Analysis

  • max time kernel
    36s
  • max time network
    37s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/12/2024, 18:13 UTC

General

  • Target: GigaloadPayload (12345).exe
  • Size: 3.9MB
  • MD5: b9406604f5de550f91f2e8afbf7ccb48
  • SHA1: 89668040f222864fe263593c7691320cd6947cc7
  • SHA256: a358a32d3298e53eb7a94c199985f5170c760f21af0dee7906e9072cd157ed59
  • SHA512: 84b672fdae327620044ed4c4d4ab9f38423f113c96eae29a752331b4f61bddc9cd519c84dd4f0ccc065131ebdc8c87901164bba089bdff6e897573acd1d6d926
  • SSDEEP: 98304:ehyDwycvLyZOaBukBPk76NJ0tsxIDBGRZqGQ0nu0:ehyDwy2QBuKseIWZqKu0

Malware Config

Extracted

  • Family: azorult
  • C2: http://upqx.ru/1210776429.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Azorult family
  • Pony family
  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GigaloadPayload (12345).exe
    "C:\Users\Admin\AppData\Local\Temp\GigaloadPayload (12345).exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:436
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe
        keygen-pj.exe -pAevKviq48c
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3904
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Accesses Microsoft Outlook accounts
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_win_path
          PID:2028
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240614546.bat" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe" "
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3496
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
        keygen-step-1.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3252
      • C:\Windows\System32\control.exe
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4804
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4464
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:5032

Network

DNS queries (all sent to 8.8.8.8:53; the process is noted where the report attributes one):

  • 8.8.8.8.in-addr.arpa IN PTR → dns.google
  • 196.249.167.52.in-addr.arpa IN PTR → (empty response)
  • 88.210.23.2.in-addr.arpa IN PTR → a2-23-210-88.deploy.static.akamaitechnologies.com
  • 140.32.126.40.in-addr.arpa IN PTR → (empty response)
  • 95.221.229.192.in-addr.arpa IN PTR → (empty response)
  • upqx.ru IN A (keygen-step-1.exe) → 185.180.231.18
  • 228.249.119.40.in-addr.arpa IN PTR → (empty response)
  • 18.231.180.185.in-addr.arpa IN PTR → vm2545892.firstbyte.club
  • 200.163.202.172.in-addr.arpa IN PTR → (empty response)
  • 198.187.3.20.in-addr.arpa IN PTR → (empty response)
  • 172.210.232.199.in-addr.arpa IN PTR → (empty response)

HTTP (flag: ru; remote address 185.180.231.18:80; process keygen-step-1.exe):

  • POST http://upqx.ru/1210776429.php

    Request
    POST /1210776429.php HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
    Host: upqx.ru
    Content-Length: 109
    Cache-Control: no-cache

    Response
    HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Sun, 01 Dec 2024 18:14:08 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Vary: Accept-Encoding
Connections (remote address, name, protocol, process where attributed, bytes, packets):

  • 185.180.231.18:80, http://upqx.ru/1210776429.php, http, keygen-step-1.exe, bytes 544 B / 437 B, packets 6 / 5
    HTTP Request: POST http://upqx.ru/1210776429.php
    HTTP Response: 200
  • 8.8.8.8:53, 8.8.8.8.in-addr.arpa, dns, bytes 66 B / 90 B, packets 1 / 1
    DNS Request: 8.8.8.8.in-addr.arpa
  • 8.8.8.8:53, 196.249.167.52.in-addr.arpa, dns, bytes 73 B / 147 B, packets 1 / 1
    DNS Request: 196.249.167.52.in-addr.arpa
  • 8.8.8.8:53, 88.210.23.2.in-addr.arpa, dns, bytes 70 B / 133 B, packets 1 / 1
    DNS Request: 88.210.23.2.in-addr.arpa
  • 8.8.8.8:53, 140.32.126.40.in-addr.arpa, dns, bytes 72 B / 158 B, packets 1 / 1
    DNS Request: 140.32.126.40.in-addr.arpa
  • 8.8.8.8:53, 95.221.229.192.in-addr.arpa, dns, bytes 73 B / 144 B, packets 1 / 1
    DNS Request: 95.221.229.192.in-addr.arpa
  • 8.8.8.8:53, upqx.ru, dns, keygen-step-1.exe, bytes 53 B / 69 B, packets 1 / 1
    DNS Request: upqx.ru
    DNS Response: 185.180.231.18
  • 8.8.8.8:53, 228.249.119.40.in-addr.arpa, dns, bytes 73 B / 159 B, packets 1 / 1
    DNS Request: 228.249.119.40.in-addr.arpa
  • 8.8.8.8:53, 18.231.180.185.in-addr.arpa, dns, bytes 73 B / 111 B, packets 1 / 1
    DNS Request: 18.231.180.185.in-addr.arpa
  • 8.8.8.8:53, 200.163.202.172.in-addr.arpa, dns, bytes 74 B / 160 B, packets 1 / 1
    DNS Request: 200.163.202.172.in-addr.arpa
  • 8.8.8.8:53, 198.187.3.20.in-addr.arpa, dns, bytes 71 B / 157 B, packets 1 / 1
    DNS Request: 198.187.3.20.in-addr.arpa
  • 8.8.8.8:53, 172.210.232.199.in-addr.arpa, dns, bytes 74 B / 128 B, packets 1 / 1
    DNS Request: 172.210.232.199.in-addr.arpa
MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\240614546.bat
    Filesize: 94B
    MD5: 3880eeb1c736d853eb13b44898b718ab
    SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
    SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
    SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe
    Filesize: 363KB
    MD5: c0f34f38475aa244c9c8696aeed709a5
    SHA1: 0194b56c80c4b5192873400fdc96ce7d8df682a2
    SHA256: 831c985a5c9cc76c7c3de456f2eafeeba65a8930ef5e2aecc69fc7bd739f1046
    SHA512: 15defe7601a9d49325719b746422ddc60492935d3e34db058ed7f726cfeff0b3dac6faf2bcb9113ce14bdf9e8d295bef33931fd23e58c995cc6a4f42fa310ced

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    Filesize: 112KB
    MD5: 43eb47b71c9f1003adc2d0f108d2679c
    SHA1: 5965eb51d289dc79ab56cb995d47f371472d4846
    SHA256: 913ee402508d3b9e7e55e1051f16a358ce78c19b4e07c6f234f4b73602802fa1
    SHA512: 7713cfcf2e1aae2ddc4dab14f4f7f1a4f5a414f87f75a2371fe261edceb9882b935a6044dd0fd1b88fc11cc9b044672fb14a91987806e3afff9df74fd6f5eee0

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl
    Filesize: 3.5MB
    MD5: f79d41dcfd84fd36b9cd7179785d6e80
    SHA1: 2f3b1ee36156f0a443c0ae0628a3229c9068b06f
    SHA256: 0d3056fb280d3ad7ff3e72fd285ecdf6ab1bedab3165386e58f7a76b84d9f275
    SHA512: b42accfe5dd52f0c0299ff74ea4f85b20335c8fc9f0b80437e69c1f9378bb2259d58ca52fc89cb093d6d3bd43673c8e49dc97872b7025e3164488e162f25ed71

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat
    Filesize: 97B
    MD5: b7da5b5251bfd8f57cbac943155601a9
    SHA1: 133751b2b7a68a92ad1e21417dd4d2b1d44cc2da
    SHA256: 023d11aa3cbc04bc1591c0bb608f35da7c124f8a30c57accaf6be067b889c2ee
    SHA512: 7e71857c603dee06fc7a63a8a0e7cfb7f18d24b676c0a3df45f5b011f638a84faf4bb5d69ebc2c5a998482c4bbad1b726c43aa6e5669d3762f263a56d4e47368

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
    Filesize: 103KB
    MD5: 2fbf80a7ba32f036bb97a2d0d909283c
    SHA1: ed00a832320f3806ef3ecacfb54356e55b8e713f
    SHA256: aaa583789b2a7d918ab2654f48b2f401588f43f8b835ea176ea4276c59bed4ee
    SHA512: a74ec6ffc270d3800f673aa83a76d6dc59857a71791470a4e09653bbfc18ec192b8949566ab15adaf923a3f9b54d568f6de93ad36df70357450d3effb09160ef

  • memory/3252-25-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize: 128KB
