Analysis
  max time kernel: 120s
  max time network: 125s
  platform: windows7_x64
  resource: win7-20230831-en
  resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  submitted: 15/09/2023, 12:59
Static task: static1
Behavioral task: behavioral1
  Sample: 7d866f33d86d517e58175b598f292c82bce331c511091472ea8249998cbe5b8c_JC.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 7d866f33d86d517e58175b598f292c82bce331c511091472ea8249998cbe5b8c_JC.exe
  Resource: win10v2004-20230915-en
General
  Target: 7d866f33d86d517e58175b598f292c82bce331c511091472ea8249998cbe5b8c_JC.exe
  Size: 389KB
  MD5: 62b4021de4dfbdfd7f7be8272cbfc2c7
  SHA1: 5060bb5bb232f2064b9bdcccacf99463248a9305
  SHA256: 7d866f33d86d517e58175b598f292c82bce331c511091472ea8249998cbe5b8c
  SHA512: 79fac5b4b8483a8d1b3d522ab396fd7ed7ef6f45a859f20e9d85804ae2e492f6202318f9f3800366f98278b093bcb9b993ddc8530e5cd0baffc0a7d1008b318e
  SSDEEP: 6144:iYa6HIhVJ9et8OgP+UQitXPDyzPtVg8612Q9J63z/6cS:iYRwFebgWU9tbyYX1t9J63b6t
Malware Config
  Extracted: azorult
  http://185.29.11.60/roth3/Panel/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (2 IoCs)
  pid   Process
  1960  lxemyukmfl.exe
  2364  lxemyukmfl.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  1512  7d866f33d86d517e58175b598f292c82bce331c511091472ea8249998cbe5b8c_JC.exe
  1960  lxemyukmfl.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process         procid_target
  PID 1960 set thread context of 2364  1960  lxemyukmfl.exe  30
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1960  lxemyukmfl.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 1512 wrote to memory of 1960  1512  7d866f33d86d517e58175b598f292c82bce331c511091472ea8249998cbe5b8c_JC.exe  29
  PID 1512 wrote to memory of 1960  1512  7d866f33d86d517e58175b598f292c82bce331c511091472ea8249998cbe5b8c_JC.exe  29
  PID 1512 wrote to memory of 1960  1512  7d866f33d86d517e58175b598f292c82bce331c511091472ea8249998cbe5b8c_JC.exe  29
  PID 1512 wrote to memory of 1960  1512  7d866f33d86d517e58175b598f292c82bce331c511091472ea8249998cbe5b8c_JC.exe  29
  PID 1960 wrote to memory of 2364  1960  lxemyukmfl.exe                                                            30
  PID 1960 wrote to memory of 2364  1960  lxemyukmfl.exe                                                            30
  PID 1960 wrote to memory of 2364  1960  lxemyukmfl.exe                                                            30
  PID 1960 wrote to memory of 2364  1960  lxemyukmfl.exe                                                            30
  PID 1960 wrote to memory of 2364  1960  lxemyukmfl.exe                                                            30
Processes
1. C:\Users\Admin\AppData\Local\Temp\7d866f33d86d517e58175b598f292c82bce331c511091472ea8249998cbe5b8c_JC.exe
   "C:\Users\Admin\AppData\Local\Temp\7d866f33d86d517e58175b598f292c82bce331c511091472ea8249998cbe5b8c_JC.exe"
   PID: 1512
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\lxemyukmfl.exe
      "C:\Users\Admin\AppData\Local\Temp\lxemyukmfl.exe"
      PID: 1960
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\lxemyukmfl.exe
         "C:\Users\Admin\AppData\Local\Temp\lxemyukmfl.exe"
         PID: 2364
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 132KB
  MD5: 519f7ccde705b37f8106c1fa6da5c674
  SHA1: dbf81fd45511d2ee76c4b01cb714af1dfa2686a5
  SHA256: e0ca894ac3c86af132989856491a0d2429f4695f4a505760780a69a2400b0c65
  SHA512: 91ff71073aad7824804434dfac6f7ae4804390e036bd4c16521f14ee6baa2a9b3eab3fad1c3954a1d8f3c578e2d028d23932d351be9a70401996a0f8f0d899ad
- Filesize: 164KB
  MD5: adbf55bf115a8450541d6ce07a4132f3
  SHA1: ca34cd2bd070070dc642e2af471aec27c38896dc
  SHA256: 1134f96d07e5ee5206ffbacce888cb5abece3112f8cd0513b79753dd6543d9ad
  SHA512: 78fc336fff322e722b5684892199a1906ee3077a6634e1d25d527f31d37291f547ba376d338786a4e4628f1801947bc7c332290a4fad8b308b97ed2b1fdbd7cc