Analysis
- max time kernel: 142s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230831-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/09/2023, 17:11
Static task
- static1

Behavioral task
- behavioral1
  Sample: 6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe
  Resource: win7-20230831-en

Behavioral task
- behavioral2
  Sample: 6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe
  Resource: win10v2004-20230831-en
General
- Target: 6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe
- Size: 612KB
- MD5: e8deb5283ad5d23b0837bdec68ba5fd3
- SHA1: f6b2d51ae637fed40d14e101004150f558dcc7d2
- SHA256: 6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597
- SHA512: 9b6a3b0ea14c4877bc5135cfa304315e19bc043c3c84a3ca4eedd9df060fc5584e3766548d1294adb2e9a3c173a8103221e14bc1c9e1ae3ac22ce739c09d0f72
- SSDEEP: 6144:SgORa6xKTuuuqjL7IMLeSC3cwyOPhcn4H5Gx1+tp2MI4OFiDLBH73E55ag6WqRrJ:Sgm/SOhhcnj8mcBHLzg6WsrwuwHn2
Malware Config
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  description: File opened (read-only) | ioc: C:\Program Files\Qemu-ga\qemu-ga.exe | process: 6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe (reported twice, once per process)
- Loads dropped DLL (8 IoCs)
  pid: 4264 | process: 6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe (8 occurrences)
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid: 3352 | process: 6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid: 4264 | process: 6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe
  pid: 3352 | process: 6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 4264 set thread context of 3352 | pid: 4264 | process: 6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe | procid_target: 98
- Drops file in Windows directory (1 IoC)
  description: File opened for modification | ioc: C:\Windows\resources\0409\eviler.sst | process: 6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid: 4264 | process: 6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  description: PID 4264 wrote to memory of 3352 | pid: 4264 | process: 6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe | procid_target: 98 (5 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe"
  PID: 4264
  - Checks QEMU agent file
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - child process: C:\Users\Admin\AppData\Local\Temp\6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe"
    PID: 3352
    - Checks QEMU agent file
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 12KB (listed 3 times in the report)
  MD5: 6e55a6e7c3fdbd244042eb15cb1ec739
  SHA1: 070ea80e2192abc42f358d47b276990b5fa285a9
  SHA256: acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
  SHA512: 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35
- Filesize: 7KB (listed 7 times in the report)
  MD5: ec9c99216ef11cdd85965e78bc797d2c
  SHA1: 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
  SHA256: c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
  SHA512: 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1