Overview

overview

10

Static

static

788fae56b0...c0.exe

windows7_x64

10

788fae56b0...c0.exe

windows10_x64

10

Analysis

  • max time kernel
    60s
  • max time network
    57s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    15-01-2021 12:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe

  • Size

    826KB

  • MD5

    4b1703f0fedf97b6fd5ed404a790236c

  • SHA1

    f9712dae7825a77bd33ed623ca335378a161c502

  • SHA256

    788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0

  • SHA512

    4c874f3e6288e7081cc84286aad67b8b344050d9c6559e0f05b676c6e75a9c8dca3b6cc9383bbf3946189d7eafdec078f25b162d0f63787ae419def7221a7da0

Score
10/10
azorultevasioninfostealertrojan

Malware Config

Extracted

Family

azorult

C2

http://al-ifah.com/PL341/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
    "C:\Users\Admin\AppData\Local\Temp\788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:292
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VkxqbQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE62A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:536
    • C:\Users\Admin\AppData\Local\Temp\788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
      "C:\Users\Admin\AppData\Local\Temp\788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe"
      2⤵
        PID:968
      • C:\Users\Admin\AppData\Local\Temp\788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
        "C:\Users\Admin\AppData\Local\Temp\788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe"
        2⤵
          PID:304

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Virtualization/Sandbox Evasion

      2
      T1497

      Credential Access

      Discovery

      Query Registry

      4
      T1012

      Virtualization/Sandbox Evasion

      2
      T1497

      System Information Discovery

      2
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpE62A.tmp
        MD5

        01197244e1013ffba1166394b20a7661

        SHA1

        ceaa55a513a052bec32aa023b8db88b4dbad92d9

        SHA256

        925e1ebb4cdd4631bc9cac604658e0ce7394e7be53f5fc54c8a17347c5904122

        SHA512

        7553285903e6edaff81c2ed7a9e38fe39ac9ab0e0cde407a458476c9d4157b1fe4cc5c767d377dc56dbc7336f3cc3f36ccb96d7844906e06928f28e004bfad35

        Download Submit
      • memory/292-2-0x00000000748A0000-0x0000000074F8E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/292-3-0x0000000000DA0000-0x0000000000DA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/292-5-0x0000000000510000-0x0000000000522000-memory.dmp
        Filesize

        72KB

        Download
      • memory/292-6-0x0000000004D20000-0x0000000004D74000-memory.dmp
        Filesize

        336KB

        Download
      • memory/304-9-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

        Download
      • memory/304-10-0x000000000041A684-mapping.dmp
        Download
      • memory/304-11-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

        Download
      • memory/520-12-0x000007FEF6B80000-0x000007FEF6DFA000-memory.dmp
        Filesize

        2.5MB

        Download
      • memory/536-7-0x0000000000000000-mapping.dmp
        Download