azorult | 2084b62c05ac13dfa48fde86f237473d35f3f169c030b829ceb49f3005b6451c

Analysis

max time kernel
55s
max time network
54s
platform
windows7_x64
resource
win7v20201028
submitted
07-04-2021 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG_767893434432.scr
Size

360KB
MD5

641e970f32447644bd26570d3be688a1
SHA1

fb4aac120c7d4543326e06f1438a570a62524b86
SHA256

2084b62c05ac13dfa48fde86f237473d35f3f169c030b829ceb49f3005b6451c
SHA512

6b89cb2faa64a2345a61792c5ac577b73aa11d9072185ab2f31a2b61a5c1d68784cf85d5702941ba5ef9c5bd8f82cb53113906a4e437cb7648e307d043904bbe

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

https://sterline.lt/lokk/32/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Nirsoft 13 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe

pid process

1084 AdvancedRun.exe
568 AdvancedRun.exe
856 AdvancedRun.exe
1340 AdvancedRun.exe

Loads dropped DLL 8 IoCs

Processes:

IMG_767893434432.scrAdvancedRun.exeAdvancedRun.exe

pid	process
1888	IMG_767893434432.scr
1888	IMG_767893434432.scr
1084	AdvancedRun.exe
1084	AdvancedRun.exe
1888	IMG_767893434432.scr
1888	IMG_767893434432.scr
856	AdvancedRun.exe
856	AdvancedRun.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

IMG_767893434432.scr

description pid process target process

PID 1888 set thread context of 1396 1888 IMG_767893434432.scr IMG_767893434432.scr
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1888 set thread context of 1396	1888	IMG_767893434432.scr	IMG_767893434432.scr

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeIMG_767893434432.scr

pid	process
1084	AdvancedRun.exe
1084	AdvancedRun.exe
568	AdvancedRun.exe
568	AdvancedRun.exe
856	AdvancedRun.exe
856	AdvancedRun.exe
1340	AdvancedRun.exe
1340	AdvancedRun.exe
1888	IMG_767893434432.scr
1888	IMG_767893434432.scr

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

IMG_767893434432.scrAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe

description	pid	process
Token: SeDebugPrivilege	1888	IMG_767893434432.scr
Token: SeDebugPrivilege	1084	AdvancedRun.exe
Token: SeImpersonatePrivilege	1084	AdvancedRun.exe
Token: SeDebugPrivilege	568	AdvancedRun.exe
Token: SeImpersonatePrivilege	568	AdvancedRun.exe
Token: SeDebugPrivilege	856	AdvancedRun.exe
Token: SeImpersonatePrivilege	856	AdvancedRun.exe
Token: SeDebugPrivilege	1340	AdvancedRun.exe
Token: SeImpersonatePrivilege	1340	AdvancedRun.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

IMG_767893434432.scrAdvancedRun.exeAdvancedRun.exe

description	pid	process	target process
PID 1888 wrote to memory of 1084	1888	IMG_767893434432.scr	AdvancedRun.exe
PID 1888 wrote to memory of 1084	1888	IMG_767893434432.scr	AdvancedRun.exe
PID 1888 wrote to memory of 1084	1888	IMG_767893434432.scr	AdvancedRun.exe
PID 1888 wrote to memory of 1084	1888	IMG_767893434432.scr	AdvancedRun.exe
PID 1084 wrote to memory of 568	1084	AdvancedRun.exe	AdvancedRun.exe
PID 1084 wrote to memory of 568	1084	AdvancedRun.exe	AdvancedRun.exe
PID 1084 wrote to memory of 568	1084	AdvancedRun.exe	AdvancedRun.exe
PID 1084 wrote to memory of 568	1084	AdvancedRun.exe	AdvancedRun.exe
PID 1888 wrote to memory of 856	1888	IMG_767893434432.scr	AdvancedRun.exe
PID 1888 wrote to memory of 856	1888	IMG_767893434432.scr	AdvancedRun.exe
PID 1888 wrote to memory of 856	1888	IMG_767893434432.scr	AdvancedRun.exe
PID 1888 wrote to memory of 856	1888	IMG_767893434432.scr	AdvancedRun.exe
PID 856 wrote to memory of 1340	856	AdvancedRun.exe	AdvancedRun.exe
PID 856 wrote to memory of 1340	856	AdvancedRun.exe	AdvancedRun.exe
PID 856 wrote to memory of 1340	856	AdvancedRun.exe	AdvancedRun.exe
PID 856 wrote to memory of 1340	856	AdvancedRun.exe	AdvancedRun.exe
PID 1888 wrote to memory of 1396	1888	IMG_767893434432.scr	IMG_767893434432.scr
PID 1888 wrote to memory of 1396	1888	IMG_767893434432.scr	IMG_767893434432.scr
PID 1888 wrote to memory of 1396	1888	IMG_767893434432.scr	IMG_767893434432.scr
PID 1888 wrote to memory of 1396	1888	IMG_767893434432.scr	IMG_767893434432.scr
PID 1888 wrote to memory of 1396	1888	IMG_767893434432.scr	IMG_767893434432.scr
PID 1888 wrote to memory of 1396	1888	IMG_767893434432.scr	IMG_767893434432.scr
PID 1888 wrote to memory of 1396	1888	IMG_767893434432.scr	IMG_767893434432.scr
PID 1888 wrote to memory of 1396	1888	IMG_767893434432.scr	IMG_767893434432.scr
PID 1888 wrote to memory of 1396	1888	IMG_767893434432.scr	IMG_767893434432.scr
PID 1888 wrote to memory of 1396	1888	IMG_767893434432.scr	IMG_767893434432.scr

C:\Users\Admin\AppData\Local\Temp\IMG_767893434432.scr
"C:\Users\Admin\AppData\Local\Temp\IMG_767893434432.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 1084
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 856
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Users\Admin\AppData\Local\Temp\IMG_767893434432.scr
C:\Users\Admin\AppData\Local\Temp\IMG_767893434432.scr
2⤵
PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/568-24-0x0000000000000000-mapping.dmp

Download
memory/856-29-0x0000000000000000-mapping.dmp

Download
memory/1084-20-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download
memory/1084-18-0x0000000000000000-mapping.dmp

Download
memory/1340-34-0x0000000000000000-mapping.dmp

Download
memory/1396-37-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1396-38-0x000000000041A1F8-mapping.dmp

Download
memory/1396-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1628-40-0x000007FEF5FA0000-0x000007FEF621A000-memory.dmp

Filesize
2.5MB

Download
memory/1888-5-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/1888-2-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/1888-6-0x00000000006B0000-0x00000000006B2000-memory.dmp

Filesize
8KB

Download
memory/1888-3-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1888-7-0x0000000004B80000-0x0000000004BD3000-memory.dmp

Filesize
332KB

Download