Analysis
Max time kernel: 120s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 26-02-2024 22:02
Tasks
Static task: static1
Behavioral tasks:
  behavioral1  CITIUS33XXX10307051121001177.exe  win7-20240221-en
  behavioral2  CITIUS33XXX10307051121001177.exe  win10v2004-20240226-en
  behavioral3  ucxgm.exe                         win7-20240221-en
  behavioral4  ucxgm.exe                         win10v2004-20240226-en
The signatures, process tree and downloads below belong to the run on windows7_x64 / win7-20240221-en (behavioral1), the platform and resource named in the Analysis header.
General
Target: CITIUS33XXX10307051121001177.exe
Size: 337KB
MD5: bce638f50587c46faa3c3e1798100251
SHA1: 7b354d3902b1af13cc17cf4ec0c4da111309956d
SHA256: 3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b
SHA512: 18445d9cd7bf41946817dae07652e2f4e9c0f14e98c90941c30b304fb70667aa79f4b5603f60d73bcd7bcca611bee7ac1d0601b278121c311de917b8e26e5c9f
SSDEEP: 6144:rGioWWuuTKFIIfn9pbghCwAehEPKb0iwRaazRZYJ:2uumFIWTbfZeEyIiYaeRZYJ
Malware Config
Extracted family: azorult
Extracted C2 URL: http://89.43.107.198/mpom/index.php
Signatures

Azorult
An information stealer first discovered in 2016; it targets browsing history and saved passwords.

Executes dropped EXE (2 IoCs)
  PID   Process
  1684  ucxgm.exe
  2908  ucxgm.exe

Loads dropped DLL (5 IoCs)
  PID   Process
  340   CITIUS33XXX10307051121001177.exe
  1684  ucxgm.exe
  2560  WerFault.exe
  2560  WerFault.exe
  2560  WerFault.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  PID   Process       Target PID  Target process
  2560  WerFault.exe  2908        ucxgm.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  Source PID  Source process                    Target PID  Target process  Writes
  340         CITIUS33XXX10307051121001177.exe  1684        ucxgm.exe       4
  1684        ucxgm.exe                         2908        ucxgm.exe       11
  2908        ucxgm.exe                         2560        WerFault.exe    4
Of the 19 recorded writes, 11 are from ucxgm.exe (PID 1684) into the second copy of itself that it spawned (PID 2908). That self-spawn-and-write pattern is the injection indicator in this run; the four writes into each of the other two children are consistent with a parent setting up a newly created process rather than with code injection.
Processes
C:\Users\Admin\AppData\Local\Temp\CITIUS33XXX10307051121001177.exe  (PID 340)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CITIUS33XXX10307051121001177.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  +- C:\Users\Admin\AppData\Local\Temp\ucxgm.exe  (PID 1684)
       Command line: C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\joszbi
       Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
       +- C:\Users\Admin\AppData\Local\Temp\ucxgm.exe  (PID 2908)
            Command line: C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\joszbi
            Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
            +- C:\Windows\SysWOW64\WerFault.exe  (PID 2560)
                 Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 120
                 Signatures: Loads dropped DLL; Program crash
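The process tree above re-derived as detection logic. This is an added example, not part of the sandbox report and not code from the Azorult sample. The events are constructed by hand from the PIDs, image paths and command lines the report shows; the temp-directory markers, the same-image rule, the per-pair write counts and the WerFault `-p` parsing are the example's own assumptions. It flags the three things the report records: a dropped executable launched from a temp directory, a process writing into a freshly spawned copy of itself, and WerFault reporting that injected copy as crashed.

```python
"""Re-derive the injection chain from sandbox-style process events.

Added example. Events are constructed from the report's process tree;
field names, temp-dir markers and the same-image rule are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import ntpath
import re

# Assumed markers for "dropped to a temp directory" (lower-cased substrings).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    writes_to: Dict[int, int] = field(default_factory=dict)  # target pid -> write count


# Constructed process-create events: (pid, parent pid, image, command line),
# copied from the report's process tree.
PROCESS_CREATE: List[Tuple[int, Optional[int], str, str]] = [
    (340, None,
     r"C:\Users\Admin\AppData\Local\Temp\CITIUS33XXX10307051121001177.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\CITIUS33XXX10307051121001177.exe"'),
    (1684, 340,
     r"C:\Users\Admin\AppData\Local\Temp\ucxgm.exe",
     r"C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\joszbi"),
    (2908, 1684,
     r"C:\Users\Admin\AppData\Local\Temp\ucxgm.exe",
     r"C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\joszbi"),
    (2560, 2908,
     r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 120"),
]

# Constructed cross-process write events (source pid, target pid), one per
# "wrote to memory of" row in the report: 4 + 11 + 4 = 19.
MEMORY_WRITES: List[Tuple[int, int]] = (
    [(340, 1684)] * 4 + [(1684, 2908)] * 11 + [(2908, 2560)] * 4
)


def build_tree(creates, writes) -> Dict[int, Proc]:
    """Index processes by PID and attach per-target write counts."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in creates}
    for src, dst in writes:
        if src in procs:
            procs[src].writes_to[dst] = procs[src].writes_to.get(dst, 0) + 1
    return procs


def in_temp(image: str) -> bool:
    return any(m in image.lower() for m in TEMP_MARKERS)


def dropped_exe_executions(procs: Dict[int, Proc]) -> List[int]:
    """PIDs launched from a temp directory by another tracked process.
    The submitted sample (no tracked parent) is deliberately excluded."""
    return sorted(p.pid for p in procs.values() if p.ppid in procs and in_temp(p.image))


def self_injections(procs: Dict[int, Proc]) -> List[Tuple[int, int, str, int]]:
    """(parent, child, image basename, write count) where a process wrote
    into a child running the same image: the self-spawn-and-inject pattern."""
    hits = []
    for p in procs.values():
        for target, count in p.writes_to.items():
            t = procs.get(target)
            if (t and t.ppid == p.pid
                    and ntpath.basename(t.image).lower() == ntpath.basename(p.image).lower()):
                hits.append((p.pid, t.pid, ntpath.basename(t.image), count))
    return hits


WERFAULT_PID = re.compile(r"-p\s+(\d+)")  # WerFault's faulting-process argument


def crashed_injection_targets(procs: Dict[int, Proc], injections) -> List[int]:
    """Injected children that a WerFault instance names as the crashed
    process, i.e. the payload did not survive in this environment."""
    targets = {child for _, child, _, _ in injections}
    crashed = []
    for p in procs.values():
        if ntpath.basename(p.image).lower() == "werfault.exe":
            m = WERFAULT_PID.search(p.cmdline)
            if m and int(m.group(1)) in targets:
                crashed.append(int(m.group(1)))
    return sorted(crashed)


if __name__ == "__main__":
    tree = build_tree(PROCESS_CREATE, MEMORY_WRITES)
    print("dropped EXE executed as PIDs:", dropped_exe_executions(tree))
    hits = self_injections(tree)
    for parent, child, name, n in hits:
        print(f"self-injection: {parent} -> {child} ({name}), {n} writes")
    print("injected copy crashed:", crashed_injection_targets(tree, hits))
```

The same-image rule is the primary signal; the write count is exposed so a threshold can be applied when the parent and child images differ, but with the report's data the two ordinary parent-to-child pairs (4 writes each) are never matched and only the 1684 to 2908 pair (11 writes) is reported.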
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 5KB
MD5: a5a523f60a17756e61e17ba513ff59d1
SHA1: d03b444c7c2d4ffb34d483427e69ec2116d90951
SHA256: 5519ce10c332d304d521a15d902d84e2feac7827a148284713402de837fd4755
SHA512: 99af33e2deb545c902c8663a67643b18ae2ee09924c8dee23c4ed93a6ff55305c020e3fd4e2d3781144450b14468c08799a3c59dfd1151893ec1a7e8352ef08d
-
Filesize: 211KB
MD5: 664cb163be98c1035799694e2585cb16
SHA1: 30984822dc25b065f6476557361396282906c551
SHA256: 466b28f6c18c530ac94410a111fe1feb84b2363b03831cb3e39af96d37ad56cd
SHA512: e723882a67c072413357da1d9950a363ffcdb38fd1554cfede3acc75a16b6b78497a736fed7c32a5b8431a4ce591d3610da561ebbfee03ce04d6661e32612985
-
Filesize: 179KB
MD5: 78673699f5e78cf7ecfbb9ef42f3cc20
SHA1: 7d1a1e230a595a3249f70871dfca54c1c7e6bb3e
SHA256: 85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838
SHA512: 1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016