Overview

overview

10

Static

static

722ef401e5...88.exe

windows7_x64

10

722ef401e5...88.exe

windows10-2004_x64

10

Resubmissions

27-11-2022 20:01

221127-yrz42aad2z 10

12-05-2022 13:49

220512-q47ewafeb7 10

Analysis

  • max time kernel
    165s
  • max time network
    183s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    12-05-2022 13:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe

  • Size

    483KB

  • MD5

    7a0093c743fc33a5e111f2fec269f79b

  • SHA1

    feadb2ca02d41f2d834b8577f39a582d4bdd734f

  • SHA256

    722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088

  • SHA512

    77cade5a9e48f8d1da6e689a7881b23a1be165f1be8f26059458766e6fc4db8c03c058beb19dd0f644aebd218371ef487fe31a086e6fbc7089976d0802010eee

Score
10/10
azorultinfostealersuricatatrojan

Malware Config

Extracted

Family

azorult

C2

http://5gw4d.xyz/PL341/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5

    suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5

    suricata
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
    "C:\Users\Admin\AppData\Local\Temp\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VbxFiQYCyFDgGL.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1732
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VbxFiQYCyFDgGL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAB2E.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2020
    • C:\Users\Admin\AppData\Local\Temp\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
      "C:\Users\Admin\AppData\Local\Temp\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe"
      2⤵
        PID:1108
      • C:\Users\Admin\AppData\Local\Temp\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
        "C:\Users\Admin\AppData\Local\Temp\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe"
        2⤵
          PID:1212
        • C:\Users\Admin\AppData\Local\Temp\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
          "C:\Users\Admin\AppData\Local\Temp\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe"
          2⤵
            PID:300
          • C:\Users\Admin\AppData\Local\Temp\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
            "C:\Users\Admin\AppData\Local\Temp\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe"
            2⤵
              PID:1540
            • C:\Users\Admin\AppData\Local\Temp\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe
              "C:\Users\Admin\AppData\Local\Temp\722ef401e5cbb067c5c33faa402774d3c75ef08e0c8cc4d7e66a9cfa53684088.exe"
              2⤵
                PID:1556

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpAB2E.tmp
              Filesize

              1KB

              MD5

              6776b714f34c5c30052b21b3a5eba935

              SHA1

              b40be6793e6193a458a506cac265b3fca3463179

              SHA256

              5b56d5df0802d8e64c91389d70c3861d82d66bc74334bc4c45ea31f2c2aa2b09

              SHA512

              cd16db7c893705b71711e3c7e6653eac41b744286b892613f86740a234b2c10d8b5c0208fb0bd5ef938d8cd1a0005b63ddd2ddfbd57615afb646fb753a24e450

              Download Submit
            • memory/1540-65-0x0000000000400000-0x0000000000420000-memory.dmp
              Filesize

              128KB

              Download
            • memory/1540-77-0x0000000000400000-0x0000000000420000-memory.dmp
              Filesize

              128KB

              Download
            • memory/1540-72-0x0000000000400000-0x0000000000420000-memory.dmp
              Filesize

              128KB

              Download
            • memory/1540-75-0x0000000000400000-0x0000000000420000-memory.dmp
              Filesize

              128KB

              Download
            • memory/1540-73-0x000000000041A684-mapping.dmp
              Download
            • memory/1540-66-0x0000000000400000-0x0000000000420000-memory.dmp
              Filesize

              128KB

              Download
            • memory/1540-70-0x0000000000400000-0x0000000000420000-memory.dmp
              Filesize

              128KB

              Download
            • memory/1540-68-0x0000000000400000-0x0000000000420000-memory.dmp
              Filesize

              128KB

              Download
            • memory/1540-69-0x0000000000400000-0x0000000000420000-memory.dmp
              Filesize

              128KB

              Download
            • memory/1684-58-0x0000000004C90000-0x0000000004CF6000-memory.dmp
              Filesize

              408KB

              Download
            • memory/1684-64-0x00000000042E0000-0x0000000004302000-memory.dmp
              Filesize

              136KB

              Download
            • memory/1684-54-0x0000000000240000-0x00000000002C0000-memory.dmp
              Filesize

              512KB

              Download
            • memory/1684-57-0x0000000000580000-0x0000000000598000-memory.dmp
              Filesize

              96KB

              Download
            • memory/1684-56-0x0000000005BA0000-0x0000000005C0C000-memory.dmp
              Filesize

              432KB

              Download
            • memory/1684-55-0x0000000075941000-0x0000000075943000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1732-63-0x000000006E6C0000-0x000000006EC6B000-memory.dmp
              Filesize

              5.7MB

              Download
            • memory/1732-59-0x0000000000000000-mapping.dmp
              Download
            • memory/2020-60-0x0000000000000000-mapping.dmp
              Download