Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24-12-2024 03:47
Static task
static1
Behavioral task
behavioral1
Sample
Azygoses125.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Azygoses125.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20241023-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20241007-en
General
-
Target
Azygoses125.exe
-
Size
747KB
-
MD5
723e8d7420209e5658d32ebeaea45b9c
-
SHA1
1fab08989ece01ecd3f485d33a921dd553ccc393
-
SHA256
29807b7bbe150c4005266b07919615984fcc9dec19052ae262374635024c9e2b
-
SHA512
bd1bb8ee484f3d0768ce1afdbc4091e168613f0d162142f8fbf916bbcf5e5e40f43fecf1452976baf898abe4077db184efda918bbedc472016953fb7f6e470e4
-
SSDEEP
12288:hDGZKmormA1WTNBX5CN/8DCYz1JqAxQJuPLaDbguIsFFfDF/dvJimLQrU+UvdmBp:vmor/1WNBYN/iXqAxQJW0kTsF/im/mBp
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 1944 powershell.exe -
Loads dropped DLL 1 IoCs
pid Process 2948 Azygoses125.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\resources\unthick.ini Azygoses125.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Azygoses125.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1944 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1944 powershell.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2948 wrote to memory of 1944 2948 Azygoses125.exe 31 PID 2948 wrote to memory of 1944 2948 Azygoses125.exe 31 PID 2948 wrote to memory of 1944 2948 Azygoses125.exe 31 PID 2948 wrote to memory of 1944 2948 Azygoses125.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\Azygoses125.exe"C:\Users\Admin\AppData\Local\Temp\Azygoses125.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "$Okkupationers=gc -raw 'C:\Users\Admin\AppData\Local\magmaet\clenched\Gascon.Som';$Indyndendes=$Okkupationers.SubString(74357,3);.$Indyndendes($Okkupationers) "2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
33B
MD5e23f52386361095bdb7040b09e2216ae
SHA191f31dd82ab80140db621b6dce0b9b5d6b568723
SHA25636467321184a76e0fea592d2896856a37ec18fc8480de66f05d719d93b39d070
SHA51219d18de54b3466f0d283271786b3b308c3be07f21174c46563c4c16292716c52f2c1b85f416ed77143ea6847bfc4c4c37f22296948eac47499276b181f129b9c
-
Filesize
6KB
MD51b0e41f60564cccccd71347d01a7c397
SHA1b1bddd97765e9c249ba239e9c95ab32368098e02
SHA25613ebc725f3f236e1914fe5288ad6413798ad99bef38bfe9c8c898181238e8a10
SHA512b6d7925cdff358992b2682cf1485227204ce3868c981c47778dd6da32057a595caa933d8242c8d7090b0c54110d45fa8f935a1b4eec1e318d89cc0e44b115785