Analysis
- max time kernel: 126s
- max time network: 129s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 07-04-2021 06:01

Static task: static1
Behavioral task: behavioral1
- Sample: IMG_767893434432.scr
- Resource: win7v20201028
General
- Target: IMG_767893434432.scr
- Size: 360KB
- MD5: 641e970f32447644bd26570d3be688a1
- SHA1: fb4aac120c7d4543326e06f1438a570a62524b86
- SHA256: 2084b62c05ac13dfa48fde86f237473d35f3f169c030b829ceb49f3005b6451c
- SHA512: 6b89cb2faa64a2345a61792c5ac577b73aa11d9072185ab2f31a2b61a5c1d68784cf85d5702941ba5ef9c5bd8f82cb53113906a4e437cb7648e307d043904bbe
Malware Config
Extracted
- family: azorult
- C2 URL (from the sample's embedded config): https://sterline.lt/lokk/32/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Nirsoft 5 IoCs
Processes:
resource                                            yara_rule
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe   Nirsoft   (same file matched 5 times)
Note: the YARA rule identifies NirSoft's AdvancedRun utility, a legitimate tool; the hit alone is not evidence of malicious code. What matters is how the sample uses it (see the process tree below: stopping the WinDefend service and deleting the Defender ProgramData directory).
Executes dropped EXE 4 IoCs
Processes:
pid    process
340    AdvancedRun.exe
3660   AdvancedRun.exe
2320   AdvancedRun.exe
3200   AdvancedRun.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process                 target process
PID 504 set thread context of 3808   504   IMG_767893434432.scr    IMG_767893434432.scr
Note: the parent (PID 504) writes into a second copy of its own image (PID 3808, nine WriteProcessMemory calls in the table below) and then resets that copy's thread context. Together with the 0x400000-0x420000 dump of PID 3808 in the memory list, this is consistent with process hollowing of a freshly spawned self-copy; the sandbox does not record whether the child was created suspended, so that part is inference from the API pairing.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text adds "likely ransomware behaviour", but nothing else in this report (no file-encryption or ransom-note signatures) supports that reading; for a stealer such as Azorult, drive enumeration is better read as locating files to harvest.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description         ioc                                                                                        process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString      IMG_767893434432.scr
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                          IMG_767893434432.scr
Modifies system certificate store 2 IoCs
Processes:
description        ioc                                                                                                                    process
Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349          IMG_767893434432.scr
Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted]   IMG_767893434432.scr
Note: HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates is also where Windows' automatic root-certificate update stores roots it fetches on demand, typically when a process first builds a TLS chain it has not seen. A single new AuthRoot entry in a sample whose C2 is an HTTPS URL is therefore weak evidence of deliberate trust-store tampering on its own; check the thumbprint against the Microsoft Trusted Root Program list before treating it as an attacker-installed root.
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
pid    process                 occurrences
340    AdvancedRun.exe         4
3660   AdvancedRun.exe         4
2320   AdvancedRun.exe         4
3200   AdvancedRun.exe         4
504    IMG_767893434432.scr    6
3808   IMG_767893434432.scr    2
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description                     pid    process
Token: SeDebugPrivilege         504    IMG_767893434432.scr
Token: SeDebugPrivilege         340    AdvancedRun.exe
Token: SeImpersonatePrivilege   340    AdvancedRun.exe
Token: SeDebugPrivilege         3660   AdvancedRun.exe
Token: SeImpersonatePrivilege   3660   AdvancedRun.exe
Token: SeDebugPrivilege         2320   AdvancedRun.exe
Token: SeImpersonatePrivilege   2320   AdvancedRun.exe
Token: SeDebugPrivilege         3200   AdvancedRun.exe
Token: SeImpersonatePrivilege   3200   AdvancedRun.exe
Note: SeDebugPrivilege in the parent is what it needs to write into and re-point the thread of another process; SeDebugPrivilege plus SeImpersonatePrivilege in every AdvancedRun instance is consistent with the tool obtaining another account's token for its /RunAs 8 (TrustedInstaller) mode.
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
source pid   source process          target pid   target process          writes
504          IMG_767893434432.scr    340          AdvancedRun.exe         3
340          AdvancedRun.exe         3660         AdvancedRun.exe         3
504          IMG_767893434432.scr    2320         AdvancedRun.exe         3
2320         AdvancedRun.exe         3200         AdvancedRun.exe         3
504          IMG_767893434432.scr    2072         IMG_767893434432.scr    3
504          IMG_767893434432.scr    3808         IMG_767893434432.scr    9
Note: every process the sample or AdvancedRun launched received the same three writes, including the first self-copy (PID 2072), so three writes are the baseline for process creation here. Only the second self-copy (PID 3808) received more (nine writes) and is also the target of the SetThreadContext call above; that is the injection chain.
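The SetThreadContext and WriteProcessMemory tables above are the raw material a hollowing detector correlates. The following Python is an added example, not part of the sandbox report or its tooling: it replays event records constructed from those two tables, groups them per source-to-target pair, and separates the parent's nine writes plus SetThreadContext into PID 3808 from the three start-up writes every child received. The record layout, the three-write baseline and the verdict labels are this example's own assumptions.

```python
"""Correlate sandbox API events into process-injection chains.

Added example; it is not part of the sandbox report or its tooling. The
event records are constructed from the report's WriteProcessMemory and
SetThreadContext tables. Field layout and the three-write baseline are
this example's own assumptions.
"""
from collections import defaultdict

SCR = "IMG_767893434432.scr"
ADV = "AdvancedRun.exe"

# Constructed from the report: (api, source_pid, source_image, target_pid, target_image)
EVENTS = (
    [("WriteProcessMemory", 504, SCR, 340, ADV)] * 3
    + [("WriteProcessMemory", 340, ADV, 3660, ADV)] * 3
    + [("WriteProcessMemory", 504, SCR, 2320, ADV)] * 3
    + [("WriteProcessMemory", 2320, ADV, 3200, ADV)] * 3
    + [("WriteProcessMemory", 504, SCR, 2072, SCR)] * 3
    + [("WriteProcessMemory", 504, SCR, 3808, SCR)] * 9
    + [("SetThreadContext", 504, SCR, 3808, SCR)]
)

# Assumption drawn from this report: every child the sample launched received
# exactly three writes at start-up, so that many writes alone is process
# creation noise, not an injected payload.
BASELINE_WRITES = 3


def correlate(events):
    """Group events by (source pid, source image, target pid, target image)."""
    chains = defaultdict(lambda: {"writes": 0, "set_thread_context": False})
    for api, spid, simg, tpid, timg in events:
        key = (spid, simg, tpid, timg)
        if api == "WriteProcessMemory":
            chains[key]["writes"] += 1
        elif api == "SetThreadContext":
            chains[key]["set_thread_context"] = True
    return dict(chains)


def classify(key, stats):
    """Label one source->target chain."""
    _, simg, _, timg = key
    same_image = simg.lower() == timg.lower()
    if stats["set_thread_context"] and stats["writes"] > BASELINE_WRITES:
        # Payload written into the target, then its thread redirected:
        # the hollowing pattern. Same image on both sides = self-hollowing.
        return "self-hollowing" if same_image else "hollowing"
    if stats["writes"] > BASELINE_WRITES:
        return "excess-writes"
    return "baseline"


def injection_verdicts(events):
    """Return {chain_key: verdict} for every source->target pair seen."""
    return {key: classify(key, st) for key, st in correlate(events).items()}


def flagged(events):
    """Chains that are not plain start-up noise, as (source_pid, target_pid, verdict)."""
    return [(k[0], k[2], v) for k, v in injection_verdicts(events).items() if v != "baseline"]


if __name__ == "__main__":
    for src, dst, verdict in flagged(EVENTS):
        print(f"{src} -> {dst}: {verdict}")
```

Run against the constructed events, only the 504 to 3808 chain is flagged; the three-write chains to the AdvancedRun children and to PID 2072 stay at baseline. The baseline count is the knob to revisit on a different sandbox or OS build, since the number of start-up writes a monitor records per CreateProcess is an artifact of that environment.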
Processes
- C:\Users\Admin\AppData\Local\Temp\IMG_767893434432.scr (PID 504)
  command line: "C:\Users\Admin\AppData\Local\Temp\IMG_767893434432.scr" /S
  (/S is the switch Windows passes when it starts a screensaver; .scr files are ordinary PE executables, so the extension is a lure)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe (PID 340)
    command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
    (runs sc.exe stop WinDefend, hidden, under AdvancedRun's mode 8, TrustedInstaller; stopping the Defender service)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe (PID 3660)
      command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 340
      (AdvancedRun's own helper instance; the trailing 340 is its parent's PID)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe (PID 2320)
    command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
    (runs PowerShell, hidden, as TrustedInstaller to delete Defender's ProgramData directory recursively)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe (PID 3200)
      command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 2320
      (helper instance; trailing 2320 is its parent's PID)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\IMG_767893434432.scr
    command line: C:\Users\Admin\AppData\Local\Temp\IMG_767893434432.scr
    (first self-copy; no signatures recorded. The tree does not show its PID, but 2072 is the only other target of the parent's WriteProcessMemory calls)

  - C:\Users\Admin\AppData\Local\Temp\IMG_767893434432.scr (PID 3808)
    command line: C:\Users\Admin\AppData\Local\Temp\IMG_767893434432.scr
    (second self-copy, the hollowing target: this is where the stealer payload runs)
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
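The two AdvancedRun command lines in the tree above are the detectable part of this chain: a legitimate NirSoft launcher, a high-privilege /RunAs mode, and a target or argument string that names Windows Defender. The following Python is an added example, not part of the sandbox report or of NirSoft's tool; it parses AdvancedRun's switch syntax and applies that rule to process-creation records constructed from the tree (plus one constructed benign AdvancedRun use, to show it is not flagged). The marker list and the set of /RunAs modes treated as high-privilege are this example's assumptions.

```python
"""Flag AdvancedRun invocations that tamper with Windows Defender.

Added example; it is not part of the sandbox report or of NirSoft's tool.
The process records are constructed from the report's process tree plus one
constructed benign AdvancedRun use, to show it is not flagged. The
/RunAs mode set and the marker list are this example's assumptions.
"""
import shlex

# Constructed records: (pid, image, command_line). The first three are the
# command lines from the report; the last is a constructed benign use.
PROCESS_EVENTS = [
    (340, "AdvancedRun.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename '
     r'"C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" '
     r'/StartDirectory "" /RunAs 8 /Run'),
    (3660, "AdvancedRun.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 340'),
    (2320, "AdvancedRun.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename '
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 '
     r'''/CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" '''
     r'/StartDirectory "" /RunAs 8 /Run'),
    (4444, "AdvancedRun.exe",
     r'"C:\Tools\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\notepad.exe" /RunAs 1 /Run'),
]

# Strings that name Defender or its management tooling (assumption: extend to taste).
DEFENDER_MARKERS = ("windefend", "windows defender", "mpcmdrun", "set-mppreference", "msmpeng")

# AdvancedRun mode 8 is TrustedInstaller, the mode used in this report. Other
# elevated modes exist; add them here after checking NirSoft's documentation.
HIGH_PRIV_RUNAS = {"8"}


def parse_advancedrun(cmdline):
    """Turn an AdvancedRun command line into {switch_lowercase: value}.

    Windows quoting is handled by shlex in non-POSIX mode (quotes kept, no
    backslash escapes), then the quotes are stripped. A value that itself
    starts with '/' must be quoted to be recognised as a value.
    """
    raw = shlex.split(cmdline, posix=False)
    opts, i = {}, 1                       # raw[0] is the AdvancedRun image path
    while i < len(raw):
        tok = raw[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(raw) and not raw[i + 1].startswith("/"):
                opts[key] = raw[i + 1].strip('"')
                i += 2
            else:
                opts[key] = ""            # bare switch such as /Run
                i += 1
        else:
            opts.setdefault("_positional", []).append(tok.strip('"'))
            i += 1
    return opts


def defender_tamper_findings(events):
    """One finding per AdvancedRun launch that targets Defender under a high-privilege mode."""
    findings = []
    for pid, image, cmdline in events:
        if image.lower() != "advancedrun.exe":
            continue
        opts = parse_advancedrun(cmdline)
        haystack = (opts.get("exefilename", "") + " " + opts.get("commandline", "")).lower()
        hits = [m for m in DEFENDER_MARKERS if m in haystack]
        if hits and opts.get("runas") in HIGH_PRIV_RUNAS:
            findings.append({
                "pid": pid,
                "target": opts.get("exefilename"),
                "args": opts.get("commandline"),
                "runas": opts["runas"],
                "markers": hits,
            })
    return findings


if __name__ == "__main__":
    for f in defender_tamper_findings(PROCESS_EVENTS):
        print(f"PID {f['pid']}: {f['target']} {f['args']!r} via /RunAs {f['runas']} ({', '.join(f['markers'])})")
```

On the constructed records the rule fires for PIDs 340 (sc.exe stop WinDefend) and 2320 (PowerShell rmdir of the Defender directory) and stays quiet for the /SpecialRun helper and the notepad launch. Keying on the parsed /EXEFilename and /CommandLine values rather than on a substring of the whole command line is what keeps the helper instances, which carry no target at all, out of the findings.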
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe (listed 5 times, identical hashes each time)
  MD5: 17fc12902f4769af3a9271eb4e2dacce
  SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
  SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
  SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
Memory dumps
dump             range                                        type          size
memory/340-20    0x0000000000000000                           mapping.dmp
memory/504-7     0x0000000005620000-0x0000000005621000        memory.dmp    4KB
memory/504-8     0x00000000015D0000-0x00000000015D1000        memory.dmp    4KB
memory/504-9     0x0000000008560000-0x0000000008562000        memory.dmp    8KB
memory/504-10    0x0000000008580000-0x00000000085D3000        memory.dmp    332KB
memory/504-19    0x00000000089B0000-0x00000000089B1000        memory.dmp    4KB
memory/504-6     0x0000000005530000-0x0000000005531000        memory.dmp    4KB
memory/504-5     0x0000000005A30000-0x0000000005A31000        memory.dmp    4KB
memory/504-3     0x0000000000C00000-0x0000000000C01000        memory.dmp    4KB
memory/504-2     0x0000000073D40000-0x000000007442E000        memory.dmp    6.9MB
memory/2320-25   0x0000000000000000                           mapping.dmp
memory/3200-27   0x0000000000000000                           mapping.dmp
memory/3660-23   0x0000000000000000                           mapping.dmp
memory/3808-29   0x0000000000400000-0x0000000000420000        memory.dmp    128KB
memory/3808-30   0x000000000041A1F8                           mapping.dmp
memory/3808-31   0x0000000000400000-0x0000000000420000        memory.dmp    128KB
Note: the two PID 3808 dumps cover the 0x400000-0x420000 image region of the hollowed self-copy, and the mapping at 0x41A1F8 falls inside it (offset 0x1A1F8), consistent with the thread context set by PID 504 pointing into the written image. Those dumps, not the on-disk .scr, are the place to look for the unpacked Azorult payload and its C2 string.