Overview

overview

10

Static

static

1

swift mesa...04.exe

windows7-x64

10

swift mesa...04.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2023 09:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    swift mesaj 2023.12.04.exe

  • Size

    935KB

  • MD5

    8f64113dc9e19be7417016a0baf25656

  • SHA1

    e86967e1246b3197d1140a85322795d8a1d59641

  • SHA256

    48927c22a54bd0c732fa641f180bd3a5dd5f85566c6e63f4def63a99f0aa71ce

  • SHA512

    576da16f367ca0aff047fcf01c52818ee653845bbace7984fe7aecdf140e7671f08115d8d9c4312bae7d77540209ce71c01e62db5a00f08b21fa30b92a77461c

  • SSDEEP

    24576:Xpp4VFAqWu63LfK8Gx6ajNlHgKUKV3hIgnY:5pOauoG1weNl15Cgn

Score
10/10
azorultguloaderdownloaderinfostealertrojan

Malware Config

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\swift mesaj 2023.12.04.exe
    "C:\Users\Admin\AppData\Local\Temp\swift mesaj 2023.12.04.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Users\Admin\AppData\Local\Temp\swift mesaj 2023.12.04.exe
      "C:\Users\Admin\AppData\Local\Temp\swift mesaj 2023.12.04.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1844

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Resources\netkortet.ini
    Filesize

    44B

    MD5

    ad691854b5e0587ed7af25c249a68fd5

    SHA1

    60a4465cfe7b6b663b9993fe958f8306de76d556

    SHA256

    b20bf1c3b7b6a17271b6a463eaac81ac8d2debc47950479047cf14ac51ca04c8

    SHA512

    2018e53a9c97641be6313912d3277f7aedc7788c74c0bd4574504892dc8ddeff9a206d59aa302c971a9a9e227a28055e790a94f747f3d5ab7762d2f64fb3d9b3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nso7003.tmp\System.dll
    Filesize

    12KB

    MD5

    0d7ad4f45dc6f5aa87f606d0331c6901

    SHA1

    48df0911f0484cbe2a8cdd5362140b63c41ee457

    SHA256

    3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    SHA512

    c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    Download Submit

  • memory/1844-39-0x0000000077420000-0x00000000775C9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1844-44-0x00000000729A0000-0x0000000073A02000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1844-43-0x00000000004F0000-0x0000000002242000-memory.dmp

    Filesize

    29.3MB

    Download

  • memory/1844-41-0x00000000004F0000-0x0000000002242000-memory.dmp

    Filesize

    29.3MB

    Download

  • memory/1844-40-0x00000000729A0000-0x0000000073A02000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1844-38-0x00000000004F0000-0x0000000002242000-memory.dmp

    Filesize

    29.3MB

    Download

  • memory/2132-34-0x0000000077420000-0x00000000775C9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2132-37-0x0000000074E80000-0x0000000074E87000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2132-36-0x0000000077610000-0x00000000776E6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2132-35-0x0000000003230000-0x0000000004F82000-memory.dmp

    Filesize

    29.3MB

    Download

  • memory/2132-33-0x0000000003230000-0x0000000004F82000-memory.dmp

    Filesize

    29.3MB

    Download