Overview

overview

10

Static

static

7

54032544a9...ee.exe

windows7-x64

10

54032544a9...ee.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2024 16:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54032544a980d08bd975132873c52dee.exe

  • Size

    3.1MB

  • MD5

    54032544a980d08bd975132873c52dee

  • SHA1

    7d7fc5587816b1d1669068dc9286b220f4d21e45

  • SHA256

    739a134a3d71b82e09236c25ebe711824150ab07e5e2260cbdc1b9bca48bf5cc

  • SHA512

    6ebd88cdbd96832642cef9f72781fb8b3a6e641303281906dd5269044aa77c49a8c6aabd64c4f7c69d939c201c71c2b80448cae127a11ba74d39b67d8205f8ef

  • SSDEEP

    98304:QdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8l:QdNB4ianUstYuUR2CSHsVP8l

Score
10/10
azorultnetwirebotnetinfostealerratstealertrojanupx

Malware Config

Extracted

Family

netwire

C2

174.127.99.159:7882

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    May-B

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

azorult

C2

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54032544a980d08bd975132873c52dee.exe
    "C:\Users\Admin\AppData\Local\Temp\54032544a980d08bd975132873c52dee.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4836
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c test.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\test.exe
        test.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:384
        • C:\Users\Admin\AppData\Local\Temp\File.exe
          "C:\Users\Admin\AppData\Local\Temp\File.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:952
          • C:\Users\Admin\AppData\Roaming\tmp.exe
            "C:\Users\Admin\AppData\Roaming\tmp.exe"
            5⤵
            • Executes dropped EXE
            PID:588
          • C:\Users\Admin\AppData\Local\Temp\svhost.exe
            "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
            5⤵
            • Executes dropped EXE
            PID:844
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
            5⤵
              PID:4792
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4352
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
                6⤵
                  PID:3992
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
                5⤵
                • NTFS ADS
                PID:3620
            • C:\Users\Admin\AppData\Local\Temp\svhost.exe
              "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
              4⤵
              • Executes dropped EXE
              PID:1636
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
              4⤵
                PID:4344
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3984
                • C:\Windows\SysWOW64\reg.exe
                  reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
                  5⤵
                    PID:4772
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
                  4⤵
                  • NTFS ADS
                  PID:4504

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\File.exe
            Filesize

            342KB

            MD5

            37c82e15058e2f8f5e9525b956e6440d

            SHA1

            3bf20d00bd7a7943c4066d534f5b276cac5ae39f

            SHA256

            80c4716318f874881151c78c4dce9a0a01be4294834f33ee7f12a8a34bb8b2b7

            SHA512

            5c9c37a13cac634771ae18736845b8e7c1a33fd8c6c9ae564f6863b5033a68565f0fd3da555d15870bbc547cc549153c096c44f2d7ced828baffdcfa8641da0a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\svhost.exe
            Filesize

            2.5MB

            MD5

            634d751508999683ba8b0e0836849f74

            SHA1

            d19a0a3896481cf9bfc3da3281ec5df0dc8c049d

            SHA256

            fb9560c3f88eedf5d20657b84e9568ea916e84ce26c31ac213eb30c0796a1930

            SHA512

            a04f351d830d2bce098763a8c961320dbd32db58ac3c5beaa08f14da3f50a0b8cb72e505cda485fa1168db7da64bca80f8643a8e082498e423e1692dddec80fe

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\svhost.exe
            Filesize

            2.5MB

            MD5

            0a7608db01cae07792cea95e792aa866

            SHA1

            71dff876e4d5edb6cea78fee7aa15845d4950e24

            SHA256

            c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e

            SHA512

            990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\svhost.exe
            Filesize

            2.3MB

            MD5

            90a38fbd086a9d579a5a5803d96e584e

            SHA1

            adf251ca62535f6265456f4c35274795750fa0bb

            SHA256

            a4fc8e60c685f85cb5069b8153364e98a5780c78a572eb9f6f5a2a6cee24132a

            SHA512

            ad445fa9bec1853e50196902f97ef9ff0068d63e585e4f4f88ecef4bf7b557eef236e1a91c3bba37b289a9aa248c6cde19d46e71289cf17129249fef4d42e777

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\test.exe
            Filesize

            931KB

            MD5

            836cda1d8a9718485cc9f9653530c2d9

            SHA1

            fca85ff9aa624547d9a315962d82388c300edac1

            SHA256

            d3793a581da66ef5840648574ce364846e7c68a559c0f5e49faf9e4892ecdc72

            SHA512

            07ca078d79f622706d08a534f6b5e2c896152fb0d0e452781fa6be5dc90028fdf074b3b78acac438f2acf5b3f5522e70afb7db4551874a3083860213e2790481

            Download Submit

          • C:\Users\Admin\AppData\Roaming\tmp.exe
            Filesize

            112KB

            MD5

            bae2b04e1160950e570661f55d7cd6f8

            SHA1

            f4abc073a091292547dda85d0ba044cab231c8da

            SHA256

            ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59

            SHA512

            1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6

            Download Submit

          • memory/384-10-0x00000000053D0000-0x0000000005456000-memory.dmp

            Filesize

            536KB

            Download

          • memory/384-7-0x0000000000950000-0x0000000000A3E000-memory.dmp

            Filesize

            952KB

            Download

          • memory/384-9-0x0000000005470000-0x0000000005480000-memory.dmp

            Filesize

            64KB

            Download

          • memory/384-67-0x0000000074E00000-0x00000000755B0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/384-50-0x0000000005470000-0x0000000005480000-memory.dmp

            Filesize

            64KB

            Download

          • memory/384-5-0x0000000074E00000-0x00000000755B0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/384-28-0x0000000074E00000-0x00000000755B0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/384-8-0x0000000005480000-0x000000000551C000-memory.dmp

            Filesize

            624KB

            Download

          • memory/588-53-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/844-41-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/844-49-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/844-51-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/952-61-0x0000000074E00000-0x00000000755B0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/952-26-0x0000000005590000-0x00000000055B4000-memory.dmp

            Filesize

            144KB

            Download

          • memory/952-25-0x0000000005790000-0x00000000057A0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/952-24-0x0000000074E00000-0x00000000755B0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/952-63-0x0000000005790000-0x00000000057A0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/952-23-0x0000000000D00000-0x0000000000D5C000-memory.dmp

            Filesize

            368KB

            Download

          • memory/952-66-0x0000000074E00000-0x00000000755B0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1636-52-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/1636-43-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/1636-69-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/4836-0-0x0000000000400000-0x0000000000B9D000-memory.dmp

            Filesize

            7.6MB

            Download

          • memory/4836-6-0x0000000000400000-0x0000000000B9D000-memory.dmp

            Filesize

            7.6MB

            Download

          • memory/4836-68-0x0000000000400000-0x0000000000B9D000-memory.dmp

            Filesize

            7.6MB

            Download