azorult | 83dd85f70cd56a5bb4973cc60b50a9b736a14c64a1522abf1ddbae4ba35ae4ee

Analysis

max time kernel
59s
max time network
65s
platform
windows10_x64
resource
win10v20201028
submitted
05-03-2021 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Raxco.Perfect.Registry.2.0.0.2.key.code.generator.exe
Size

8.6MB
MD5

4c5d5630a17759bff9cb25a75a6de902
SHA1

7e30a081298ef34a5f7db00607f10c72464e4c96
SHA256

45411d2b5bf4e2d0e75af577252aba0a84ccc51e7b05e9b67a54390bb7aab8d8
SHA512

09d2a7fa28f88dd5c622b99318a7d68b1c3f9f6fa3edbe589cb067478dba73e790346b967599dde0745e8afeded0096c99d796206f691c34c903c97a01db80f3

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Executes dropped EXE 3 IoCs

pid	Process
4052	keygen-pr.exe
4084	keygen-step-1.exe
2056	keygen-step-3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 3188	4700	Raxco.Perfect.Registry.2.0.0.2.key.code.generator.exe	78
PID 4700 wrote to memory of 3188	4700	Raxco.Perfect.Registry.2.0.0.2.key.code.generator.exe	78
PID 4700 wrote to memory of 3188	4700	Raxco.Perfect.Registry.2.0.0.2.key.code.generator.exe	78
PID 3188 wrote to memory of 4052	3188	cmd.exe	81
PID 3188 wrote to memory of 4052	3188	cmd.exe	81
PID 3188 wrote to memory of 4052	3188	cmd.exe	81
PID 3188 wrote to memory of 4084	3188	cmd.exe	82
PID 3188 wrote to memory of 4084	3188	cmd.exe	82
PID 3188 wrote to memory of 4084	3188	cmd.exe	82
PID 3188 wrote to memory of 2056	3188	cmd.exe	83
PID 3188 wrote to memory of 2056	3188	cmd.exe	83
PID 3188 wrote to memory of 2056	3188	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\Raxco.Perfect.Registry.2.0.0.2.key.code.generator.exe
"C:\Users\Admin\AppData\Local\Temp\Raxco.Perfect.Registry.2.0.0.2.key.code.generator.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      PID:1632
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:4084
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    PID:2056
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads