Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
13-01-2024 00:29
Static task
static1
Behavioral task
behavioral1
Sample
PYMT SUCESSFUL AVIS CREDIT 12012024.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
PYMT SUCESSFUL AVIS CREDIT 12012024.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20231222-en
General
-
Target
PYMT SUCESSFUL AVIS CREDIT 12012024.exe
-
Size
444KB
-
MD5
9352bb54fb680c197ef32e2ebe10e6a5
-
SHA1
34745e30c5435a715a7ca3b81f78883f72bfb90f
-
SHA256
b7ff86b6da28a06ee0de3032320ebb3989eb61467e6d40740cfd082444ed9c06
-
SHA512
3939aa3e87a1c26073ca69db4f5fbc80611188e3c16f8a39ba98389df5e28cd83d04ffbf8928100bb7edeb3119353ed378310d2626c81033cd04e6a1709cca74
-
SSDEEP
12288:xiMZHMlRkB3d9eQNjfDypk8D8lK+3pvGxuqTypR6snVWvHSM:xiMZsrkZnHdbyC8olyuqKRnVWL
Malware Config
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Loads dropped DLL 5 IoCs
Processes:
PYMT SUCESSFUL AVIS CREDIT 12012024.exePYMT SUCESSFUL AVIS CREDIT 12012024.exepid process 4064 PYMT SUCESSFUL AVIS CREDIT 12012024.exe 2164 PYMT SUCESSFUL AVIS CREDIT 12012024.exe 2164 PYMT SUCESSFUL AVIS CREDIT 12012024.exe 2164 PYMT SUCESSFUL AVIS CREDIT 12012024.exe 2164 PYMT SUCESSFUL AVIS CREDIT 12012024.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
PYMT SUCESSFUL AVIS CREDIT 12012024.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook PYMT SUCESSFUL AVIS CREDIT 12012024.exe Key opened \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook PYMT SUCESSFUL AVIS CREDIT 12012024.exe Key opened \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook PYMT SUCESSFUL AVIS CREDIT 12012024.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
PYMT SUCESSFUL AVIS CREDIT 12012024.exepid process 2164 PYMT SUCESSFUL AVIS CREDIT 12012024.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
PYMT SUCESSFUL AVIS CREDIT 12012024.exePYMT SUCESSFUL AVIS CREDIT 12012024.exepid process 4064 PYMT SUCESSFUL AVIS CREDIT 12012024.exe 2164 PYMT SUCESSFUL AVIS CREDIT 12012024.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
PYMT SUCESSFUL AVIS CREDIT 12012024.exedescription pid process target process PID 4064 set thread context of 2164 4064 PYMT SUCESSFUL AVIS CREDIT 12012024.exe PYMT SUCESSFUL AVIS CREDIT 12012024.exe -
Drops file in Program Files directory 1 IoCs
Processes:
PYMT SUCESSFUL AVIS CREDIT 12012024.exedescription ioc process File opened for modification C:\Program Files (x86)\elvtedelen\calamined.hat PYMT SUCESSFUL AVIS CREDIT 12012024.exe -
Drops file in Windows directory 1 IoCs
Processes:
PYMT SUCESSFUL AVIS CREDIT 12012024.exedescription ioc process File opened for modification C:\Windows\Fonts\snibbed\Voss.fre PYMT SUCESSFUL AVIS CREDIT 12012024.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 440 2164 WerFault.exe PYMT SUCESSFUL AVIS CREDIT 12012024.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
PYMT SUCESSFUL AVIS CREDIT 12012024.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 PYMT SUCESSFUL AVIS CREDIT 12012024.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString PYMT SUCESSFUL AVIS CREDIT 12012024.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
PYMT SUCESSFUL AVIS CREDIT 12012024.exepid process 2164 PYMT SUCESSFUL AVIS CREDIT 12012024.exe 2164 PYMT SUCESSFUL AVIS CREDIT 12012024.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
PYMT SUCESSFUL AVIS CREDIT 12012024.exepid process 4064 PYMT SUCESSFUL AVIS CREDIT 12012024.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
PYMT SUCESSFUL AVIS CREDIT 12012024.exedescription pid process target process PID 4064 wrote to memory of 2164 4064 PYMT SUCESSFUL AVIS CREDIT 12012024.exe PYMT SUCESSFUL AVIS CREDIT 12012024.exe PID 4064 wrote to memory of 2164 4064 PYMT SUCESSFUL AVIS CREDIT 12012024.exe PYMT SUCESSFUL AVIS CREDIT 12012024.exe PID 4064 wrote to memory of 2164 4064 PYMT SUCESSFUL AVIS CREDIT 12012024.exe PYMT SUCESSFUL AVIS CREDIT 12012024.exe PID 4064 wrote to memory of 2164 4064 PYMT SUCESSFUL AVIS CREDIT 12012024.exe PYMT SUCESSFUL AVIS CREDIT 12012024.exe PID 4064 wrote to memory of 2164 4064 PYMT SUCESSFUL AVIS CREDIT 12012024.exe PYMT SUCESSFUL AVIS CREDIT 12012024.exe PID 4064 wrote to memory of 2164 4064 PYMT SUCESSFUL AVIS CREDIT 12012024.exe PYMT SUCESSFUL AVIS CREDIT 12012024.exe -
outlook_office_path 1 IoCs
Processes:
PYMT SUCESSFUL AVIS CREDIT 12012024.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook PYMT SUCESSFUL AVIS CREDIT 12012024.exe -
outlook_win_path 1 IoCs
Processes:
PYMT SUCESSFUL AVIS CREDIT 12012024.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook PYMT SUCESSFUL AVIS CREDIT 12012024.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PYMT SUCESSFUL AVIS CREDIT 12012024.exe"C:\Users\Admin\AppData\Local\Temp\PYMT SUCESSFUL AVIS CREDIT 12012024.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Users\Admin\AppData\Local\Temp\PYMT SUCESSFUL AVIS CREDIT 12012024.exe"C:\Users\Admin\AppData\Local\Temp\PYMT SUCESSFUL AVIS CREDIT 12012024.exe"2⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:2164 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 18483⤵
- Program crash
PID:440
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2164 -ip 21641⤵PID:1144
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
135KB
MD59e682f1eb98a9d41468fc3e50f907635
SHA185e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
-
Filesize
381KB
MD594510b973433b30c7bc41ebbee806e8a
SHA124467a50a4d44246a60a48f2f49e84dd1f98119e
SHA2568e533a2c1429150c1101747213403179768b424cf059b65fb05aa5da196a60a5
SHA5121850b716a9e1a446e11f91e1415c0919e2396db247969ab1f53fccd638e395c9101455cb98b23bdea8560348a785a21c70ac5eeef51ac4f327e2398524b7eca4
-
Filesize
1.2MB
MD5556ea09421a0f74d31c4c0a89a70dc23
SHA1f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA5122481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
-
Filesize
81KB
MD57587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
Filesize
12KB
MD5d968cb2b98b83c03a9f02dd9b8df97dc
SHA1d784c9b7a92dce58a5038beb62a48ff509e166a0
SHA256a4ec98011ef99e595912718c1a1bf1aa67bfc2192575729d42f559d01f67b95c
SHA5122ee41dc68f329a1519a8073ece7d746c9f3bf45d8ef3b915deb376af37e26074134af5f83c8af0fe0ab227f0d1acca9f37e5ca7ae37c46c3bcc0331fe5e2b97e