Analysis
- max time kernel: 44s
- max time network: 116s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 09-05-2021 14:30
Static task: static1
Behavioral task: behavioral1
- Sample: 4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe
- Resource: win10v20210410
General
- Target: 4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe
- Size: 1.9MB
- MD5: be2de5463fff77d33317c926421ba040
- SHA1: eea7d85b92d2a2c1fda03364882be19703484ba8
- SHA256: 4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2
- SHA512: bc60e5ae5de7dd13280d39c515065e9b70aaec0a06a7571e38ac2055648f33058e8cdcd2eba1a569b5e60edcbae2d913ff542c6d3571b6d49879ea0f59729fc4
Malware Config
Extracted: azorult
http://work.wrklantc.in:9050/_az/
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Executes dropped EXE 2 IoCs
Processes:
pid  process
2528 h21vnc.exe
3208 comp.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
process (all 24 events): 4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe
description             ioc
File opened (read-only) \??\e:
File opened (read-only) \??\n:
File opened (read-only) \??\v:
File opened (read-only) \??\q:
File opened (read-only) \??\s:
File opened (read-only) \??\t:
File opened (read-only) \??\z:
File opened (read-only) \??\g:
File opened (read-only) \??\l:
File opened (read-only) \??\m:
File opened (read-only) \??\u:
File opened (read-only) \??\w:
File opened (read-only) \??\x:
File opened (read-only) \??\b:
File opened (read-only) \??\h:
File opened (read-only) \??\k:
File opened (read-only) \??\j:
File opened (read-only) \??\o:
File opened (read-only) \??\p:
File opened (read-only) \??\r:
File opened (read-only) \??\y:
File opened (read-only) \??\a:
File opened (read-only) \??\f:
File opened (read-only) \??\i:
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                          process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum    svchost.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0  svchost.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description                          pid   process                                                                  target process
PID 2528 set thread context of 3524  2528  h21vnc.exe                                                               svchost.exe
PID 3952 set thread context of 1912  3952  4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe  4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid   process
3952  4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe (reported 4 times)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid   process
2528  h21vnc.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
description                       pid   process                                                                  target process                                                            count
PID 3952 wrote to memory of 2528  3952  4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe  h21vnc.exe                                                                3
PID 2528 wrote to memory of 3524  2528  h21vnc.exe                                                               svchost.exe                                                               5
PID 3952 wrote to memory of 1912  3952  4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe  4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe  5
PID 3952 wrote to memory of 1264  3952  4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe  schtasks.exe                                                              3
Processes
-
C:\Users\Admin\AppData\Local\Temp\4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe"
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\h21vnc.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\h21vnc.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\svchost.exe (level 3)
    Command line: C:\Windows\system32\svchost.exe -k
    - Maps connected drives based on registry
  -
  C:\Users\Admin\AppData\Local\Temp\4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4eaee1f695e6c1b2d9313e2e25796206f3e516a5492318c7309de0e7718d67c2.exe"
  -
  C:\Windows\SysWOW64\schtasks.exe (level 2)
  Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn amsi /tr "C:\Users\Admin\slui\comp.exe" /sc minute /mo 1 /F
  - Creates scheduled task(s)
-
C:\Users\Admin\slui\comp.exe (level 1)
Command line: C:\Users\Admin\slui\comp.exe
- Executes dropped EXE
-
C:\Users\Admin\slui\comp.exe (level 1)
Command line: C:\Users\Admin\slui\comp.exe
-
C:\Users\Admin\slui\comp.exe (level 1)
Command line: C:\Users\Admin\slui\comp.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\h21vnc.exe
MD5: 2aa5b4a93c2ccd200e4d97a64b84aefb
SHA1: 85934cf71fa56f27789686b7ed6db9b82f6417c1
SHA256: bed35f8f672d014833f77e430dc6cef5669d7f4997c6353a57a328af9ee37a26
SHA512: f79a3e2e1dd2185325037cabdd9ed6581ae09a4961b9170563b5975dd98b17bcd041e9c0c3e460eef2ac806d3e57b72e50e8055b96c513be1c9568423d650756
-
C:\Users\Admin\slui\comp.exe
MD5: 5bf1d00f913d8149604f235f34948b82
SHA1: 71137e3f58b3609333120a4c1938ddbb22dce413
SHA256: bd69d30f0ce7d19791646026d99b6d6b1a5de1d2c7a511e3b57b9d39ca4bf0d9
SHA512: cb2179efce95fa1c2343fe05f1dc82ca98daa8ad8e30e37bf1c7397e9d55da83fdf84ad310f969caca51b702de4e9e011be05e20c2259a2f9e93491a2e07cb2b
-
memory/1264-126-0x0000000000000000-mapping.dmp
-
memory/1912-120-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
-
memory/1912-124-0x000000000041A1F8-mapping.dmp
-
memory/2528-114-0x0000000000000000-mapping.dmp
-
memory/3524-118-0x00000000009C0000-0x00000000009C1000-memory.dmp (Filesize: 4KB)
-
memory/3524-119-0x0000000000920000-0x00000000009BC000-memory.dmp (Filesize: 624KB)
-
memory/3524-117-0x0000000000000000-mapping.dmp
-
memory/3952-125-0x0000000000F50000-0x0000000001188000-memory.dmp (Filesize: 2.2MB)