Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
20-02-2024 05:45
Static task
static1
Behavioral task
behavioral1
Sample
7406da890d87374ab8f524683aef1c11f201068b95095aa20ac3712daaa0c5b3.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
7406da890d87374ab8f524683aef1c11f201068b95095aa20ac3712daaa0c5b3.exe
Resource
win10v2004-20231215-en
General
-
Target
7406da890d87374ab8f524683aef1c11f201068b95095aa20ac3712daaa0c5b3.exe
-
Size
1.5MB
-
MD5
ef25ff0d23d8da1b5250fd896896f53e
-
SHA1
390d474c015306ebd252978d7dba78720238543b
-
SHA256
7406da890d87374ab8f524683aef1c11f201068b95095aa20ac3712daaa0c5b3
-
SHA512
976a67d43491a9b81ee04bb9fc80fc2f08c8b4415bbffad50be1a6e67912cb5995cbded04990397df78af785c60bbf89a1d1d0626aca1ec091344293424ea49d
-
SSDEEP
49152:FTvC/MTQYxsWR7acyejdjIQl6kX7sXf8n0irmNmSb6HCjsZ:pjTQYxsWR5yejdjIQl6kX7sXf8nzrm8l
Malware Config
Extracted
azorult
http://mhlc.shop/MC341/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Loads dropped DLL 4 IoCs
Processes:
svchost.exepid process 848 svchost.exe 848 svchost.exe 848 svchost.exe 848 svchost.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook svchost.exe Key opened \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook svchost.exe Key opened \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook svchost.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
7406da890d87374ab8f524683aef1c11f201068b95095aa20ac3712daaa0c5b3.exedescription pid process target process PID 2176 set thread context of 848 2176 7406da890d87374ab8f524683aef1c11f201068b95095aa20ac3712daaa0c5b3.exe svchost.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 5000 timeout.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
svchost.exepid process 848 svchost.exe 848 svchost.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
7406da890d87374ab8f524683aef1c11f201068b95095aa20ac3712daaa0c5b3.exepid process 2176 7406da890d87374ab8f524683aef1c11f201068b95095aa20ac3712daaa0c5b3.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
7406da890d87374ab8f524683aef1c11f201068b95095aa20ac3712daaa0c5b3.exesvchost.execmd.exedescription pid process target process PID 2176 wrote to memory of 848 2176 7406da890d87374ab8f524683aef1c11f201068b95095aa20ac3712daaa0c5b3.exe svchost.exe PID 2176 wrote to memory of 848 2176 7406da890d87374ab8f524683aef1c11f201068b95095aa20ac3712daaa0c5b3.exe svchost.exe PID 2176 wrote to memory of 848 2176 7406da890d87374ab8f524683aef1c11f201068b95095aa20ac3712daaa0c5b3.exe svchost.exe PID 2176 wrote to memory of 848 2176 7406da890d87374ab8f524683aef1c11f201068b95095aa20ac3712daaa0c5b3.exe svchost.exe PID 848 wrote to memory of 392 848 svchost.exe cmd.exe PID 848 wrote to memory of 392 848 svchost.exe cmd.exe PID 848 wrote to memory of 392 848 svchost.exe cmd.exe PID 392 wrote to memory of 5000 392 cmd.exe timeout.exe PID 392 wrote to memory of 5000 392 cmd.exe timeout.exe PID 392 wrote to memory of 5000 392 cmd.exe timeout.exe -
outlook_office_path 1 IoCs
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook svchost.exe -
outlook_win_path 1 IoCs
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7406da890d87374ab8f524683aef1c11f201068b95095aa20ac3712daaa0c5b3.exe"C:\Users\Admin\AppData\Local\Temp\7406da890d87374ab8f524683aef1c11f201068b95095aa20ac3712daaa0c5b3.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\7406da890d87374ab8f524683aef1c11f201068b95095aa20ac3712daaa0c5b3.exe"2⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:848 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "svchost.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\timeout.exeC:\Windows\system32\timeout.exe 34⤵
- Delays execution with timeout.exe
PID:5000
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
135KB
MD59e682f1eb98a9d41468fc3e50f907635
SHA185e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
-
Filesize
429KB
MD5109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
Filesize
1.2MB
MD5556ea09421a0f74d31c4c0a89a70dc23
SHA1f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA5122481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
-
Filesize
81KB
MD57587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f