Analysis

  • max time kernel
    143s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-12-2024 19:25

General

  • Target

    Corona-virus-Map.com.exe

  • Size

    3.3MB

  • MD5

    73da2c02c6f8bfd4662dc84820dcd983

  • SHA1

    949b69bf87515ad8945ce9a79f68f8b788c0ae39

  • SHA256

    2b35aa9c70ef66197abfb9bc409952897f9f70818633ab43da85b3825b256307

  • SHA512

    43daa65bc057abc5e07b909eb71361c8488863c7c8a4a271b426b06cb8c16d3f7db8e66051627a50d392ff088cd619e00a7ac075454dccf901a4271251c9c6e3

  • SSDEEP

    98304:r2cPK8o4ZhHpmaFDh62Z4BDksIslSOkXvR:iCKCZho6k2IDks/b8Z

Malware Config

Extracted

Family

azorult

C2

http://coronavirusstatus.space/index.php

Signatures

  • Azorult

    An information stealer, first discovered in 2016, that targets browsing history and saved passwords.

  • Azorult family
  • Sets file to hidden (1 TTP, 1 IoC)

    Modifies file attributes so that the file is not shown in Explorer and similar file browsers.

  • ACProtect 1.3x - 1.4x DLL software (1 IoC)

    Detects a file protected with ACProtect software.

  • Checks computer location settings (2 TTPs, 4 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (10 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP address.

  • AutoIT Executable (20 IoCs)

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory (2 IoCs)
  • UPX packed file (27 IoCs)

    Detects executables packed with the UPX open source packer or a modified variant of it.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 21 IoCs)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • System Time Discovery (1 TTP, 2 IoCs)

    An adversary may gather the system time and/or time zone settings from a local or remote system.

  • NTFS ADS (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (30 IoCs)
  • Views/modifies file attributes (1 TTP, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Corona-virus-Map.com.exe
    "C:\Users\Admin\AppData\Local\Temp\Corona-virus-Map.com.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Users\Admin\AppData\Roaming\Z11062600\Corona.exe
      "C:\Users\Admin\AppData\Roaming\Z11062600\Corona.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3084
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Corona.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3040
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Corona.sfx.exe
          Corona.sfx.exe -p3D2oetdNuZUqQHPJmcMDDHYoqkyNVsFk9r -dC:\Windows\System32
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3064
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Corona.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Corona.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4004
            • C:\Users\Admin\AppData\Roaming\Z58538177\bin.exe
              "C:\Users\Admin\AppData\Roaming\Z58538177\bin.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2908
            • C:\Users\Admin\AppData\Roaming\Z58538177\Build.exe
              "C:\Users\Admin\AppData\Roaming\Z58538177\Build.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • NTFS ADS
              • Suspicious use of WriteProcessMemory
              PID:4664
              • C:\Users\Admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.exe
                C:\Users\Admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.exe
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • NTFS ADS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:4216
                • C:\Users\Admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.module.exe
                  C:\Users\Admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\ENU_801FE97FC252B45E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\1\*"
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • System Time Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3288
                • C:\Windows\SysWOW64\attrib.exe
                  attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml"
                  8⤵
                  • Sets file to hidden
                  • System Location Discovery: System Language Discovery
                  • System Time Discovery
                  • Views/modifies file attributes
                  PID:4672
    • C:\Users\Admin\AppData\Roaming\Z11062600\Corona-virus-Map.com.exe
      "C:\Users\Admin\AppData\Roaming\Z11062600\Corona-virus-Map.com.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1576
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 2836
        3⤵
        • Program crash
        PID:2648
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1576 -ip 1576
    1⤵
    PID:4696
  • C:\Users\Admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.exe
    C:\Users\Admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    PID:2088
  • C:\Users\Admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.exe
    C:\Users\Admin\AppData\Roaming\amd64_netfx4-system.runti..dowsruntime.ui.xaml\Windows.Globalization.Fontgroups.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    PID:3184
