Overview

overview

10

Static

static

22f28d25bf...b1.exe

windows7_x64

10

22f28d25bf...b1.exe

windows10_x64

10

Analysis

  • max time kernel
    60s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    05-11-2020 18:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22f28d25bf6b26e0d79836e03efe49e325a6eea6b06dfea97a03c62a578f7fb1.exe

  • Size

    1.9MB

  • MD5

    a6c9c1928c989b8f9197f438b672e2cc

  • SHA1

    76408657d60ea841f68cb78d37793e62b721014c

  • SHA256

    22f28d25bf6b26e0d79836e03efe49e325a6eea6b06dfea97a03c62a578f7fb1

  • SHA512

    b9d4e00975bcee7f08735ec987410cb5be4a41bfed7aff4f79b936e28e827b9a20755dbc46a691267111db33a6dcb148d132580dd8170d3ef2e0cda80b7bc2f5

Score
10/10
azorultevasioninfostealertrojan

Malware Config

Extracted

Family

azorult

C2

http://qdrenfa.com/~zadmin/lk/a/az/ch/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Windows security modification 2 TTPs 10 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22f28d25bf6b26e0d79836e03efe49e325a6eea6b06dfea97a03c62a578f7fb1.exe
    "C:\Users\Admin\AppData\Local\Temp\22f28d25bf6b26e0d79836e03efe49e325a6eea6b06dfea97a03c62a578f7fb1.exe"
    1⤵
    • Windows security modification
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Windows\SysWOW64\timeout.exe
      timeout 4
      2⤵
      • Delays execution with timeout.exe
      PID:2160
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\22f28d25bf6b26e0d79836e03efe49e325a6eea6b06dfea97a03c62a578f7fb1.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4040
    • C:\Users\Admin\AppData\Local\Temp\22f28d25bf6b26e0d79836e03efe49e325a6eea6b06dfea97a03c62a578f7fb1.exe
      "C:\Users\Admin\AppData\Local\Temp\22f28d25bf6b26e0d79836e03efe49e325a6eea6b06dfea97a03c62a578f7fb1.exe"
      2⤵
        PID:3872
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 2060
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3988

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2160-4-0x0000000000000000-mapping.dmp
      Download
    • memory/3872-17-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/3872-20-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/3872-18-0x000000000041A684-mapping.dmp
      Download
    • memory/3980-1-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3980-3-0x0000000005900000-0x0000000005901000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3980-5-0x0000000001A60000-0x0000000001AC2000-memory.dmp
      Filesize

      392KB

      Download
    • memory/3980-6-0x0000000007140000-0x0000000007141000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3980-0-0x0000000073E00000-0x00000000744EE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3988-24-0x00000000057E0000-0x00000000057E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3988-21-0x0000000004FA0000-0x0000000004FA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4040-8-0x0000000073E00000-0x00000000744EE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/4040-9-0x0000000004650000-0x0000000004651000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4040-14-0x0000000007AE0000-0x0000000007AE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4040-15-0x00000000072C0000-0x00000000072C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4040-16-0x00000000081F0000-0x00000000081F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4040-12-0x0000000007170000-0x0000000007171000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4040-11-0x00000000070D0000-0x00000000070D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4040-19-0x0000000008140000-0x0000000008141000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4040-10-0x0000000007360000-0x0000000007361000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4040-13-0x0000000007250000-0x0000000007251000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4040-7-0x0000000000000000-mapping.dmp
      Download
    • memory/4040-28-0x0000000008F30000-0x0000000008F63000-memory.dmp
      Filesize

      204KB

      Download
    • memory/4040-35-0x0000000008F10000-0x0000000008F11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4040-36-0x0000000009280000-0x0000000009281000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4040-37-0x0000000009430000-0x0000000009431000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4040-38-0x00000000093E0000-0x00000000093E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4040-40-0x00000000093D0000-0x00000000093D1000-memory.dmp
      Filesize

      4KB

      Download