azorult | 8f4d9fec8d65f36cc3379135373703612b13d644c2e92ef15e4100d77bef4f4d

Analysis

max time kernel
59s
max time network
62s
platform
windows10_x64
resource
win10v20201028
submitted
04-03-2021 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Autodesk_AutoCAD_keygen_by_KeygenNinja.exe
Size

8.6MB
MD5

26fb5cbb439c37c7437c43951b56a9e8
SHA1

ffe7d540afd6410bd69e502d47252930a1411f73
SHA256

ced746e74fedf490bf79b1c68c9e15290c33f42df5fd2281a13708fae54c8ea7
SHA512

f0a24019707d4ec9e8477037d2d2f83c511a0e4dc9aa0a0c7a4f97b4a8ab1ac1a5618145fc628068c326856cc0cf9e3c697489cdd4b0d92a369ebd54b5391a78

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Executes dropped EXE 3 IoCs

pid	Process
3552	keygen-pr.exe
3744	keygen-step-1.exe
3452	keygen-step-3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 2724	3584	Autodesk_AutoCAD_keygen_by_KeygenNinja.exe	78
PID 3584 wrote to memory of 2724	3584	Autodesk_AutoCAD_keygen_by_KeygenNinja.exe	78
PID 3584 wrote to memory of 2724	3584	Autodesk_AutoCAD_keygen_by_KeygenNinja.exe	78
PID 2724 wrote to memory of 3552	2724	cmd.exe	81
PID 2724 wrote to memory of 3552	2724	cmd.exe	81
PID 2724 wrote to memory of 3552	2724	cmd.exe	81
PID 2724 wrote to memory of 3744	2724	cmd.exe	82
PID 2724 wrote to memory of 3744	2724	cmd.exe	82
PID 2724 wrote to memory of 3744	2724	cmd.exe	82
PID 2724 wrote to memory of 3452	2724	cmd.exe	83
PID 2724 wrote to memory of 3452	2724	cmd.exe	83
PID 2724 wrote to memory of 3452	2724	cmd.exe	83
PID 2724 wrote to memory of 3892	2724	cmd.exe	84
PID 2724 wrote to memory of 3892	2724	cmd.exe	84
PID 2724 wrote to memory of 3892	2724	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\Autodesk_AutoCAD_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\Autodesk_AutoCAD_keygen_by_KeygenNinja.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    PID:3552
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      PID:2908
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:3744
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    PID:3452
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      PID:3576
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      PID:3104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads