Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2024 19:30
Static task: static1
Behavioral task: behavioral1
  Sample: 0791c43de42272d1f5eb20ee67b0ad4194e2bb8f00975aa906605d8cd0c4c6a4.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 0791c43de42272d1f5eb20ee67b0ad4194e2bb8f00975aa906605d8cd0c4c6a4.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: jjhluxw.exe
  Resource: win7-20241010-en
Behavioral task: behavioral4
  Sample: jjhluxw.exe
  Resource: win10v2004-20241007-en
General
Target: 0791c43de42272d1f5eb20ee67b0ad4194e2bb8f00975aa906605d8cd0c4c6a4.exe
Size: 234KB
MD5: 38d378ff52ea3dba53a07eee3ed769c7
SHA1: 94181ebcbe353d496701681b6bd03e06c1c63751
SHA256: 0791c43de42272d1f5eb20ee67b0ad4194e2bb8f00975aa906605d8cd0c4c6a4
SHA512: ab096595c92f3bca5659b2156e3daed47f70dd8ab3ddff1506ff164a50fa4d15f2503776d43633056ebcb569255295f8f7af53a031f552da1a3f73d017c105cc
SSDEEP: 6144:gYa6oBsctoZqfq4S4JV2p9wubvEjRTsObhUXLbPp:gYxcCZqHp2prEVs+C7F
Malware Config
Extracted
  Family: azorult
  URL: http://141.98.6.162/office/index.php
Signatures
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Azorult family
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  2464  jjhluxw.exe
  2328  jjhluxw.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2892  0791c43de42272d1f5eb20ee67b0ad4194e2bb8f00975aa906605d8cd0c4c6a4.exe
  2464  jjhluxw.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process      target process
  PID 2464 set thread context of 2328  2464  jjhluxw.exe  jjhluxw.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0791c43de42272d1f5eb20ee67b0ad4194e2bb8f00975aa906605d8cd0c4c6a4.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jjhluxw.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jjhluxw.exe
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid   process
  2464  jjhluxw.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                       pid   process                                                                 target process
  PID 2892 wrote to memory of 2464  2892  0791c43de42272d1f5eb20ee67b0ad4194e2bb8f00975aa906605d8cd0c4c6a4.exe  jjhluxw.exe
  PID 2892 wrote to memory of 2464  2892  0791c43de42272d1f5eb20ee67b0ad4194e2bb8f00975aa906605d8cd0c4c6a4.exe  jjhluxw.exe
  PID 2892 wrote to memory of 2464  2892  0791c43de42272d1f5eb20ee67b0ad4194e2bb8f00975aa906605d8cd0c4c6a4.exe  jjhluxw.exe
  PID 2892 wrote to memory of 2464  2892  0791c43de42272d1f5eb20ee67b0ad4194e2bb8f00975aa906605d8cd0c4c6a4.exe  jjhluxw.exe
  PID 2464 wrote to memory of 2328  2464  jjhluxw.exe                                                             jjhluxw.exe
  PID 2464 wrote to memory of 2328  2464  jjhluxw.exe                                                             jjhluxw.exe
  PID 2464 wrote to memory of 2328  2464  jjhluxw.exe                                                             jjhluxw.exe
  PID 2464 wrote to memory of 2328  2464  jjhluxw.exe                                                             jjhluxw.exe
  PID 2464 wrote to memory of 2328  2464  jjhluxw.exe                                                             jjhluxw.exe
Processes
Process tree (child processes are indented under their parent):
C:\Users\Admin\AppData\Local\Temp\0791c43de42272d1f5eb20ee67b0ad4194e2bb8f00975aa906605d8cd0c4c6a4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0791c43de42272d1f5eb20ee67b0ad4194e2bb8f00975aa906605d8cd0c4c6a4.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2892
  C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe" C:\Users\Admin\AppData\Local\Temp\izwmcwjt.yhc
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 2464
    C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2328
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 6KB
  MD5: 19e06b8c8c60c69e11228b250568400a
  SHA1: 7c49e0aca8637c2adf258f98b1e7e45bcefaef53
  SHA256: fb8e5832ac5a98dd0ab1030628a559627279ae256593510b0fbc6da2a43f2ad8
  SHA512: e67eaebb28cab7784446cc3fbbdfb8fa3c4229225e4abdff26091a65f8adf8a912414a0bedd4b0458594776814c14f0f9cf9f18c71e3d3a75bef70b2056a389c
Filesize: 132KB
  MD5: f495dbd405842d0cee36e9ff9d3be29e
  SHA1: 35e5f6e880f2069a94d7cfa8847040fb1bb0c8e9
  SHA256: aa7ec70ab30285dcd735aa0c1feb12729c10198a4eb2ebcce50e3a1afca58da4
  SHA512: 44fd0a274c612094c150be66d4ab447d474f81900388fc8b1dbc9828a195bc43a05f6337132a1438612a6f329cc99880dba3c6eb997755e02713d877cc675e8c
Filesize: 108KB
  MD5: 5f16ae72eb6fbd3040d5d3c18c5ac304
  SHA1: 4e1604b5e763aa9f336996c75cb3e8436f16850f
  SHA256: 3b22459608be3d78066a25fdf807f6628de79c01799cd5e03095c2ae996bca16
  SHA512: 7ca61d0f536638094b67f8c7b12ab5ff4d234299f2365ab9cd7de78bd1d257195b6c112039761e2620a597a65d59cfd856790db075bef6d69afdaeb35d49286d