Analysis

  • max time kernel
    1797s
  • max time network
    1811s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    20-11-2020 14:34

General

  • Target

    0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

  • Downloads MZ/PE file
  • Executes dropped EXE ⋅ 3 IoCs
  • Loads dropped DLL ⋅ 3 IoCs
  • Reads user/profile data of web browsers ⋅ 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting ⋅ 2 TTPs
  • Checks installed software on the system ⋅ 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext ⋅ 2 IoCs
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry ⋅ 2 TTPs 1 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill ⋅ 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 3 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
    "C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe"
    Suspicious use of SetThreadContext
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:424
    • C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
      "C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:188
      • C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
        "{path}"
        Executes dropped EXE
        PID:1512
      • C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
        "{path}"
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c taskkill /pid 1304 & erase C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe & RD /S /Q C:\\ProgramData\\566008868267324\\* & exit
          Suspicious use of WriteProcessMemory
          PID:580
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /pid 1304
            Kills process with taskkill
            Suspicious use of AdjustPrivilegeToken
            PID:1324
    • C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
      "{path}"
      PID:2268

Network

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

      Execution

        Exfiltration

          Impact

            Initial Access

              Lateral Movement

                Persistence

                  Privilege Escalation

                    Replay Monitor

                    00:00 00:00

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
                    • C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
                    • C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
                    • C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
                    • \ProgramData\mozglue.dll
                    • \ProgramData\nss3.dll
                    • \ProgramData\sqlite3.dll
                    • memory/188-24-0x00000000081D0000-0x0000000008229000-memory.dmp
                    • memory/188-17-0x0000000000420000-0x0000000000421000-memory.dmp
                    • memory/188-14-0x0000000073D50000-0x000000007443E000-memory.dmp
                    • memory/188-10-0x0000000000000000-mapping.dmp
                    • memory/424-8-0x0000000006F10000-0x0000000006F57000-memory.dmp
                    • memory/424-3-0x00000000056F0000-0x00000000056F1000-memory.dmp
                    • memory/424-1-0x0000000000920000-0x0000000000921000-memory.dmp
                    • memory/424-9-0x0000000007000000-0x0000000007001000-memory.dmp
                    • memory/424-4-0x00000000052F0000-0x00000000052F1000-memory.dmp
                    • memory/424-0-0x0000000073D50000-0x000000007443E000-memory.dmp
                    • memory/424-7-0x0000000008990000-0x00000000089A4000-memory.dmp
                    • memory/424-6-0x0000000008DD0000-0x0000000008DD1000-memory.dmp
                    • memory/424-5-0x0000000005450000-0x0000000005451000-memory.dmp
                    • memory/580-38-0x0000000000000000-mapping.dmp
                    • memory/1304-28-0x0000000000417A8B-mapping.dmp
                    • memory/1304-30-0x0000000000400000-0x0000000000434000-memory.dmp
                    • memory/1304-27-0x0000000000400000-0x0000000000434000-memory.dmp
                    • memory/1324-39-0x0000000000000000-mapping.dmp
                    • memory/2268-16-0x0000000000400000-0x0000000000420000-memory.dmp
                    • memory/2268-15-0x000000000041A684-mapping.dmp
                    • memory/2268-13-0x0000000000400000-0x0000000000420000-memory.dmp