Analysis
-
max time kernel
49s -
max time network
139s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
08-05-2021 17:06
Static task
static1
Behavioral task
behavioral1
Sample
9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe
Resource
win10v20210408
General
-
Target
9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe
-
Size
1.9MB
-
MD5
adac3b4cb7f7e8280652146c5893afda
-
SHA1
841a987a4ea28e602fcde17494522544678eed25
-
SHA256
9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76
-
SHA512
2264bf73d07f1a0b9501a6a648d0dc35265195542da882e79dcee6fae6797ed2f4cf0f6b74e38ede24e61ad4e70e95efd60110460d31fe9149500a61c2ddcf29
Malware Config
Extracted
azorult
http://work.wrklantc.in:9050/_az/
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Executes dropped EXE 1 IoCs
Processes:
h21vnc.exepid process 2252 h21vnc.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exedescription ioc process File opened (read-only) \??\p: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\u: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\w: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\x: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\y: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\f: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\g: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\n: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\z: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\k: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\l: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\m: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\o: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\v: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\h: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\i: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\j: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\r: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\t: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\a: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\b: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\e: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\q: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe File opened (read-only) \??\s: 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 svchost.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exeh21vnc.exedescription pid process target process PID 736 set thread context of 2752 736 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe PID 2252 set thread context of 584 2252 h21vnc.exe svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exepid process 736 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe 736 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe 736 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe 736 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
h21vnc.exepid process 2252 h21vnc.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exeh21vnc.exedescription pid process target process PID 736 wrote to memory of 2252 736 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe h21vnc.exe PID 736 wrote to memory of 2252 736 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe h21vnc.exe PID 736 wrote to memory of 2252 736 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe h21vnc.exe PID 2252 wrote to memory of 584 2252 h21vnc.exe svchost.exe PID 2252 wrote to memory of 584 2252 h21vnc.exe svchost.exe PID 736 wrote to memory of 2752 736 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe PID 736 wrote to memory of 2752 736 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe PID 736 wrote to memory of 2752 736 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe PID 736 wrote to memory of 2752 736 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe PID 736 wrote to memory of 2752 736 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe PID 2252 wrote to memory of 584 2252 h21vnc.exe svchost.exe PID 2252 wrote to memory of 584 2252 h21vnc.exe svchost.exe PID 2252 wrote to memory of 584 2252 h21vnc.exe svchost.exe PID 736 wrote to memory of 3880 736 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe schtasks.exe PID 736 wrote to memory of 3880 736 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe schtasks.exe PID 736 wrote to memory of 3880 736 9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe"C:\Users\Admin\AppData\Local\Temp\9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe"1⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\h21vnc.exe"C:\Users\Admin\AppData\Local\Temp\h21vnc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
- Maps connected drives based on registry
-
C:\Users\Admin\AppData\Local\Temp\9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe"C:\Users\Admin\AppData\Local\Temp\9fd1b6bb492b8ddf71e4dd57561772160e28de0c7dc10257ce3c6d6c1e506f76.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn amsi /tr "C:\Users\Admin\slui\comp.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\slui\comp.exeC:\Users\Admin\slui\comp.exe1⤵
-
C:\Users\Admin\slui\comp.exeC:\Users\Admin\slui\comp.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\h21vnc.exeMD5
2aa5b4a93c2ccd200e4d97a64b84aefb
SHA185934cf71fa56f27789686b7ed6db9b82f6417c1
SHA256bed35f8f672d014833f77e430dc6cef5669d7f4997c6353a57a328af9ee37a26
SHA512f79a3e2e1dd2185325037cabdd9ed6581ae09a4961b9170563b5975dd98b17bcd041e9c0c3e460eef2ac806d3e57b72e50e8055b96c513be1c9568423d650756
-
C:\Users\Admin\AppData\Local\Temp\h21vnc.exeMD5
2aa5b4a93c2ccd200e4d97a64b84aefb
SHA185934cf71fa56f27789686b7ed6db9b82f6417c1
SHA256bed35f8f672d014833f77e430dc6cef5669d7f4997c6353a57a328af9ee37a26
SHA512f79a3e2e1dd2185325037cabdd9ed6581ae09a4961b9170563b5975dd98b17bcd041e9c0c3e460eef2ac806d3e57b72e50e8055b96c513be1c9568423d650756
-
C:\Users\Admin\slui\comp.exeMD5
a045fc51434dcffe041d43acdcd932c2
SHA1f4894a3e1d981b253fca4922c5f74e25fa975f5d
SHA256c04ba26500e994f323fb762b7913edd8ddc483f05a7818e118e40cba0bd887ad
SHA512b7f11aabb1557c6de3ce3550007bcb7943b4233ebaf7ade7e7036955a1259d27b4cf71544bd5787479dffca4dc6f6bda63a11be04c519a4266dfa77357a64203
-
C:\Users\Admin\slui\comp.exeMD5
a045fc51434dcffe041d43acdcd932c2
SHA1f4894a3e1d981b253fca4922c5f74e25fa975f5d
SHA256c04ba26500e994f323fb762b7913edd8ddc483f05a7818e118e40cba0bd887ad
SHA512b7f11aabb1557c6de3ce3550007bcb7943b4233ebaf7ade7e7036955a1259d27b4cf71544bd5787479dffca4dc6f6bda63a11be04c519a4266dfa77357a64203
-
C:\Users\Admin\slui\comp.exeMD5
a045fc51434dcffe041d43acdcd932c2
SHA1f4894a3e1d981b253fca4922c5f74e25fa975f5d
SHA256c04ba26500e994f323fb762b7913edd8ddc483f05a7818e118e40cba0bd887ad
SHA512b7f11aabb1557c6de3ce3550007bcb7943b4233ebaf7ade7e7036955a1259d27b4cf71544bd5787479dffca4dc6f6bda63a11be04c519a4266dfa77357a64203
-
memory/584-122-0x0000000000000000-mapping.dmp
-
memory/584-124-0x0000000000C30000-0x0000000000C31000-memory.dmpFilesize
4KB
-
memory/584-125-0x0000000000B90000-0x0000000000C2C000-memory.dmpFilesize
624KB
-
memory/736-123-0x0000000001640000-0x0000000001641000-memory.dmpFilesize
4KB
-
memory/2252-114-0x0000000000000000-mapping.dmp
-
memory/2752-117-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2752-121-0x000000000041A1F8-mapping.dmp
-
memory/3880-126-0x0000000000000000-mapping.dmp