Malware Analysis Report

2024-11-15 10:21

Sample ID 241105-nke56sspcl
Target HATCH COVER REQ_AW24 New Order Request.exe
SHA256 f64a7307f5e75e2e73e93c5e2ed8009e8698e2c388a707afabbb756ecd0e1261
Tags
discovery azorult guloader downloader infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f64a7307f5e75e2e73e93c5e2ed8009e8698e2c388a707afabbb756ecd0e1261

Threat Level: Known bad

The file HATCH COVER REQ_AW24 New Order Request.exe was found to be: Known bad.

Malicious Activity Summary

discovery azorult guloader downloader infostealer trojan

Azorult

Azorult family

Guloader family

Guloader,Cloudeye

Loads dropped DLL

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 11:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-05 11:27

Reported

2024-11-05 11:29

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5052 wrote to memory of 4000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5052 wrote to memory of 4000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5052 wrote to memory of 4000 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4000 -ip 4000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 11:27

Reported

2024-11-05 11:29

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1920 set thread context of 1444 N/A C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\slutstrenge.tri C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\0409\Semiprofessionalized248\evaluxir.pra C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe

"C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe"

C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe

"C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 kenkyo.x24.eu udp
NL 5.255.110.9:443 kenkyo.x24.eu tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.82:80 r11.o.lencr.org tcp
US 8.8.8.8:53 cq4cq.icu udp
US 8.8.8.8:53 cq4cq.icu udp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.157:80 crl.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsyD395.tmp\System.dll

MD5 564bb0373067e1785cba7e4c24aab4bf
SHA1 7c9416a01d821b10b2eef97b80899d24014d6fc1
SHA256 7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
SHA512 22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

memory/1920-10-0x0000000002FE0000-0x0000000004DAF000-memory.dmp

memory/1920-11-0x00000000779E1000-0x0000000077AE2000-memory.dmp

memory/1920-12-0x00000000779E0000-0x0000000077B89000-memory.dmp

memory/1920-13-0x0000000002FE0000-0x0000000004DAF000-memory.dmp

memory/1920-15-0x0000000002FE0000-0x0000000004DAF000-memory.dmp

memory/1444-14-0x00000000779E0000-0x0000000077B89000-memory.dmp

memory/1444-16-0x00000000004B0000-0x0000000001512000-memory.dmp

memory/1444-30-0x00000000004B0000-0x0000000001512000-memory.dmp

memory/1444-31-0x00000000004B0000-0x0000000001512000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 11:27

Reported

2024-11-05 11:29

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

Guloader family

guloader

Guloader,Cloudeye

downloader guloader

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4504 set thread context of 4140 N/A C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\slutstrenge.tri C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\0409\Semiprofessionalized248\evaluxir.pra C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe

"C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe"

C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe

"C:\Users\Admin\AppData\Local\Temp\HATCH COVER REQ_AW24 New Order Request.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 kenkyo.x24.eu udp
NL 5.255.110.9:443 kenkyo.x24.eu tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.82:80 r11.o.lencr.org tcp
US 8.8.8.8:53 9.110.255.5.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 82.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 cq4cq.icu udp
US 8.8.8.8:53 cq4cq.icu udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsbAF9A.tmp\System.dll

MD5 564bb0373067e1785cba7e4c24aab4bf
SHA1 7c9416a01d821b10b2eef97b80899d24014d6fc1
SHA256 7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
SHA512 22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

memory/4504-9-0x0000000002AD0000-0x000000000489F000-memory.dmp

memory/4504-10-0x0000000077471000-0x0000000077591000-memory.dmp

memory/4504-12-0x0000000074165000-0x0000000074166000-memory.dmp

memory/4504-11-0x0000000002AD0000-0x000000000489F000-memory.dmp

memory/4504-13-0x0000000002AD0000-0x000000000489F000-memory.dmp

memory/4140-14-0x0000000001710000-0x00000000034DF000-memory.dmp

memory/4140-21-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/4140-22-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/4140-23-0x0000000000060000-0x0000000000087000-memory.dmp

memory/4140-24-0x00000000004B0000-0x0000000001704000-memory.dmp

memory/4140-25-0x0000000001710000-0x00000000034DF000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-05 11:27

Reported

2024-11-05 11:29

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 220

Network

N/A

Files

N/A