Overview

overview

10

Static

static

3

94d77da6e9...74.exe

windows7-x64

10

94d77da6e9...74.exe

windows10-2004-x64

8

$PLUGINSDI...ge.dll

windows7-x64

1

$PLUGINSDI...ge.dll

windows10-2004-x64

1

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    18-07-2024 18:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94d77da6e9ba6786e66b3864a9092a028d4e076774a5003b50eea0b5b04be074.exe

  • Size

    593KB

  • MD5

    6b67c037861d71932f9971faade3c695

  • SHA1

    03313a12f94a0923bd456a058bb974e43f3c8562

  • SHA256

    94d77da6e9ba6786e66b3864a9092a028d4e076774a5003b50eea0b5b04be074

  • SHA512

    d59c9fe2cb5664394c670ca85964c85fbc4f00129c786ea79470b6c47d9768a5481496a6b9ac38f15c4cc66aad83e372a162a9890359648b19c4c08b9c53728f

  • SSDEEP

    12288:sCn4AyHnr1nomoZlKOKIQxRGul47sbYY6UsGVPCHNwEX:/nEnrVvfOdQxJ47skYxsGVcNb

Score
10/10
azorultexecutioninfostealertrojan

Malware Config

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Loads dropped DLL 6 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94d77da6e9ba6786e66b3864a9092a028d4e076774a5003b50eea0b5b04be074.exe
    "C:\Users\Admin\AppData\Local\Temp\94d77da6e9ba6786e66b3864a9092a028d4e076774a5003b50eea0b5b04be074.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$thingumajig=Get-Content 'C:\Users\Admin\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Cytoplasmiske.Inl';$barbs=$thingumajig.SubString(70747,3);.$barbs($thingumajig)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1828
      • C:\Users\Admin\AppData\Local\Temp\Stikprvevarianterne204.exe
        "C:\Users\Admin\AppData\Local\Temp\Stikprvevarianterne204.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:2528

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Stikprvevarianterne204.exe
    Filesize

    593KB

    MD5

    6b67c037861d71932f9971faade3c695

    SHA1

    03313a12f94a0923bd456a058bb974e43f3c8562

    SHA256

    94d77da6e9ba6786e66b3864a9092a028d4e076774a5003b50eea0b5b04be074

    SHA512

    d59c9fe2cb5664394c670ca85964c85fbc4f00129c786ea79470b6c47d9768a5481496a6b9ac38f15c4cc66aad83e372a162a9890359648b19c4c08b9c53728f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Cytoplasmiske.Inl
    Filesize

    69KB

    MD5

    400299b1901cee5565c7f095ae1da7a0

    SHA1

    6f5ef95f16c7657a1147c13f483738efbb97696e

    SHA256

    0c3763bcba10bdcf914aeb773514df59169770ff0e3f3dfcba1ffb9f699a61e4

    SHA512

    d09950fd2a75ad6a7b4a5e101cbad8f411110aa787c06e5750ae42465981786ff978d14ffee328fa88ab4b8adf25afc9511f18f34b42bbdbd186b0ab0cde3855

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Importability.Bol
    Filesize

    347KB

    MD5

    eb4cd7696599b90f2a761dba56ea7584

    SHA1

    c1a0f20bd589f2f4a3c92ba4d487c8654f0c6b44

    SHA256

    b54095a8b08b7f0f459234a16916756f570c82831e893e3be5976cca91c2aab8

    SHA512

    d57ddedee24657c9d66b62cf7dd2cc06a6d7ce0c4a4b5919956a58309e3912d69432e7fb916e1d2441d7b1d09737facfdc76e90984ed829ec41fdb3696be50f3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsy2CF.tmp\BgImage.dll
    Filesize

    7KB

    MD5

    49998d066af103d06b56f5b4c76b1497

    SHA1

    b7dce166147f40dfa17f5ca950c4e324a10d04be

    SHA256

    95042dbe7428461ee7fd210acf37040eb921012c7b32f66cb54766f0a16bb5b6

    SHA512

    61b0d75ef3a18c8c13ad8c614a012a71cbc4f6fd4bba0aa0c7b866e1a8fbf5f9fdb3e012a3566586d47fc8b456a7de36a06a0d70cdf27e504aac64eab37555d7

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsy2CF.tmp\nsDialogs.dll
    Filesize

    9KB

    MD5

    19d3373e403a6e724cfa1563dfd1f463

    SHA1

    4917547b355a91e9431879209f56925097bf4fb3

    SHA256

    873fa0c52eae7cfbed56ea18b21fad0ca8f018ab7f305bd1db1a3ec454e353d1

    SHA512

    b6f6db23376ade4bb864ea14244980612f42f322d3915540090bfe8edc80e9577b7aec3589bd587ca47a729371ed8ab8e6e23031bb3e3f524d48783637646193

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsy2CF.tmp\nsExec.dll
    Filesize

    6KB

    MD5

    6c881f00ba860b17821d8813aa34dbc6

    SHA1

    0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

    SHA256

    bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

    SHA512

    c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

    Download Submit

  • memory/1828-36-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1828-38-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1828-39-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1828-42-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1828-37-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1828-44-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1828-45-0x00000000064A0000-0x000000000B18D000-memory.dmp

    Filesize

    76.9MB

    Download

  • memory/1828-46-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1828-35-0x0000000074071000-0x0000000074072000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2528-51-0x0000000000480000-0x00000000014E2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2528-52-0x0000000000480000-0x00000000014E2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2528-53-0x0000000000480000-0x00000000014E2000-memory.dmp

    Filesize

    16.4MB

    Download