Overview

overview

10

Static

static

7

734527aaf0...66.exe

windows7-x64

10

734527aaf0...66.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    26/12/2023, 13:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    734527aaf04fdf03ec81f8886e4f1b66.exe

  • Size

    3.1MB

  • MD5

    734527aaf04fdf03ec81f8886e4f1b66

  • SHA1

    8c2180f02b9494dbff83edf5e4b0e0cffabccb96

  • SHA256

    7d120e6aad230faf1811a9ad8876a124ae27fcafa97ddff4c1a3e7b7a19e5a03

  • SHA512

    ba8d192965a89fd3319e0ed09bdee74876aea67c8d89c8370349bf79520ed84030a557b4c76f6c27091ee4c4136dcf69a4d3851aa52b18ad7318b37c637519a8

  • SSDEEP

    98304:zdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8x:zdNB4ianUstYuUR2CSHsVP8x

Score
10/10
azorultnetwirebotnetinfostealerratstealertrojanupx

Malware Config

Extracted

Family

netwire

C2

174.127.99.159:7882

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    May-B

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

azorult

C2

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • NetWire RAT payload 7 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
        3⤵
        • NTFS ADS
        PID:1664
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1540
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
        3⤵
          PID:2944
        • C:\Users\Admin\AppData\Local\Temp\svhost.exe
          "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
          3⤵
          • Executes dropped EXE
          PID:2828
        • C:\Users\Admin\AppData\Roaming\tmp.exe
          "C:\Users\Admin\AppData\Roaming\tmp.exe"
          3⤵
          • Executes dropped EXE
          PID:2740
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
        2⤵
        • NTFS ADS
        PID:1524
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1680
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
        2⤵
          PID:2020
        • C:\Users\Admin\AppData\Local\Temp\svhost.exe
          "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
          2⤵
          • Executes dropped EXE
          PID:2624
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c test.exe
        1⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2868
      • C:\Users\Admin\AppData\Local\Temp\734527aaf04fdf03ec81f8886e4f1b66.exe
        "C:\Users\Admin\AppData\Local\Temp\734527aaf04fdf03ec81f8886e4f1b66.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2748
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
        1⤵
          PID:1372
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
          1⤵
            PID:2760

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • \Users\Admin\AppData\Local\Temp\test.exe
            Filesize

            382KB

            MD5

            5e3647b8f7bddb2e4662d46d966aeb63

            SHA1

            59ac3f2585fcf6b30604e08ea8935f544df61082

            SHA256

            c84e753ed7dcb9677060462d24928781fb614770d27c3bd43da15a53066df1d6

            SHA512

            ee9e226f8d8dc30990dc66ff53c7d8fb7c55588c460a37accff1d67d4809abf4a7ff00e0f727dd90e2efd2d646b7026007b0b6c7bdd7e776bc9617b3710a4cae

            Download Submit

          • memory/2624-58-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/2624-56-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2624-30-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/2624-67-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/2624-37-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/2624-44-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/2624-48-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/2624-25-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/2624-66-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/2624-39-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/2624-52-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/2740-78-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2748-83-0x0000000000400000-0x0000000000B9D000-memory.dmp

            Filesize

            7.6MB

            Download

          • memory/2748-1-0x0000000000400000-0x0000000000B9D000-memory.dmp

            Filesize

            7.6MB

            Download

          • memory/2748-79-0x0000000000400000-0x0000000000B9D000-memory.dmp

            Filesize

            7.6MB

            Download

          • memory/2820-18-0x0000000074B90000-0x000000007527E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2820-16-0x0000000000D80000-0x0000000000DDC000-memory.dmp

            Filesize

            368KB

            Download

          • memory/2820-82-0x0000000074B90000-0x000000007527E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2820-17-0x0000000000420000-0x0000000000444000-memory.dmp

            Filesize

            144KB

            Download

          • memory/2820-19-0x0000000004CE0000-0x0000000004D20000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2828-43-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2828-60-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2828-51-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2828-54-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2828-45-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2828-65-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2828-47-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2880-7-0x0000000004690000-0x00000000046D0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2880-8-0x00000000046D0000-0x0000000004756000-memory.dmp

            Filesize

            536KB

            Download

          • memory/2880-5-0x0000000000390000-0x000000000047E000-memory.dmp

            Filesize

            952KB

            Download

          • memory/2880-80-0x0000000074B90000-0x000000007527E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2880-6-0x0000000074B90000-0x000000007527E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2880-81-0x0000000074B90000-0x000000007527E000-memory.dmp

            Filesize

            6.9MB

            Download