
    Filesize

    255KB

    MD5

    a1073b1a2a5bb110df27dde4242fd593

    SHA1

    b0ac71198bf3e7e25bd261f064342bd3d3101401

    SHA256

    353e6381e2d02ba8e9cac97f82ba7f4f0f2e70a669e34d510a8683e9eeb07b23

    SHA512

    a13a00341b4feec8d843cd263926e80058a139d5aa8e9c42596f797cf5810c21c17c231184977f3ababdaa6bafe1bc161691a4baffbd5a00e3d1ef407ef042da

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tousxmpmwh.exe
    Filesize

    255KB

    MD5

    a1073b1a2a5bb110df27dde4242fd593

    SHA1

    b0ac71198bf3e7e25bd261f064342bd3d3101401

    SHA256

    353e6381e2d02ba8e9cac97f82ba7f4f0f2e70a669e34d510a8683e9eeb07b23

    SHA512

    a13a00341b4feec8d843cd263926e80058a139d5aa8e9c42596f797cf5810c21c17c231184977f3ababdaa6bafe1bc161691a4baffbd5a00e3d1ef407ef042da

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tousxmpmwh.exe
    Filesize

    255KB

    MD5

    a1073b1a2a5bb110df27dde4242fd593

    SHA1

    b0ac71198bf3e7e25bd261f064342bd3d3101401

    SHA256

    353e6381e2d02ba8e9cac97f82ba7f4f0f2e70a669e34d510a8683e9eeb07b23

    SHA512

    a13a00341b4feec8d843cd263926e80058a139d5aa8e9c42596f797cf5810c21c17c231184977f3ababdaa6bafe1bc161691a4baffbd5a00e3d1ef407ef042da

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tousxmpmwh.exe
    Filesize

    255KB

    MD5

    a1073b1a2a5bb110df27dde4242fd593

    SHA1

    b0ac71198bf3e7e25bd261f064342bd3d3101401

    SHA256

    353e6381e2d02ba8e9cac97f82ba7f4f0f2e70a669e34d510a8683e9eeb07b23

    SHA512

    a13a00341b4feec8d843cd263926e80058a139d5aa8e9c42596f797cf5810c21c17c231184977f3ababdaa6bafe1bc161691a4baffbd5a00e3d1ef407ef042da

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tousxmpmwh.exe
    Filesize

    255KB

    MD5

    a1073b1a2a5bb110df27dde4242fd593

    SHA1

    b0ac71198bf3e7e25bd261f064342bd3d3101401

    SHA256

    353e6381e2d02ba8e9cac97f82ba7f4f0f2e70a669e34d510a8683e9eeb07b23

    SHA512

    a13a00341b4feec8d843cd263926e80058a139d5aa8e9c42596f797cf5810c21c17c231184977f3ababdaa6bafe1bc161691a4baffbd5a00e3d1ef407ef042da

    Download Submit
  • memory/540-68-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/540-71-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/540-73-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/540-79-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/540-81-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download