Overview

overview

10

Static

static

10

AZGAIQ.exe

windows7-x64

9

AZGAIQ.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/02/2024, 17:06 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AZGAIQ.exe

  • Size

    1.3MB

  • MD5

    0ec1335d66a4cc8ab5a5fb48a3560bc4

  • SHA1

    f22ad2202454c56087ae0d2de4442a89bdea046e

  • SHA256

    46db56c2197d24b0b8fa1588ea1ba0b91bed54afd2876c00b737593660c0c3cd

  • SHA512

    6048d3c5bd3af1857b02cda2227cfb992cd6f55e7ceda41036d5661675e022c0a7a0daaf98db66227ac39bf06e3f62bb941915e84a0786956c63f6d6ba6a53b3

  • SSDEEP

    24576:ethEVaPqL5uTGczYcXga6C7WrmjSD2IrKFhoV7u:mEVUc5uTGczjSA2DVrKURu

Score
9/10
ransomwarespywarestealerupx

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 15 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 14 IoCs

    AutoIT scripts compiled to PE executables.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AZGAIQ.exe
    "C:\Users\Admin\AppData\Local\Temp\AZGAIQ.exe"
    1⤵
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    PID:3480

Network

  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    202.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    202.178.17.96.in-addr.arpa
    IN PTR
    Response
    202.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-202deploystaticakamaitechnologiescom
  • flag-us
    DNS
    22.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    178.223.142.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    178.223.142.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217deploystaticakamaitechnologiescom
  • flag-us
    DNS
    208.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    208.178.17.96.in-addr.arpa
    IN PTR
    Response
    208.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-208deploystaticakamaitechnologiescom
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.178.17.96.in-addr.arpa
    IN PTR
    Response
    209.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-209deploystaticakamaitechnologiescom
  • flag-us
    DNS
    16.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    16.173.189.20.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    202.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    202.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    22.160.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    22.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    178.223.142.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    178.223.142.52.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    217.135.221.88.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    217.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    208.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    208.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    209.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    209.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    16.173.189.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    16.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Lock.Adobe
    Filesize

    8B

    MD5

    de6fdff1993c731e52e49d52a6e684d9

    SHA1

    120d1ff8a24109eed24ac1a5697383d50bcc0f47

    SHA256

    645c2d0cb9f6edf276f7dead9ab8c72531cdae22f54962d174c1339c30cb1b42

    SHA512

    99d05bf76a3a7466ccf27ac304ba35639716089d8dae388aaa707bfb6feb3f362251a65951663dd86abcac5a5e7358a5f29faedfe4c0b55ae136ba9d8f1209c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\aut7986.tmp
    Filesize

    1.0MB

    MD5

    5aa90a0f7830666ef1360b39cbb406db

    SHA1

    f189fbf1ae1a75bab23e5aa0d950db1eb4b72fee

    SHA256

    ddafb9b732aced96a8b9c3d6fbaa9d69b2c116b7e486270ea42df1b6bb6099fa

    SHA512

    0ffd27800fe704c39f8444bb006a6b4e34d5e6443f89aaaf8a21b2f5ea2cf55ad768ed5e57d117f5950ce225ac7ba184a98a895eef7826687d8b09e2ec997a91

    Download Submit

  • memory/3480-164-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

    Download

  • memory/3480-165-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

    Download

  • memory/3480-159-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

    Download

  • memory/3480-160-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

    Download

  • memory/3480-161-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

    Download

  • memory/3480-162-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

    Download

  • memory/3480-0-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

    Download

  • memory/3480-79-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

    Download

  • memory/3480-166-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

    Download

  • memory/3480-167-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

    Download

  • memory/3480-168-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

    Download

  • memory/3480-169-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

    Download

  • memory/3480-170-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

    Download

  • memory/3480-171-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

    Download

  • memory/3480-172-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.