Analysis
-
max time kernel
140s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
17-08-2024 07:36
Static task
static1
Behavioral task
behavioral1
Sample
FedEx Shipping Document.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
FedEx Shipping Document.exe
Resource
win10v2004-20240802-en
General
-
Target
FedEx Shipping Document.exe
-
Size
396KB
-
MD5
426a70b17444d7928e16d122e11a3da1
-
SHA1
320a7b6857baedfff5512e84569d8d4cc05dc6e0
-
SHA256
88da0443485279462c67050bb9973e9fed6a8fdffc6f2a46929eeb138d3e9000
-
SHA512
d4b215f52064b9016d313f2ad63be86a061324ee72a0257bd69776f72e99b60bddabdb6de1a655c432227fa5e957c3983c64b8052bd349a47abc884bc0d7cec6
-
SSDEEP
6144:vkAo1hecmm8UyucIXbPusaBPsz4KIIH5wXCvBmm8uYqh9kcc7V:4CcIE5oWwm8uYYSc
Malware Config
Extracted
azorult
http://l0h5.shop/CM341/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Loads dropped DLL 4 IoCs
Processes:
MSBuild.exepid process 624 MSBuild.exe 624 MSBuild.exe 624 MSBuild.exe 624 MSBuild.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook MSBuild.exe Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook MSBuild.exe Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook MSBuild.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
FedEx Shipping Document.exedescription pid process target process PID 4644 set thread context of 624 4644 FedEx Shipping Document.exe MSBuild.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
MSBuild.execmd.exetimeout.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
FedEx Shipping Document.exepid process 4644 FedEx Shipping Document.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MSBuild.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString MSBuild.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MSBuild.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 1644 timeout.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
MSBuild.exepid process 624 MSBuild.exe 624 MSBuild.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
FedEx Shipping Document.exeMSBuild.execmd.exedescription pid process target process PID 4644 wrote to memory of 624 4644 FedEx Shipping Document.exe MSBuild.exe PID 4644 wrote to memory of 624 4644 FedEx Shipping Document.exe MSBuild.exe PID 4644 wrote to memory of 624 4644 FedEx Shipping Document.exe MSBuild.exe PID 4644 wrote to memory of 624 4644 FedEx Shipping Document.exe MSBuild.exe PID 4644 wrote to memory of 624 4644 FedEx Shipping Document.exe MSBuild.exe PID 4644 wrote to memory of 624 4644 FedEx Shipping Document.exe MSBuild.exe PID 4644 wrote to memory of 624 4644 FedEx Shipping Document.exe MSBuild.exe PID 4644 wrote to memory of 624 4644 FedEx Shipping Document.exe MSBuild.exe PID 4644 wrote to memory of 624 4644 FedEx Shipping Document.exe MSBuild.exe PID 624 wrote to memory of 1880 624 MSBuild.exe cmd.exe PID 624 wrote to memory of 1880 624 MSBuild.exe cmd.exe PID 624 wrote to memory of 1880 624 MSBuild.exe cmd.exe PID 1880 wrote to memory of 1644 1880 cmd.exe timeout.exe PID 1880 wrote to memory of 1644 1880 cmd.exe timeout.exe PID 1880 wrote to memory of 1644 1880 cmd.exe timeout.exe -
outlook_office_path 1 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook MSBuild.exe -
outlook_win_path 1 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook MSBuild.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FedEx Shipping Document.exe"C:\Users\Admin\AppData\Local\Temp\FedEx Shipping Document.exe"1⤵
- Suspicious use of SetThreadContext
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:624 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "MSBuild.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\timeout.exeC:\Windows\system32\timeout.exe 34⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1644
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
135KB
MD59e682f1eb98a9d41468fc3e50f907635
SHA185e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
-
Filesize
429KB
MD5109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
Filesize
1.2MB
MD5556ea09421a0f74d31c4c0a89a70dc23
SHA1f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA5122481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
-
Filesize
81KB
MD57587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f