Overview

overview

10

Static

static

3

DOC6010038709-PO.exe

windows7-x64

10

DOC6010038709-PO.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Proctodyni...de.app

macos-10.15-amd64

1

Analysis

  • max time kernel
    89s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-01-2024 16:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DOC6010038709-PO.exe

  • Size

    401KB

  • MD5

    5ad5fcac5705acde3ed51ae6b3c2c0b1

  • SHA1

    77a26b80323ac8e1f172d8ce980120454ed53939

  • SHA256

    52dd1ddf925baa01a172d0e420ec8833a10726ee7a7dcfc2a55f1e04f47c6a63

  • SHA512

    1b472fc9a53b6a8864176dbd7e1ce91dccdae9c6dcf9716274c80011368275dc1f3c2098287bd32d708ce18214b048113fdc59cefd3a106a1d2b6ddaee304a27

  • SSDEEP

    12288:3kvqcSBHwEbBn+mDZVKxRu2GfWLpcCoJt:9wOTZVKbgWLCCat

Score
10/10
azorultguloaderdownloaderinfostealertrojan

Malware Config

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Loads dropped DLL 4 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DOC6010038709-PO.exe
    "C:\Users\Admin\AppData\Local\Temp\DOC6010038709-PO.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Users\Admin\AppData\Local\Temp\DOC6010038709-PO.exe
      "C:\Users\Admin\AppData\Local\Temp\DOC6010038709-PO.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1660

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsq497D.tmp\System.dll
    Filesize

    11KB

    MD5

    17ed1c86bd67e78ade4712be48a7d2bd

    SHA1

    1cc9fe86d6d6030b4dae45ecddce5907991c01a0

    SHA256

    bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

    SHA512

    0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsq497D.tmp\nsDialogs.dll
    Filesize

    9KB

    MD5

    42b064366f780c1f298fa3cb3aeae260

    SHA1

    5b0349db73c43f35227b252b9aa6555f5ede9015

    SHA256

    c13104552b8b553159f50f6e2ca45114493397a6fa4bf2cbb960c4a2bbd349ab

    SHA512

    50d8f4f7a3ff45d5854741e7c4153fa13ee1093bafbe9c2adc60712ed2fb505c9688dd420d75aaea1b696da46b6beccc232e41388bc2a16b1f9eea1832df1cd7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsq497D.tmp\nsExec.dll
    Filesize

    6KB

    MD5

    b55f7f1b17c39018910c23108f929082

    SHA1

    1601f1cc0d0d6bcf35799b7cd15550cd01556172

    SHA256

    c4c6fe032f3cd8b31528d7b99661f85ee22cb78746aee98ec568431d4f5043f7

    SHA512

    d652f2b09396ef7b9181996c4700b25840ceaa6c1c10080a55ce3db4c25d8d85f00a21e747f9d14a3374be4cdd4ea829a18d7de9b27b13b5e304447f3e9268fa

    Download Submit

  • memory/1608-27-0x0000000005230000-0x0000000007BF0000-memory.dmp

    Filesize

    41.8MB

    Download

  • memory/1608-23-0x0000000077051000-0x0000000077171000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1608-24-0x0000000077051000-0x0000000077171000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1608-25-0x0000000010000000-0x0000000010006000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1608-22-0x0000000005230000-0x0000000007BF0000-memory.dmp

    Filesize

    41.8MB

    Download

  • memory/1660-26-0x00000000004A0000-0x0000000002E60000-memory.dmp

    Filesize

    41.8MB

    Download

  • memory/1660-28-0x00000000770D8000-0x00000000770D9000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1660-29-0x00000000770F5000-0x00000000770F6000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1660-39-0x0000000072A50000-0x0000000073CA4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1660-40-0x0000000000060000-0x0000000000087000-memory.dmp

    Filesize

    156KB

    Download

  • memory/1660-41-0x0000000072A50000-0x0000000073CA4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1660-43-0x0000000077051000-0x0000000077171000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1660-42-0x00000000004A0000-0x0000000002E60000-memory.dmp

    Filesize

    41.8MB

    Download