Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 17-01-2024 11:52
Behavioral task: behavioral1
- Sample: 629151c519ea438d8c8f1123eb71e751.exe
- Resource: win7-20231215-en
General
- Target: 629151c519ea438d8c8f1123eb71e751.exe
- Size: 3.1MB
- MD5: 629151c519ea438d8c8f1123eb71e751
- SHA1: 5b6c259947cce3501afb81393890157f1d1fb87f
- SHA256: 8b80621cf6ee6cfef0091af3fd0f2c39a92f0c4efe2d6ec9dc5986d519628d07
- SHA512: 8f592cedbc824a6820c0f37de614fd0f00492bcedd20468e5af00e91f3f06fbe0016421aa87a3f7d68512413226f1ae5e5b82ba4feae19f0a6a0b9f5a296be88
- SSDEEP: 98304:XdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8x:XdNB4ianUstYuUR2CSHsVP8x
Malware Config
- Extracted family: azorult
- Extracted URL: https://gemateknindoperkasa.co.id/imag/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 2736 test.exe
  - PID 2728 File.exe
  - PID 2692 tmp.exe
- Loads dropped DLL (6 IoCs)
  Processes:
  - PID 3068 cmd.exe
  - PID 2736 test.exe
  - PID 2728 File.exe
  - PID 2728 File.exe
  - PID 2736 test.exe
  - PID 2728 File.exe
- Memory resources matching a YARA rule
  Resource / YARA rule:
  - behavioral1/memory/2400-1-0x0000000000400000-0x0000000000B9D000-memory.dmp: upx
  - behavioral1/memory/2400-46-0x0000000000400000-0x0000000000B9D000-memory.dmp: upx
  - behavioral1/memory/2400-49-0x0000000000400000-0x0000000000B9D000-memory.dmp: upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- NTFS ADS (2 IoCs)
  Processes:
  - File created: C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier (cmd.exe)
  - File opened for modification: C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier (cmd.exe)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
  - PID 2736 test.exe
  - PID 2728 File.exe
  - PID 2736 test.exe
  - PID 2728 File.exe
  - PID 2736 test.exe
  - PID 2728 File.exe
  - PID 2736 test.exe
  - PID 2728 File.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 2736 test.exe
  - Token: SeDebugPrivilege, PID 2728 File.exe
- Suspicious use of WriteProcessMemory (54 IoCs)
  Processes (source PID wrote to memory of target PID: source process -> target process, number of records):
  - PID 2400 wrote to memory of 3068: 629151c519ea438d8c8f1123eb71e751.exe -> cmd.exe (4 records)
  - PID 3068 wrote to memory of 2736: cmd.exe -> test.exe (7 records)
  - PID 2736 wrote to memory of 2728: test.exe -> File.exe (7 records)
  - PID 2728 wrote to memory of 2692: File.exe -> tmp.exe (4 records)
  - PID 2736 wrote to memory of 2560: test.exe -> cmd.exe (4 records)
  - PID 2736 wrote to memory of 2952: test.exe -> cmd.exe (4 records)
  - PID 2728 wrote to memory of 1440: File.exe -> cmd.exe (4 records)
  - PID 2952 wrote to memory of 1532: cmd.exe -> reg.exe (4 records)
  - PID 2728 wrote to memory of 1252: File.exe -> cmd.exe (4 records)
  - PID 1252 wrote to memory of 2760: cmd.exe -> reg.exe (4 records)
  - PID 2736 wrote to memory of 296: test.exe -> cmd.exe (4 records)
  - PID 2728 wrote to memory of 2448: File.exe -> cmd.exe (4 records)
Processes (tree; [n] is the process depth as shown in the report)
- [1] C:\Users\Admin\AppData\Local\Temp\629151c519ea438d8c8f1123eb71e751.exe (PID 2400)
      Command line: "C:\Users\Admin\AppData\Local\Temp\629151c519ea438d8c8f1123eb71e751.exe"
      Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 3068)
        Command line: C:\Windows\system32\cmd.exe /c test.exe
        Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\test.exe (PID 2736)
          Command line: test.exe
          Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\File.exe (PID 2728)
            Command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
            Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\cmd.exe (PID 2448)
              Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
              Signatures: NTFS ADS
        - [5] C:\Windows\SysWOW64\cmd.exe (PID 1252)
              Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
              Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\cmd.exe (PID 1440)
              Command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
        - [5] C:\Users\Admin\AppData\Roaming\tmp.exe (PID 2692)
              Command line: "C:\Users\Admin\AppData\Roaming\tmp.exe"
              Signatures: Executes dropped EXE
      - [4] C:\Windows\SysWOW64\cmd.exe (PID 2952)
            Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
            Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\reg.exe (PID 1532)
              Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
      - [4] C:\Windows\SysWOW64\cmd.exe (PID 296)
            Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
            Signatures: NTFS ADS
      - [4] C:\Windows\SysWOW64\cmd.exe (PID 2560)
            Command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
- [1] C:\Windows\SysWOW64\reg.exe (PID 2760)
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
Network
MITRE ATT&CK Enterprise v15
Downloads