Resubmissions
23-07-2024 17:59
240723-wk4grs1hrl 1023-07-2024 17:56
240723-wjg75svcla 1023-07-2024 17:55
240723-whgvzsvcjg 823-07-2024 17:52
240723-wf3pns1hll 823-07-2024 17:45
240723-wbtafa1gpr 1023-07-2024 17:42
240723-v97eaavane 1023-07-2024 17:40
240723-v8625a1fpm 823-07-2024 17:39
240723-v8bafs1fll 823-07-2024 17:36
240723-v62dvs1eqq 10General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
-
Sample
240723-wk4grs1hrl
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo
Resource
win10-20240404-en
Malware Config
Extracted
metasploit
windows/download_exec
http://149.129.72.37:23456/SNpK
- headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)
Extracted
azorult
http://boglogov.site/index.php
Targets
-
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies WinLogon for persistence
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (172) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Modifies file permissions
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies WinLogon
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Hide Artifacts: Hidden Users
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1File and Directory Permissions Modification
1Hide Artifacts
3Hidden Files and Directories
2Hidden Users
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
3Indicator Removal
2File Deletion
2Modify Registry
8Pre-OS Boot
1Bootkit
1