Overview

overview

10

Static

static

4eaee1f695...c2.exe

windows7_x64

10

4eaee1f695...c2.exe

windows10_x64

10

Analysis

  • max time kernel
    44s
  • max time network
    116s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    09-05-2021 14:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe

  • Size

    1.9MB

  • MD5

    be2de5463fff77d33317c926421ba040

  • SHA1

    eea7d85b92d2a2c1fda03364882be19703484ba8

  • SHA256

    4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2

  • SHA512

    bc60e5ae5de7dd13280d39c515065e9b70aaec0a06a7571e38ac2055648f33058e8cdcd2eba1a569b5e60edcbae2d913ff542c6d3571b6d49879ea0f59729fc4

Score
10/10
azorultinfostealertrojan

Malware Config

Extracted

Family

azorult

C2

http://work.wrklantc.in:9050/_az/

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe
    "C:\Users\Admin\AppData\Local\Temp\4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3952
    • C:\Users\Admin\AppData\Local\Temp\h21vnc.exe
      "C:\Users\Admin\AppData\Local\Temp\h21vnc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k
        3⤵
        • Maps connected drives based on registry
        PID:3524
    • C:\Users\Admin\AppData\Local\Temp\4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe
      "C:\Users\Admin\AppData\Local\Temp\4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe"
      2⤵
        PID:1912
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn amsi /tr "C:\Users\Admin\slui\comp.exe" /sc minute /mo 1 /F
        2⤵
        • Creates scheduled task(s)
        PID:1264
    • C:\Users\Admin\slui\comp.exe
      C:\Users\Admin\slui\comp.exe
      1⤵
      • Executes dropped EXE
      PID:3208
    • C:\Users\Admin\slui\comp.exe
      C:\Users\Admin\slui\comp.exe
      1⤵
        PID:576
      • C:\Users\Admin\slui\comp.exe
        C:\Users\Admin\slui\comp.exe
        1⤵
          PID:3876

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        2
        T1012

        Peripheral Device Discovery

        2
        T1120

        System Information Discovery

        3
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\h21vnc.exe
          MD5

          2aa5b4a93c2ccd200e4d97a64b84aefb

          SHA1

          85934cf71fa56f27789686b7ed6db9b82f6417c1

          SHA256

          bed35f8f672d014833f77e430dc6cef5669d7f4997c6353a57a328af9ee37a26

          SHA512

          f79a3e2e1dd2185325037cabdd9ed6581ae09a4961b9170563b5975dd98b17bcd041e9c0c3e460eef2ac806d3e57b72e50e8055b96c513be1c9568423d650756

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\h21vnc.exe
          MD5

          2aa5b4a93c2ccd200e4d97a64b84aefb

          SHA1

          85934cf71fa56f27789686b7ed6db9b82f6417c1

          SHA256

          bed35f8f672d014833f77e430dc6cef5669d7f4997c6353a57a328af9ee37a26

          SHA512

          f79a3e2e1dd2185325037cabdd9ed6581ae09a4961b9170563b5975dd98b17bcd041e9c0c3e460eef2ac806d3e57b72e50e8055b96c513be1c9568423d650756

          Download Submit
        • C:\Users\Admin\slui\comp.exe
          MD5

          5bf1d00f913d8149604f235f34948b82

          SHA1

          71137e3f58b3609333120a4c1938ddbb22dce413

          SHA256

          bd69d30f0ce7d19791646026d99b6d6b1a5de1d2c7a511e3b57b9d39ca4bf0d9

          SHA512

          cb2179efce95fa1c2343fe05f1dc82ca98daa8ad8e30e37bf1c7397e9d55da83fdf84ad310f969caca51b702de4e9e011be05e20c2259a2f9e93491a2e07cb2b

          Download Submit
        • C:\Users\Admin\slui\comp.exe
          MD5

          5bf1d00f913d8149604f235f34948b82

          SHA1

          71137e3f58b3609333120a4c1938ddbb22dce413

          SHA256

          bd69d30f0ce7d19791646026d99b6d6b1a5de1d2c7a511e3b57b9d39ca4bf0d9

          SHA512

          cb2179efce95fa1c2343fe05f1dc82ca98daa8ad8e30e37bf1c7397e9d55da83fdf84ad310f969caca51b702de4e9e011be05e20c2259a2f9e93491a2e07cb2b

          Download Submit
        • C:\Users\Admin\slui\comp.exe
          MD5

          5bf1d00f913d8149604f235f34948b82

          SHA1

          71137e3f58b3609333120a4c1938ddbb22dce413

          SHA256

          bd69d30f0ce7d19791646026d99b6d6b1a5de1d2c7a511e3b57b9d39ca4bf0d9

          SHA512

          cb2179efce95fa1c2343fe05f1dc82ca98daa8ad8e30e37bf1c7397e9d55da83fdf84ad310f969caca51b702de4e9e011be05e20c2259a2f9e93491a2e07cb2b

          Download Submit
        • C:\Users\Admin\slui\comp.exe
          MD5

          5bf1d00f913d8149604f235f34948b82

          SHA1

          71137e3f58b3609333120a4c1938ddbb22dce413

          SHA256

          bd69d30f0ce7d19791646026d99b6d6b1a5de1d2c7a511e3b57b9d39ca4bf0d9

          SHA512

          cb2179efce95fa1c2343fe05f1dc82ca98daa8ad8e30e37bf1c7397e9d55da83fdf84ad310f969caca51b702de4e9e011be05e20c2259a2f9e93491a2e07cb2b

          Download Submit
        • memory/1264-126-0x0000000000000000-mapping.dmp
          Download
        • memory/1912-120-0x0000000000400000-0x0000000000420000-memory.dmp
          Filesize

          128KB

          Download
        • memory/1912-124-0x000000000041A1F8-mapping.dmp
          Download
        • memory/2528-114-0x0000000000000000-mapping.dmp
          Download
        • memory/3524-118-0x00000000009C0000-0x00000000009C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3524-119-0x0000000000920000-0x00000000009BC000-memory.dmp
          Filesize

          624KB

          Download
        • memory/3524-117-0x0000000000000000-mapping.dmp
          Download
        • memory/3952-125-0x0000000000F50000-0x0000000001188000-memory.dmp
          Filesize

          2.2MB

          Download