Overview

overview

10

Static

static

7

68b53507bf...e7.exe

windows7-x64

10

68b53507bf...e7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-01-2024 21:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    68b53507bfc36e79ffd4ffbcdefec6e7.exe

  • Size

    3.1MB

  • MD5

    68b53507bfc36e79ffd4ffbcdefec6e7

  • SHA1

    92c474d188287913cb3c404e5c286de578e59ea9

  • SHA256

    bab256aaf0fd8ee5010aef26054bbeac7c75b38be2fd04ce8f0293ad2da9030a

  • SHA512

    94c4a3c9dd179bbf2b407018b4ab7f8eb9fa9b022693206b2c8ffe23b72da7a1166c92079a72a5a77906ca88690b811b7fb9dc517030551f26f9433fdca44d30

  • SSDEEP

    98304:OdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8x:OdNB4ianUstYuUR2CSHsVP8x

Score
10/10
azorultnetwirebotnetinfostealerratstealertrojanupx

Malware Config

Extracted

Family

netwire

C2

174.127.99.159:7882

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    May-B

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

azorult

C2

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68b53507bfc36e79ffd4ffbcdefec6e7.exe
    "C:\Users\Admin\AppData\Local\Temp\68b53507bfc36e79ffd4ffbcdefec6e7.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c test.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4596
      • C:\Users\Admin\AppData\Local\Temp\test.exe
        test.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5104
        • C:\Users\Admin\AppData\Local\Temp\File.exe
          "C:\Users\Admin\AppData\Local\Temp\File.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:752
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
            5⤵
              PID:3260
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1624
              • C:\Windows\SysWOW64\reg.exe
                reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
                6⤵
                  PID:3924
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
                5⤵
                • NTFS ADS
                PID:464
              • C:\Users\Admin\AppData\Local\Temp\svhost.exe
                "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
                5⤵
                • Executes dropped EXE
                PID:2524
              • C:\Users\Admin\AppData\Roaming\tmp.exe
                "C:\Users\Admin\AppData\Roaming\tmp.exe"
                5⤵
                • Executes dropped EXE
                PID:3408
            • C:\Users\Admin\AppData\Local\Temp\svhost.exe
              "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
              4⤵
              • Executes dropped EXE
              PID:3284
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
              4⤵
              • NTFS ADS
              PID:2728
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:516
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
              4⤵
                PID:3708
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
          1⤵
            PID:2800

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\File.exe
            Filesize

            322KB

            MD5

            2b918f61d2a9b0f55fbc91b7f82aacc8

            SHA1

            f11f53bd280f832c523ee9f4928523fd036cdf36

            SHA256

            0ea7811b1be1491c875ca5e0a620a74fb3eec09c988c6908bb409fd595be2490

            SHA512

            b88362b40ee6e17a1d15d36907b2e9f11bb787e7c780bbed18e6a8313f6b767f4c93a629a7825a902801d6c20e179fcad5996dee770774d431f0cb25e8621aec

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\File.exe
            Filesize

            342KB

            MD5

            37c82e15058e2f8f5e9525b956e6440d

            SHA1

            3bf20d00bd7a7943c4066d534f5b276cac5ae39f

            SHA256

            80c4716318f874881151c78c4dce9a0a01be4294834f33ee7f12a8a34bb8b2b7

            SHA512

            5c9c37a13cac634771ae18736845b8e7c1a33fd8c6c9ae564f6863b5033a68565f0fd3da555d15870bbc547cc549153c096c44f2d7ced828baffdcfa8641da0a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
            Filesize

            931KB

            MD5

            836cda1d8a9718485cc9f9653530c2d9

            SHA1

            fca85ff9aa624547d9a315962d82388c300edac1

            SHA256

            d3793a581da66ef5840648574ce364846e7c68a559c0f5e49faf9e4892ecdc72

            SHA512

            07ca078d79f622706d08a534f6b5e2c896152fb0d0e452781fa6be5dc90028fdf074b3b78acac438f2acf5b3f5522e70afb7db4551874a3083860213e2790481

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
            Filesize

            108KB

            MD5

            21d4917219765f41e871e070e0aaadd0

            SHA1

            cf984c7b64b50e267340ac5cf53717c323bc9fd9

            SHA256

            f3535e87f28fab1e9b863a8873dd37c80c14f55a727349759ee748d9bf01fe94

            SHA512

            a0d3843e4cd7d7533b7afd58e71b346306c513ced2d5f58a6431ce41498fb9e94168465a8a915a2b2ff649a43690f2a5e8acd23678613ebcb32f5b575be18b68

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk
            Filesize

            1KB

            MD5

            da7465ac51f4392897ca50274b029841

            SHA1

            5ec477af273c0a6807a0e80da63295962b3e05e5

            SHA256

            1050fe634155bf60731464843be7e0f1595684211379297c6767e96aaa65bde6

            SHA512

            b4bde01fe9f20633046ba3477a74ed90af727cef5e4df06f32dd73e580f2e7999917ee5a00c01b8c76d2cac8eb933f525f29a8724c39e685b4b593a4adf4ce2f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\svhost.exe
            Filesize

            184KB

            MD5

            d873ef10bf6a83e3f4970935c09e3fec

            SHA1

            0756270ce4682d0e3e4d8fb533b3f99ce293b3c6

            SHA256

            e4c2c0079065217344b9c4215f0c83216fb0a15bce13ad83164f547781896fb7

            SHA512

            3cdd467f6ca58be386fa4886a6dd17fe746a4b4e10acfac6a3a7f8222839fdc7737db7daa9daf442cddd896201443aeb325ab6d8e5c69931370104a6d520a9f6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\svhost.exe
            Filesize

            256KB

            MD5

            8fdf47e0ff70c40ed3a17014aeea4232

            SHA1

            e6256a0159688f0560b015da4d967f41cbf8c9bd

            SHA256

            ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

            SHA512

            bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\svhost.exe
            Filesize

            236KB

            MD5

            26c6ee66eb6f0955ee9f4a60da909e58

            SHA1

            855a5f6a1b3e56c3c71d9ef6a4071eb9ef4e3cf3

            SHA256

            0ca9e4f94604ff31dae432d49f891396c52b94da36d15111af23d7fa39f31dc5

            SHA512

            fc96584c62f3a23ecaf64c26a398ed67ef607d97126c64f0ff6bc8ec3339510c2c94138e7b70b44fde7de35c2fd265eb1de0c22f6bbf1f326715dc4c3ed3ec6b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\test.exe
            Filesize

            267KB

            MD5

            d381666197b0cc61fee8890d2ef0c163

            SHA1

            64763959e785037c8a1c3ede752a2a355bb334f4

            SHA256

            325ae74ac9fdb2e62b20590b0c2a3be9a5d8855fad9b05e0d28eb6854b218fa5

            SHA512

            35fa8a28b3643f5cc5894bc0dbd906c12c032ff32f8980241b083d70b43011580d0c4903f98fcf84ee7e041be9467fa742be842f609559a0381d335f5a183fd6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\test.exe
            Filesize

            187KB

            MD5

            201fa7059588a3966326478024a2e153

            SHA1

            c2c01d0a6e4a610279836acdaac295f1bae90adf

            SHA256

            2608b6295c597d96482f7daf3e4e727ea755d26637e67369de531c1adfb1148c

            SHA512

            af4fb5d0e7226294dfdfd8e9269bfb3700356bf78b57170f5e888f6c089007c8aed7e5703ef75c3cc38be5891ea440fa02a9ef4d4ad37e84ca107bc24a4dee6e

            Download Submit

          • C:\Users\Admin\AppData\Roaming\tmp.exe
            Filesize

            112KB

            MD5

            bae2b04e1160950e570661f55d7cd6f8

            SHA1

            f4abc073a091292547dda85d0ba044cab231c8da

            SHA256

            ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59

            SHA512

            1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6

            Download Submit

          • memory/752-21-0x00000000009C0000-0x0000000000A1C000-memory.dmp

            Filesize

            368KB

            Download

          • memory/752-23-0x00000000051F0000-0x0000000005200000-memory.dmp

            Filesize

            64KB

            Download

          • memory/752-22-0x00000000748A0000-0x0000000075050000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/752-59-0x00000000748A0000-0x0000000075050000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/752-24-0x0000000005270000-0x0000000005294000-memory.dmp

            Filesize

            144KB

            Download

          • memory/752-64-0x00000000748A0000-0x0000000075050000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/756-56-0x0000000000400000-0x0000000000B9D000-memory.dmp

            Filesize

            7.6MB

            Download

          • memory/756-62-0x0000000000400000-0x0000000000B9D000-memory.dmp

            Filesize

            7.6MB

            Download

          • memory/756-0-0x0000000000400000-0x0000000000B9D000-memory.dmp

            Filesize

            7.6MB

            Download

          • memory/2524-41-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2524-44-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2524-67-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2524-47-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/3284-33-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/3284-30-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/3284-27-0x0000000000400000-0x0000000000433000-memory.dmp

            Filesize

            204KB

            Download

          • memory/3408-50-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

            Download

          • memory/5104-5-0x0000000000310000-0x00000000003FE000-memory.dmp

            Filesize

            952KB

            Download

          • memory/5104-9-0x0000000004C40000-0x0000000004CC6000-memory.dmp

            Filesize

            536KB

            Download

          • memory/5104-57-0x00000000748A0000-0x0000000075050000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/5104-58-0x0000000004D80000-0x0000000004D90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5104-6-0x00000000748A0000-0x0000000075050000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/5104-61-0x00000000748A0000-0x0000000075050000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/5104-7-0x0000000004CD0000-0x0000000004D6C000-memory.dmp

            Filesize

            624KB

            Download

          • memory/5104-8-0x0000000004D80000-0x0000000004D90000-memory.dmp

            Filesize

            64KB

            Download