Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 12-01-2024 19:56
Static task: static1
Behavioral task: behavioral1
  Sample: DOCS-1600017889PO400121-2024.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: DOCS-1600017889PO400121-2024.exe
  Resource: win10v2004-20231222-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/System.dll
  Resource: win7-20231215-en
Behavioral task: behavioral4
  Sample: $PLUGINSDIR/System.dll
  Resource: win10v2004-20231215-en
General
- Target: DOCS-1600017889PO400121-2024.exe
- Size: 439KB
- MD5: e701d67db9d3705ede459a111ccf89c6
- SHA1: f08495fb38e4be8bf6bc445bf7296791d6c4db81
- SHA256: 4e77b03fc9937ac68121e3121cf062ba0994ba4aa06d2ccde468ce2a91cda61f
- SHA512: eec6c54dda15ed582985ff875a091e1b09da7f1965b4fd9febf2eaa4701b73acf671b9a4226c3cd7c725c5eeaab91d144209f0fc12efc35d5e6d3673ccee1869
- SSDEEP: 12288:EiMpilGo/x8uusxz4Yypk8D8lK+3pvGxuqTypR6snVWvHSb:EiMSGo/x8uus2YyC8olyuqKRnVWu
Malware Config
Signatures
- Azorult
  An information stealer, first discovered in 2016, that targets browsing history and passwords.
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Deletes itself (1 IoC)
  Processes (pid | process):
    1404 | cmd.exe
- Loads dropped DLL (17 IoCs)
  Processes (pid | process):
    2196 | DOCS-1600017889PO400121-2024.exe
    2076 | DOCS-1600017889PO400121-2024.exe (16 entries)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | DOCS-1600017889PO400121-2024.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | DOCS-1600017889PO400121-2024.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | DOCS-1600017889PO400121-2024.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  Processes (pid | process):
    2076 | DOCS-1600017889PO400121-2024.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid | process):
    2196 | DOCS-1600017889PO400121-2024.exe
    2076 | DOCS-1600017889PO400121-2024.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 2196 set thread context of 2076 | 2196 | DOCS-1600017889PO400121-2024.exe | DOCS-1600017889PO400121-2024.exe
- Drops file in Program Files directory (1 IoC)
  Processes (description | ioc | process):
    File opened for modification | C:\Program Files (x86)\elvtedelen\calamined.hat | DOCS-1600017889PO400121-2024.exe
- Drops file in Windows directory (1 IoC)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\Fonts\snibbed\Voss.fre | DOCS-1600017889PO400121-2024.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | DOCS-1600017889PO400121-2024.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | DOCS-1600017889PO400121-2024.exe
- Delays execution with timeout.exe (1 IoC)
  Processes (pid | process):
    2244 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid | process):
    2076 | DOCS-1600017889PO400121-2024.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid | process):
    2196 | DOCS-1600017889PO400121-2024.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description | pid | process | target process):
    PID 2196 wrote to memory of 2076 | 2196 | DOCS-1600017889PO400121-2024.exe | DOCS-1600017889PO400121-2024.exe (7 entries)
    PID 2076 wrote to memory of 1404 | 2076 | DOCS-1600017889PO400121-2024.exe | cmd.exe (4 entries)
    PID 1404 wrote to memory of 2244 | 1404 | cmd.exe | timeout.exe (4 entries)
- outlook_office_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | DOCS-1600017889PO400121-2024.exe
- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | DOCS-1600017889PO400121-2024.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DOCS-1600017889PO400121-2024.exe (PID 2196, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DOCS-1600017889PO400121-2024.exe"
  Signatures:
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DOCS-1600017889PO400121-2024.exe (PID 2076, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DOCS-1600017889PO400121-2024.exe"
    Signatures:
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
    - C:\Windows\SysWOW64\cmd.exe (PID 1404, level 3)
      Command line: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "DOCS-1600017889PO400121-2024.exe"
      Signatures:
        - Deletes itself
        - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe (PID 2244, level 4)
        Command line: C:\Windows\system32\timeout.exe 3
        Signatures:
          - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads