Analysis

  • max time kernel
    117s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-12-2023 09:35

General

  • Target

    14a8c2f67d92486c89eac26af4d2018d.exe

  • Size

    3.1MB

  • MD5

    14a8c2f67d92486c89eac26af4d2018d

  • SHA1

    0e3ac0615936d2f2b371b751ddc60396c134c0b1

  • SHA256

    e561b6430b7eada808e069b7d7eb49c573e1f68007e3c87c4320039a5d599c52

  • SHA512

    55f366abda35de1a6af889543e68bc1a56ed2ddcddab1d29387edd3fb552e14fb2c08cc6ee50f7f58b85ab329bb1173b5590fa7f2d70165e716ef0846b17d86c

  • SSDEEP

    98304:adNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf85:adNB4ianUstYuUR2CSHsVP85

Malware Config

Extracted

Family

azorult

C2

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (6 IoCs)
  • UPX packed file (3 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • NTFS ADS (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\14a8c2f67d92486c89eac26af4d2018d.exe
    "C:\Users\Admin\AppData\Local\Temp\14a8c2f67d92486c89eac26af4d2018d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c test.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Users\Admin\AppData\Local\Temp\test.exe
        test.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1964
        • C:\Users\Admin\AppData\Local\Temp\File.exe
          "C:\Users\Admin\AppData\Local\Temp\File.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2896
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
            5⤵
            PID:2284
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
              5⤵
              • NTFS ADS
              PID:2028
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2996
            • C:\Users\Admin\AppData\Roaming\tmp.exe
              "C:\Users\Admin\AppData\Roaming\tmp.exe"
              5⤵
              • Executes dropped EXE
              PID:3036
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3016
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
            4⤵
            • NTFS ADS
            PID:800
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
            4⤵
            PID:1984
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
        1⤵
        PID:2304
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
          1⤵
          PID:2296


Downloads

  • C:\Users\Admin\AppData\Local\Temp\test.exe

    Filesize

    85KB

    MD5

    e7b1f5d590a48593db5446f3d95de314

    SHA1

    d7dfc0cf91682da7648f26ed68600a0bdf7de186

    SHA256

    482e8dd34456be6d4b9270f1a88ae9777d51629035c9320dfc553cfbe285376d

    SHA512

    f2f324ae9d1e6bbabf75da6e403aabfa1fc3f6c2f4e3998562066b8abab64b4562c231b29a6234ae879e95bf69900db0d97ad62a82a12d7b8c7635fccae05274

  • C:\Users\Admin\AppData\Local\Temp\test.exe

    Filesize

    347KB

    MD5

    27cf55b5cccee67651d9470673d97eea

    SHA1

    5b056f390dcce7126f0c74ad7fac099bda8a0295

    SHA256

    27d092afeba4c1b27df1dade365f78deef789627bc80c7ff7692eab5eb8811c4

    SHA512

    ae27ad3061731226fbcfb2c34255ab265c55e66fafa003cc046c63d21f0b67566232dfa09b2e1754293a0983bde994fb1feebb6ab11fc09898818f4f911e7bd5

  • \Users\Admin\AppData\Local\Temp\test.exe

    Filesize

    92KB

    MD5

    b14a170e8ce123d0c0233ee9b4c8682e

    SHA1

    0a332bd23e108aea4dba88a969d8e5c7af101902

    SHA256

    dc57abd6afc62d9913d160336310909d44cce02dbbd422d22f3477b9ece4c8d9

    SHA512

    69a120d6979e0951180019be6c08add6b39411d379a9fcbbe81fa99da645a32e04efe93c2a75bb9fc15595f237cfa2b7059ab8f4b52e2502432ee04503428f03

  • memory/1716-46-0x0000000000400000-0x0000000000B9E000-memory.dmp

    Filesize

    7.6MB

  • memory/1716-0-0x0000000000400000-0x0000000000B9E000-memory.dmp

    Filesize

    7.6MB

  • memory/1716-50-0x0000000000400000-0x0000000000B9E000-memory.dmp

    Filesize

    7.6MB

  • memory/1964-6-0x0000000074E00000-0x00000000754EE000-memory.dmp

    Filesize

    6.9MB

  • memory/1964-5-0x0000000000F20000-0x000000000100E000-memory.dmp

    Filesize

    952KB

  • memory/1964-7-0x0000000004AE0000-0x0000000004B20000-memory.dmp

    Filesize

    256KB

  • memory/1964-8-0x0000000000E80000-0x0000000000F06000-memory.dmp

    Filesize

    536KB

  • memory/1964-47-0x0000000074E00000-0x00000000754EE000-memory.dmp

    Filesize

    6.9MB

  • memory/2896-16-0x0000000000E00000-0x0000000000E5C000-memory.dmp

    Filesize

    368KB

  • memory/2896-17-0x0000000074E00000-0x00000000754EE000-memory.dmp

    Filesize

    6.9MB

  • memory/2896-19-0x0000000004DF0000-0x0000000004E30000-memory.dmp

    Filesize

    256KB

  • memory/2896-48-0x0000000074E00000-0x00000000754EE000-memory.dmp

    Filesize

    6.9MB

  • memory/2896-18-0x0000000000310000-0x0000000000334000-memory.dmp

    Filesize

    144KB

  • memory/3036-36-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB