Analysis
-
max time kernel
135s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
17-01-2024 11:52
General
-
Target
629151c519ea438d8c8f1123eb71e751.exe
-
Size
3.1MB
-
MD5
629151c519ea438d8c8f1123eb71e751
-
SHA1
5b6c259947cce3501afb81393890157f1d1fb87f
-
SHA256
8b80621cf6ee6cfef0091af3fd0f2c39a92f0c4efe2d6ec9dc5986d519628d07
-
SHA512
8f592cedbc824a6820c0f37de614fd0f00492bcedd20468e5af00e91f3f06fbe0016421aa87a3f7d68512413226f1ae5e5b82ba4feae19f0a6a0b9f5a296be88
-
SSDEEP
98304:XdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8x:XdNB4ianUstYuUR2CSHsVP8x
Malware Config
Extracted
netwire
174.127.99.159:7882
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
May-B
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Extracted
azorult
https://gemateknindoperkasa.co.id/imag/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
NetWire RAT payload 3 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\629151c519ea438d8c8f1123eb71e751.exe"C:\Users\Admin\AppData\Local\Temp\629151c519ea438d8c8f1123eb71e751.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c test.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\test.exetest.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\File.exe"C:\Users\Admin\AppData\Local\Temp\File.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\tmp.exe"C:\Users\Admin\AppData\Roaming\tmp.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe"C:\Users\Admin\AppData\Local\Temp\svhost.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier3⤵
- NTFS ADS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y3⤵
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe"C:\Users\Admin\AppData\Local\Temp\svhost.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier2⤵
- NTFS ADS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y2⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f1⤵
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
310KB
MD50a6bbc1ea01f47f879637d3c5a9fe8fb
SHA111ff92b3e6196604ed34ddd46039cc8cc64b5a14
SHA2567089d548e647457d27c9dd935090a0d7f7702d778676126f1d539faa1c61aa5b
SHA5125964206468ce132db40d6b026089c89e3954a95efbdbf941a261a0081d3c2cc165020e479fcba2022fd01471d7e303f54ca8aaf519d22a7fcb2e9f1165ff283a
-
Filesize
284KB
MD53197d87708566ffa669604c9e87a751a
SHA138e8d88be645b7924aec5bd8c48c1bfabedf22c4
SHA256035818e2e38a2055e1f14aa977cadf9b4372bcc521222a3a51c7b9df6a0ffa64
SHA512f26d413c5d3f819ae078cc2d93ab012a2125f1ee22c3b5ae522bf1df54c8e7ec6881789382e242df07d29f80ff1b0451697cc671293925d23ca4f7109ac31cf7
-
Filesize
165KB
MD5c622163200e94e9d48f755c43c6ac985
SHA1acc5858ab9236a54f4726a490c34ee81bda3af70
SHA25624f9116e48f364905ebce356fb3a3b764d83a09b04f722539a18e9bc21b42f9f
SHA512c2601239cdc9c387cc6b98f3829f238a6db1580f062f49a20a2db7a52ab56b5e3666525cb69de1a85d232c75baee966b9856f7092e13465736186d732f5c7e3d
-
Filesize
385KB
MD5c14d313cef547f4fe25eb1e40d648bca
SHA13d0df1ee27660cd4ebe02a02dfa434b109d50c55
SHA25605ec4c80e408ebbbe4064d2ef9dd5e587db0298212b1ff927a77f440eaaba8d6
SHA51288a6a505970bf33be102713cef020df6626353cfd9ddfe144af910106599d6d1f83723e349b43a6389cc513ee6a0ce52c18cba95fed96ae3b33df2d29a8b1ebe
-
Filesize
337KB
MD54c061e1d122ceba20a66f58db39eb507
SHA15854c8d9d354614adf27c14633bc124e331d3727
SHA256f74508d8401d6844eb4a6d68b2fffc5051445ac032767f6154fb19e73a9cfe4e
SHA51258018a4a2ed2ad573f0a0c94baa348fc3e4e0fc4d16c88131e848107a4dd6a7c74dea38496e7df819182207600be9996d6c441caaf4a7325564958901eba2cc6
-
Filesize
1KB
MD5c9896844255a6e4610e124e2d91d7b87
SHA1fe7b66e833d8576ecf06f547f5aede6089a58cad
SHA2564ad61eb92e20cb4d8a0f06bd40acabd12a38c14a7e26aae2c9e3025f1faf45d7
SHA5127dcbcdf723e4b13688801d169e19fe1c3f623808e2c86ff85f8ea0a2f7704aaef2bd9927c98c2f6f4f257d412fe720ae6b42e8bf279cbb684af0c5b950e2ddfd
-
Filesize
256KB
MD58fdf47e0ff70c40ed3a17014aeea4232
SHA1e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be
-
Filesize
131KB
MD5043740beb2fa186058081bba255affd1
SHA10661d8e98930d49a3c9ff50708b24e7993f216f9
SHA256f610ce98e2f5cb12a36fee337d237e34a7b133a385b567fa6e366f065bca8ab3
SHA51293f0e0278ee71a5fa9dc60021d5d670d12455b22b8a6e6458e56b14aa49e7ed61804d92abd140af7d30f04ced9ab62f871521f52c84ecf4cc3ff67c981ba41cb
-
Filesize
72KB
MD557d978f88e950c145bcbb5f6f09de721
SHA1482980eb6d362cc99033c612feadc0c2d27cc2a0
SHA2561902d1464cee2d8e94775a5d67b2ea8fe8bf558dd1e389e5867dfafd55f43186
SHA5128137c8f4629e293c81bfa570cd35607585bebca26da61771dc505e7bd6b65d0322b56047c2be61a6a5d0ec2ae84d1abf00fde5e2053bf5b558643a83bd5df0c8
-
Filesize
112KB
MD5bae2b04e1160950e570661f55d7cd6f8
SHA1f4abc073a091292547dda85d0ba044cab231c8da
SHA256ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59
SHA5121bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
144KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
368KB
-
Filesize
7.6MB
-
Filesize
7.6MB
-
Filesize
7.6MB
-
Filesize
536KB
-
Filesize
952KB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB