bd76d7476935996fb5d4fdd6782675c5d7c872533b7f024ac6e4e1b0f3dc031a

General

Target

1f6a82e4863210782bdd19c1b84e2d88.exe
Size

400KB
MD5

1f6a82e4863210782bdd19c1b84e2d88
SHA1

2817db55b0ef87efdef00ccc217f1949fbd985a9
SHA256

bd76d7476935996fb5d4fdd6782675c5d7c872533b7f024ac6e4e1b0f3dc031a
SHA512

690cb2bc1d968f3c00ac8e51c0cd97f88191ba55e02fd6d70675d31238e419154c64d1320aef6dfd71508c4572405951430b3bb0a5d93d792d6314c8ea72cd03
SSDEEP

12288:nV5FZPZutwhz6vRgAaGQvpRpR5gC5Zo+GrgoRFB4YXRSDD:nv6Jal7lNARB4

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2236 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

azastczgr.exe

pid process

2268 azastczgr.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exeazastczgr.exe

pid process

2236 cmd.exe
2236 cmd.exe
2268 azastczgr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3012 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2548 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 3012 taskkill.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

azastczgr.exe

pid process

2268 azastczgr.exe
2268 azastczgr.exe
2268 azastczgr.exe
2268 azastczgr.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

azastczgr.exe

pid process

2268 azastczgr.exe
2268 azastczgr.exe
2268 azastczgr.exe
2268 azastczgr.exe

pid	process
2236	cmd.exe

pid	process
2268	azastczgr.exe

pid	process
2236	cmd.exe
2236	cmd.exe
2268	azastczgr.exe

pid	process
3012	taskkill.exe

pid	process
2548	PING.EXE

description	pid	process
Token: SeDebugPrivilege	3012	taskkill.exe

pid	process
2268	azastczgr.exe
2268	azastczgr.exe
2268	azastczgr.exe
2268	azastczgr.exe

pid	process
2268	azastczgr.exe
2268	azastczgr.exe
2268	azastczgr.exe
2268	azastczgr.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

1f6a82e4863210782bdd19c1b84e2d88.execmd.exe

description	pid	process	target process
PID 2356 wrote to memory of 2236	2356	1f6a82e4863210782bdd19c1b84e2d88.exe	cmd.exe
PID 2356 wrote to memory of 2236	2356	1f6a82e4863210782bdd19c1b84e2d88.exe	cmd.exe
PID 2356 wrote to memory of 2236	2356	1f6a82e4863210782bdd19c1b84e2d88.exe	cmd.exe
PID 2356 wrote to memory of 2236	2356	1f6a82e4863210782bdd19c1b84e2d88.exe	cmd.exe
PID 2236 wrote to memory of 3012	2236	cmd.exe	taskkill.exe
PID 2236 wrote to memory of 3012	2236	cmd.exe	taskkill.exe
PID 2236 wrote to memory of 3012	2236	cmd.exe	taskkill.exe
PID 2236 wrote to memory of 3012	2236	cmd.exe	taskkill.exe
PID 2236 wrote to memory of 2548	2236	cmd.exe	PING.EXE
PID 2236 wrote to memory of 2548	2236	cmd.exe	PING.EXE
PID 2236 wrote to memory of 2548	2236	cmd.exe	PING.EXE
PID 2236 wrote to memory of 2548	2236	cmd.exe	PING.EXE
PID 2236 wrote to memory of 2268	2236	cmd.exe	azastczgr.exe
PID 2236 wrote to memory of 2268	2236	cmd.exe	azastczgr.exe
PID 2236 wrote to memory of 2268	2236	cmd.exe	azastczgr.exe
PID 2236 wrote to memory of 2268	2236	cmd.exe	azastczgr.exe

C:\Users\Admin\AppData\Local\Temp\1f6a82e4863210782bdd19c1b84e2d88.exe
"C:\Users\Admin\AppData\Local\Temp\1f6a82e4863210782bdd19c1b84e2d88.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 2356 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1f6a82e4863210782bdd19c1b84e2d88.exe" & start C:\Users\Admin\AppData\Local\AZASTC~1.EXE -f
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Local\azastczgr.exe
C:\Users\Admin\AppData\Local\AZASTC~1.EXE -f
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2268

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 2356
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.1
1⤵
- Runs ping.exe
PID:2548

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\azastczgr.exe
Filesize
195KB

MD5
c3d66607a2d155d7ba7075dc0180b8be

SHA1
005946f435c0f8b7b880957348faf9e8cee4e9ef

SHA256
5f7dfbdfef30e453be7a30680121cb03bf8edb087f3cc45c9a20d03512b9fdea

SHA512
16cf2c5bd36c114fee67218e75e5d3cc9bf552f1bea3d0fb45c0945853aed46675b18387121e3e85326d7f3cba3ba50027375c1e5ec63625b698378f1886124f

Download Submit
C:\Users\Admin\AppData\Local\azastczgr.exe
Filesize
161KB

MD5
2321e5108eca6a82024608acfc970124

SHA1
3d3f26ae133ff8e11e2824acab64f5cbcc59e9b2

SHA256
94eb7852412b1decc5749d239da5b0a4c8160dfec8637f3b9a7084e718338ff4

SHA512
f95ca0c581626373edfbf80541add02e20b98833ba481f164a9e1051c520e1554752c9783e490c14ed9d38904a7fe01f1c740dc877c878d84c0179e7546a51bc

Download Submit
\Users\Admin\AppData\Local\azastczgr.exe
Filesize
208KB

MD5
4c6ebe2d550d032212b96005ffefc0b6

SHA1
4780f56a7fe657a4ad089a3d2134039fbc18136e

SHA256
6cf72d063c76c8743bd87967567362aeb0a90146a119bac1e1373abfb4c81420

SHA512
57344f5f870a1eb66497d8da5d461468293354dc8dd5f9e41f0a019a630ff2d7c794206cb0bb7f5bcdfda2c3c44fa8c44459c1397125eafa1cefe05437bff4b5

Download Submit
\Users\Admin\AppData\Local\azastczgr.exe
Filesize
201KB

MD5
6099b4fcfa06a694ce6cc3fb4da33189

SHA1
b4d5b3fd03c779cb3913a4ad686e932ee65a940f

SHA256
049a2cdb9ce4e374e8baf30ebb9291f32d00803a9af1bb90b45ea7490a9e42e5

SHA512
e5bafe940b414ec382deb1c813e5504d6395e1e8a59199d57a6645dff7b128dc80300445d6a50e6d747f6cf84860d0f4fa164b1382b81afc85f4445a07206944

Download Submit
\Users\Admin\AppData\Local\azastczgr.exe
Filesize
177KB

MD5
48f2ecfdb7f3daba2643ce2b24e8e737

SHA1
078a65c74e39461b822468ebaf5e99aa23fb5a8e

SHA256
56ebd945bdbb9593e74439d4acceed473fb3c0f0e94b2de5990a89432eb6a24b

SHA512
3e108ce6b5c915318e15f341542d1d6c814b6e83027868c0b07d2e109d72899cd1729638838a927ac244966bcf624d7ca4ef6a6691a45ce2df34a8185594e263

Download Submit
memory/2268-15-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2268-14-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2268-9-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2268-20-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2268-10-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/2268-19-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2268-18-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2268-13-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2268-12-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2268-17-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2268-16-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2356-0-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2356-1-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download
memory/2356-2-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2356-4-0x0000000001000000-0x00000000010CB000-memory.dmp

Filesize
812KB

Download

Analysis

Sharing