Analysis
- max time kernel: 135s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-01-2024 11:52

Behavioral task: behavioral1
Sample: 629151c519ea438d8c8f1123eb71e751.exe
Resource: win7-20231215-en
General
- Target: 629151c519ea438d8c8f1123eb71e751.exe
- Size: 3.1MB
- MD5: 629151c519ea438d8c8f1123eb71e751
- SHA1: 5b6c259947cce3501afb81393890157f1d1fb87f
- SHA256: 8b80621cf6ee6cfef0091af3fd0f2c39a92f0c4efe2d6ec9dc5986d519628d07
- SHA512: 8f592cedbc824a6820c0f37de614fd0f00492bcedd20468e5af00e91f3f06fbe0016421aa87a3f7d68512413226f1ae5e5b82ba4feae19f0a6a0b9f5a296be88
- SSDEEP: 98304:XdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8x:XdNB4ianUstYuUR2CSHsVP8x
Malware Config
Extracted: netwire
174.127.99.159:7882
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: May-B
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: Password
- registry_autorun: false
- use_mutex: false

Extracted: azorult
https://gemateknindoperkasa.co.id/imag/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- NetWire RAT payload 3 IoCs
  Processes:
  resource | yara_rule
  behavioral2/memory/1444-30-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral2/memory/1444-36-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
  behavioral2/memory/1444-27-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
- Checks computer location settings 2 TTPs 2 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | test.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | File.exe
- Executes dropped EXE 5 IoCs
  Processes:
  pid | process
  4536 | test.exe
  3932 | File.exe
  1444 | svhost.exe
  684 | tmp.exe
  744 | svhost.exe
- Processes:
  resource | yara_rule
  behavioral2/memory/3960-0-0x0000000000400000-0x0000000000B9D000-memory.dmp | upx
  behavioral2/memory/3960-56-0x0000000000400000-0x0000000000B9D000-memory.dmp | upx
  behavioral2/memory/3960-62-0x0000000000400000-0x0000000000B9D000-memory.dmp | upx
- Suspicious use of SetThreadContext 2 IoCs
  Processes:
  description | pid | process | target process
  PID 4536 set thread context of 1444 | 4536 | test.exe | svhost.exe
  PID 3932 set thread context of 744 | 3932 | File.exe | svhost.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- NTFS ADS 2 IoCs
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | cmd.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | cmd.exe
- Suspicious behavior: EnumeratesProcesses 10 IoCs
  Processes:
  pid | process
  4536 | test.exe
  3932 | File.exe
  4536 | test.exe
  4536 | test.exe
  3932 | File.exe
  3932 | File.exe
  4536 | test.exe
  3932 | File.exe
  4536 | test.exe
  3932 | File.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4536 | test.exe
  Token: SeDebugPrivilege | 3932 | File.exe
- Suspicious use of WriteProcessMemory 56 IoCs
  Processes:
  description | pid | process | target process
  PID 3960 wrote to memory of 2168 | 3960 | 629151c519ea438d8c8f1123eb71e751.exe | cmd.exe
  PID 3960 wrote to memory of 2168 | 3960 | 629151c519ea438d8c8f1123eb71e751.exe | cmd.exe
  PID 3960 wrote to memory of 2168 | 3960 | 629151c519ea438d8c8f1123eb71e751.exe | cmd.exe
  PID 2168 wrote to memory of 4536 | 2168 | cmd.exe | test.exe
  PID 2168 wrote to memory of 4536 | 2168 | cmd.exe | test.exe
  PID 2168 wrote to memory of 4536 | 2168 | cmd.exe | test.exe
  PID 4536 wrote to memory of 3932 | 4536 | test.exe | File.exe
  PID 4536 wrote to memory of 3932 | 4536 | test.exe | File.exe
  PID 4536 wrote to memory of 3932 | 4536 | test.exe | File.exe
  PID 4536 wrote to memory of 1444 | 4536 | test.exe | svhost.exe
  PID 4536 wrote to memory of 1444 | 4536 | test.exe | svhost.exe
  PID 4536 wrote to memory of 1444 | 4536 | test.exe | svhost.exe
  PID 4536 wrote to memory of 1444 | 4536 | test.exe | svhost.exe
  PID 4536 wrote to memory of 1444 | 4536 | test.exe | svhost.exe
  PID 4536 wrote to memory of 1444 | 4536 | test.exe | svhost.exe
  PID 4536 wrote to memory of 1444 | 4536 | test.exe | svhost.exe
  PID 4536 wrote to memory of 1444 | 4536 | test.exe | svhost.exe
  PID 4536 wrote to memory of 1444 | 4536 | test.exe | svhost.exe
  PID 4536 wrote to memory of 1444 | 4536 | test.exe | svhost.exe
  PID 4536 wrote to memory of 1444 | 4536 | test.exe | svhost.exe
  PID 3932 wrote to memory of 684 | 3932 | File.exe | tmp.exe
  PID 3932 wrote to memory of 684 | 3932 | File.exe | tmp.exe
  PID 3932 wrote to memory of 684 | 3932 | File.exe | tmp.exe
  PID 4536 wrote to memory of 1012 | 4536 | test.exe | cmd.exe
  PID 4536 wrote to memory of 1012 | 4536 | test.exe | cmd.exe
  PID 4536 wrote to memory of 1012 | 4536 | test.exe | cmd.exe
  PID 3932 wrote to memory of 744 | 3932 | File.exe | svhost.exe
  PID 3932 wrote to memory of 744 | 3932 | File.exe | svhost.exe
  PID 3932 wrote to memory of 744 | 3932 | File.exe | svhost.exe
  PID 3932 wrote to memory of 744 | 3932 | File.exe | svhost.exe
  PID 3932 wrote to memory of 744 | 3932 | File.exe | svhost.exe
  PID 3932 wrote to memory of 744 | 3932 | File.exe | svhost.exe
  PID 3932 wrote to memory of 744 | 3932 | File.exe | svhost.exe
  PID 3932 wrote to memory of 744 | 3932 | File.exe | svhost.exe
  PID 3932 wrote to memory of 744 | 3932 | File.exe | svhost.exe
  PID 4536 wrote to memory of 3136 | 4536 | test.exe | cmd.exe
  PID 4536 wrote to memory of 3136 | 4536 | test.exe | cmd.exe
  PID 4536 wrote to memory of 3136 | 4536 | test.exe | cmd.exe
  PID 3136 wrote to memory of 1996 | 3136 | cmd.exe | reg.exe
  PID 3136 wrote to memory of 1996 | 3136 | cmd.exe | reg.exe
  PID 3136 wrote to memory of 1996 | 3136 | cmd.exe | reg.exe
  PID 4536 wrote to memory of 3180 | 4536 | test.exe | cmd.exe
  PID 4536 wrote to memory of 3180 | 4536 | test.exe | cmd.exe
  PID 4536 wrote to memory of 3180 | 4536 | test.exe | cmd.exe
  PID 3932 wrote to memory of 2496 | 3932 | File.exe | cmd.exe
  PID 3932 wrote to memory of 2496 | 3932 | File.exe | cmd.exe
  PID 3932 wrote to memory of 2496 | 3932 | File.exe | cmd.exe
  PID 3932 wrote to memory of 3652 | 3932 | File.exe | cmd.exe
  PID 3932 wrote to memory of 3652 | 3932 | File.exe | cmd.exe
  PID 3932 wrote to memory of 3652 | 3932 | File.exe | cmd.exe
  PID 3652 wrote to memory of 8 | 3652 | cmd.exe | reg.exe
  PID 3652 wrote to memory of 8 | 3652 | cmd.exe | reg.exe
  PID 3652 wrote to memory of 8 | 3652 | cmd.exe | reg.exe
  PID 3932 wrote to memory of 836 | 3932 | File.exe | cmd.exe
  PID 3932 wrote to memory of 836 | 3932 | File.exe | cmd.exe
  PID 3932 wrote to memory of 836 | 3932 | File.exe | cmd.exe
Processes
C:\Users\Admin\AppData\Local\Temp\629151c519ea438d8c8f1123eb71e751.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\629151c519ea438d8c8f1123eb71e751.exe"
  PID: 3960
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c test.exe
      PID: 2168
      - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\test.exe
  Command line: test.exe
  PID: 4536
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\File.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
      PID: 3932
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\tmp.exe
          Command line: "C:\Users\Admin\AppData\Roaming\tmp.exe"
          PID: 684
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\svhost.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
          PID: 744
          - Executes dropped EXE
        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
          PID: 836
          - NTFS ADS
        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
          PID: 3652
          - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
          PID: 2496
    C:\Users\Admin\AppData\Local\Temp\svhost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      PID: 1444
      - Executes dropped EXE
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
      PID: 3180
      - NTFS ADS
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
      PID: 3136
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
      PID: 1012

C:\Windows\SysWOW64\reg.exe
  Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
  PID: 8

C:\Windows\SysWOW64\reg.exe
  Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
  PID: 1996
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 310KB
  MD5: 0a6bbc1ea01f47f879637d3c5a9fe8fb
  SHA1: 11ff92b3e6196604ed34ddd46039cc8cc64b5a14
  SHA256: 7089d548e647457d27c9dd935090a0d7f7702d778676126f1d539faa1c61aa5b
  SHA512: 5964206468ce132db40d6b026089c89e3954a95efbdbf941a261a0081d3c2cc165020e479fcba2022fd01471d7e303f54ca8aaf519d22a7fcb2e9f1165ff283a
- Filesize: 284KB
  MD5: 3197d87708566ffa669604c9e87a751a
  SHA1: 38e8d88be645b7924aec5bd8c48c1bfabedf22c4
  SHA256: 035818e2e38a2055e1f14aa977cadf9b4372bcc521222a3a51c7b9df6a0ffa64
  SHA512: f26d413c5d3f819ae078cc2d93ab012a2125f1ee22c3b5ae522bf1df54c8e7ec6881789382e242df07d29f80ff1b0451697cc671293925d23ca4f7109ac31cf7
- Filesize: 165KB
  MD5: c622163200e94e9d48f755c43c6ac985
  SHA1: acc5858ab9236a54f4726a490c34ee81bda3af70
  SHA256: 24f9116e48f364905ebce356fb3a3b764d83a09b04f722539a18e9bc21b42f9f
  SHA512: c2601239cdc9c387cc6b98f3829f238a6db1580f062f49a20a2db7a52ab56b5e3666525cb69de1a85d232c75baee966b9856f7092e13465736186d732f5c7e3d
- Filesize: 385KB
  MD5: c14d313cef547f4fe25eb1e40d648bca
  SHA1: 3d0df1ee27660cd4ebe02a02dfa434b109d50c55
  SHA256: 05ec4c80e408ebbbe4064d2ef9dd5e587db0298212b1ff927a77f440eaaba8d6
  SHA512: 88a6a505970bf33be102713cef020df6626353cfd9ddfe144af910106599d6d1f83723e349b43a6389cc513ee6a0ce52c18cba95fed96ae3b33df2d29a8b1ebe
- Filesize: 337KB
  MD5: 4c061e1d122ceba20a66f58db39eb507
  SHA1: 5854c8d9d354614adf27c14633bc124e331d3727
  SHA256: f74508d8401d6844eb4a6d68b2fffc5051445ac032767f6154fb19e73a9cfe4e
  SHA512: 58018a4a2ed2ad573f0a0c94baa348fc3e4e0fc4d16c88131e848107a4dd6a7c74dea38496e7df819182207600be9996d6c441caaf4a7325564958901eba2cc6
- Filesize: 1KB
  MD5: c9896844255a6e4610e124e2d91d7b87
  SHA1: fe7b66e833d8576ecf06f547f5aede6089a58cad
  SHA256: 4ad61eb92e20cb4d8a0f06bd40acabd12a38c14a7e26aae2c9e3025f1faf45d7
  SHA512: 7dcbcdf723e4b13688801d169e19fe1c3f623808e2c86ff85f8ea0a2f7704aaef2bd9927c98c2f6f4f257d412fe720ae6b42e8bf279cbb684af0c5b950e2ddfd
- Filesize: 256KB
  MD5: 8fdf47e0ff70c40ed3a17014aeea4232
  SHA1: e6256a0159688f0560b015da4d967f41cbf8c9bd
  SHA256: ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
  SHA512: bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be
- Filesize: 131KB
  MD5: 043740beb2fa186058081bba255affd1
  SHA1: 0661d8e98930d49a3c9ff50708b24e7993f216f9
  SHA256: f610ce98e2f5cb12a36fee337d237e34a7b133a385b567fa6e366f065bca8ab3
  SHA512: 93f0e0278ee71a5fa9dc60021d5d670d12455b22b8a6e6458e56b14aa49e7ed61804d92abd140af7d30f04ced9ab62f871521f52c84ecf4cc3ff67c981ba41cb
- Filesize: 72KB
  MD5: 57d978f88e950c145bcbb5f6f09de721
  SHA1: 482980eb6d362cc99033c612feadc0c2d27cc2a0
  SHA256: 1902d1464cee2d8e94775a5d67b2ea8fe8bf558dd1e389e5867dfafd55f43186
  SHA512: 8137c8f4629e293c81bfa570cd35607585bebca26da61771dc505e7bd6b65d0322b56047c2be61a6a5d0ec2ae84d1abf00fde5e2053bf5b558643a83bd5df0c8
- Filesize: 112KB
  MD5: bae2b04e1160950e570661f55d7cd6f8
  SHA1: f4abc073a091292547dda85d0ba044cab231c8da
  SHA256: ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59
  SHA512: 1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6