Analysis

  • max time kernel
    94s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/09/2024, 16:37 UTC

General

  • Target

    020920241451ModificationList.exe

  • Size

    1.0MB

  • MD5

    97cc0e7d7caa3483e4c5e5cff9fbe67e

  • SHA1

    e74e03ad3d8f52ce5858a5e8208343fa04a2b367

  • SHA256

    65e1b5713b271302e96bab80440f744c13c953749562603ea3ee03eda880f9ea

  • SHA512

    320b84be5ade8681a0be7bd862dfa1b65f75189cc95967ed586d9efdb3c68a8f243861c399339b42f9688561c2f217a6e9d8e4b2e586a4d4f2f583eca711c357

  • SSDEEP

    24576:OLPskXqS0jFC6LkpzqPskXqS0jFC6LkpzWoKywypSpbYmb93PK/:QJXUJC6LkpzqJXUJC6LkpzEMSNYmpy/

Malware Config

Extracted

Family

azorult

C2

https://ehzwq.shop/erd/mac/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Loads dropped DLL 4 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\020920241451ModificationList.exe
    "C:\Users\Admin\AppData\Local\Temp\020920241451ModificationList.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Local\Temp\020920241451ModificationList.exe
      "C:\Users\Admin\AppData\Local\Temp\020920241451ModificationList.exe"
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • Accesses Microsoft Outlook profiles
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:1252
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "020920241451ModificationList.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:364
        • C:\Windows\SysWOW64\timeout.exe
          C:\Windows\system32\timeout.exe 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:512

Network

  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    ehzwq.shop
    020920241451ModificationList.exe
    Remote address:
    8.8.8.8:53
    Request
    ehzwq.shop
    IN A
    Response
    ehzwq.shop
    IN A
    172.67.162.36
    ehzwq.shop
    IN A
    104.21.10.25
  • flag-us
    POST
    https://ehzwq.shop/erd/mac/index.php
    020920241451ModificationList.exe
    Remote address:
    172.67.162.36:443
    Request
    POST /erd/mac/index.php HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
    Host: ehzwq.shop
    Content-Length: 111
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Mon, 02 Sep 2024 16:37:50 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/5.6.37
    Vary: Accept-Encoding,User-Agent
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VA97kq%2B93djtuulv%2Fq1XjtCwuur7BXQ8b4Boj5kFwhw4sPjOYRbf%2FFdlvr8kJur3Oobk2XWIrkcdEtJH2RangNcP6ZjcQvwxSDAsBWwiY09Vaq6YBluw9ct5QQjr"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8bceed478b946559-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    c.pki.goog
    020920241451ModificationList.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    216.58.201.99
  • flag-gb
    GET
    http://c.pki.goog/r/gsr1.crl
    020920241451ModificationList.exe
    Remote address:
    216.58.201.99:80
    Request
    GET /r/gsr1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 1739
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Mon, 02 Sep 2024 15:55:07 GMT
    Expires: Mon, 02 Sep 2024 16:45:07 GMT
    Cache-Control: public, max-age=3000
    Age: 2562
    Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-gb
    GET
    http://c.pki.goog/r/r4.crl
    020920241451ModificationList.exe
    Remote address:
    216.58.201.99:80
    Request
    GET /r/r4.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 436
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Mon, 02 Sep 2024 16:04:36 GMT
    Expires: Mon, 02 Sep 2024 16:54:36 GMT
    Cache-Control: public, max-age=3000
    Age: 1993
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    36.162.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    36.162.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    99.201.58.216.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.201.58.216.in-addr.arpa
    IN PTR
    Response
    99.201.58.216.in-addr.arpa
    IN PTR
    prg03s02-in-f3.1e100.net
    99.201.58.216.in-addr.arpa
    IN PTR
    prg03s02-in-f99.1e100.net
    99.201.58.216.in-addr.arpa
    IN PTR
    lhr48s48-in-f3.1e100.net
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    POST
    https://ehzwq.shop/erd/mac/index.php
    020920241451ModificationList.exe
    Remote address:
    172.67.162.36:443
    Request
    POST /erd/mac/index.php HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
    Host: ehzwq.shop
    Content-Length: 62253
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Mon, 02 Sep 2024 16:37:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/5.6.37
    Vary: User-Agent
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MygxhRNMLNMdDOrEEBN70vEOYfADUfmsxe4nIpxegXwfskMxbwa6WPcIO4CEOOZUWpiJ7vTTPBmKtU%2FIxLyGd7R%2Fa73cFU4AhhEtdxRveGapBU%2F3bcqOoJgFGuO3"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8bceed666c7c9578-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    86.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.134.221.88.in-addr.arpa
    IN PTR
    Response
    18.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-18.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 172.67.162.36:443
    https://ehzwq.shop/erd/mac/index.php
    tls, http
    020920241451ModificationList.exe
    159.3kB
    4.6MB
    3401
    3399

    HTTP Request

    POST https://ehzwq.shop/erd/mac/index.php

    HTTP Response

    200
  • 216.58.201.99:80
    http://c.pki.goog/r/r4.crl
    http
    020920241451ModificationList.exe
    556 B
    3.8kB
    7
    5

    HTTP Request

    GET http://c.pki.goog/r/gsr1.crl

    HTTP Response

    200

    HTTP Request

    GET http://c.pki.goog/r/r4.crl

    HTTP Response

    200
  • 172.67.162.36:443
    https://ehzwq.shop/erd/mac/index.php
    tls, http
    020920241451ModificationList.exe
    65.3kB
    1.9kB
    57
    27

    HTTP Request

    POST https://ehzwq.shop/erd/mac/index.php

    HTTP Response

    200
  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    ehzwq.shop
    dns
    020920241451ModificationList.exe
    56 B
    88 B
    1
    1

    DNS Request

    ehzwq.shop

    DNS Response

    172.67.162.36
    104.21.10.25

  • 8.8.8.8:53
    c.pki.goog
    dns
    020920241451ModificationList.exe
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    216.58.201.99

  • 8.8.8.8:53
    36.162.67.172.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    36.162.67.172.in-addr.arpa

  • 8.8.8.8:53
    99.201.58.216.in-addr.arpa
    dns
    72 B
    169 B
    1
    1

    DNS Request

    99.201.58.216.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    86.23.85.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    86.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    18.134.221.88.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    18.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

    Filesize

    135KB

    MD5

    9e682f1eb98a9d41468fc3e50f907635

    SHA1

    85e0ceca36f657ddf6547aa0744f0855a27527ee

    SHA256

    830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

    SHA512

    230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

  • C:\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

    Filesize

    429KB

    MD5

    109f0f02fd37c84bfc7508d4227d7ed5

    SHA1

    ef7420141bb15ac334d3964082361a460bfdb975

    SHA256

    334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

    SHA512

    46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

  • C:\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

    Filesize

    1.2MB

    MD5

    556ea09421a0f74d31c4c0a89a70dc23

    SHA1

    f739ba9b548ee64b13eb434a3130406d23f836e3

    SHA256

    f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

    SHA512

    2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

  • C:\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

    Filesize

    81KB

    MD5

    7587bf9cb4147022cd5681b015183046

    SHA1

    f2106306a8f6f0da5afb7fc765cfa0757ad5a628

    SHA256

    c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

    SHA512

    0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

  • memory/1252-34-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1252-169-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/1252-166-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1252-39-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/1252-38-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/1252-36-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1948-9-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

  • memory/1948-8-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

  • memory/1948-28-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

  • memory/1948-27-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

  • memory/1948-32-0x0000000000400000-0x0000000000509000-memory.dmp

    Filesize

    1.0MB

  • memory/1948-33-0x0000000000400000-0x0000000000509000-memory.dmp

    Filesize

    1.0MB

  • memory/1948-25-0x0000000000400000-0x0000000000509000-memory.dmp

    Filesize

    1.0MB

  • memory/1948-24-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

  • memory/1948-17-0x0000000000400000-0x0000000000509000-memory.dmp

    Filesize

    1.0MB

  • memory/1948-26-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

  • memory/1948-40-0x0000000000400000-0x0000000000509000-memory.dmp

    Filesize

    1.0MB

  • memory/1948-2-0x00000000774C2000-0x00000000774C3000-memory.dmp

    Filesize

    4KB

  • memory/1948-10-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

  • memory/1948-11-0x00000000006A0000-0x00000000007A0000-memory.dmp

    Filesize

    1024KB

  • memory/1948-12-0x000000000040B000-0x000000000040C000-memory.dmp

    Filesize

    4KB

  • memory/1948-13-0x0000000000400000-0x0000000000509000-memory.dmp

    Filesize

    1.0MB

  • memory/1948-3-0x0000000002370000-0x0000000002371000-memory.dmp

    Filesize

    4KB