Analysis
Max time kernel: 140s
Max time network: 117s
Platform: windows7_x64
Resource: win7-20231129-en
Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
Submitted: 27-01-2024 07:06
Static task: static1
Behavioral task: behavioral1
  Sample: 799667af57a95a533d10863a658c30bb.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 799667af57a95a533d10863a658c30bb.exe
  Resource: win10v2004-20231215-en
General
Target: 799667af57a95a533d10863a658c30bb.exe
Size: 688KB
MD5: 799667af57a95a533d10863a658c30bb
SHA1: 952615061f288c135f73c7d25cf4f1f10217b7a8
SHA256: c74313aab2a5ab68bd3645525e6a2187d20281b8874edecbbdcc8f9ebcb97fed
SHA512: 6a215ba28aff45d85e83e7935d37786839c0cd495583ce9150ddd5bc4266e62a4daef299aedd7880952562b1e596999fc6cb1f079258420e83ac2fd9907cb6ef
SSDEEP: 12288:9Qnk3GDYKGcblfxTLWFNThvEjjZobhBrLq8PlCIur/xg4nAOoW6n0zi:HAOcZZTLWvNkenrLqF/n760zi
Malware Config
Extracted family: azorult
URL: http://195.245.112.115/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (1 IoC)
  Processes: PID 2552 Magnum.exe
- Loads dropped DLL (8 IoCs)
  Processes: PID 2372 799667af57a95a533d10863a658c30bb.exe (4 events); PID 1096 WerFault.exe (4 events)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes: PID 1096 WerFault.exe, target PID 2552 Magnum.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: PID 1260 DllHost.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2372 (799667af57a95a533d10863a658c30bb.exe) wrote to memory of PID 2552 (Magnum.exe): 4 events
  PID 2552 (Magnum.exe) wrote to memory of PID 1096 (WerFault.exe): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\799667af57a95a533d10863a658c30bb.exe (PID 2372)
  Command line: "C:\Users\Admin\AppData\Local\Temp\799667af57a95a533d10863a658c30bb.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Magnum.exe (PID 2552)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Magnum.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1096)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 764
      - Loads dropped DLL
      - Program crash
- C:\Windows\SysWOW64\DllHost.exe (PID 1260)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow