azorult | 3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b

Analysis

max time kernel
3s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
14-05-2022 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe
Size

337KB
MD5

bce638f50587c46faa3c3e1798100251
SHA1

7b354d3902b1af13cc17cf4ec0c4da111309956d
SHA256

3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b
SHA512

18445d9cd7bf41946817dae07652e2f4e9c0f14e98c90941c30b304fb70667aa79f4b5603f60d73bcd7bcca611bee7ac1d0601b278121c311de917b8e26e5c9f

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://89.43.107.198/mpom/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

ucxgm.exeucxgm.exe

pid process

1840 ucxgm.exe
1800 ucxgm.exe
Loads dropped DLL 5 IoCs

Processes:

3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exeucxgm.exeWerFault.exe

pid process

1040 3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe
1840 ucxgm.exe
1824 WerFault.exe
1824 WerFault.exe
1824 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1824 1800 WerFault.exe ucxgm.exe

pid	process
1840	ucxgm.exe
1800	ucxgm.exe

pid	process
1040	3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe
1840	ucxgm.exe
1824	WerFault.exe
1824	WerFault.exe
1824	WerFault.exe

pid	pid_target	process	target process
1824	1800	WerFault.exe	ucxgm.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exeucxgm.exeucxgm.exe

description	pid	process	target process
PID 1040 wrote to memory of 1840	1040	3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe	ucxgm.exe
PID 1040 wrote to memory of 1840	1040	3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe	ucxgm.exe
PID 1040 wrote to memory of 1840	1040	3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe	ucxgm.exe
PID 1040 wrote to memory of 1840	1040	3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe	ucxgm.exe
PID 1840 wrote to memory of 1800	1840	ucxgm.exe	ucxgm.exe
PID 1840 wrote to memory of 1800	1840	ucxgm.exe	ucxgm.exe
PID 1840 wrote to memory of 1800	1840	ucxgm.exe	ucxgm.exe
PID 1840 wrote to memory of 1800	1840	ucxgm.exe	ucxgm.exe
PID 1840 wrote to memory of 1800	1840	ucxgm.exe	ucxgm.exe
PID 1840 wrote to memory of 1800	1840	ucxgm.exe	ucxgm.exe
PID 1840 wrote to memory of 1800	1840	ucxgm.exe	ucxgm.exe
PID 1840 wrote to memory of 1800	1840	ucxgm.exe	ucxgm.exe
PID 1840 wrote to memory of 1800	1840	ucxgm.exe	ucxgm.exe
PID 1840 wrote to memory of 1800	1840	ucxgm.exe	ucxgm.exe
PID 1840 wrote to memory of 1800	1840	ucxgm.exe	ucxgm.exe
PID 1800 wrote to memory of 1824	1800	ucxgm.exe	WerFault.exe
PID 1800 wrote to memory of 1824	1800	ucxgm.exe	WerFault.exe
PID 1800 wrote to memory of 1824	1800	ucxgm.exe	WerFault.exe
PID 1800 wrote to memory of 1824	1800	ucxgm.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe
"C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
  C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\joszbi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
    C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\joszbi
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 120
      4⤵
      Loads dropped DLL
      Program crash
      PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\joszbi

Filesize
5KB

MD5
a5a523f60a17756e61e17ba513ff59d1

SHA1
d03b444c7c2d4ffb34d483427e69ec2116d90951

SHA256
5519ce10c332d304d521a15d902d84e2feac7827a148284713402de837fd4755

SHA512
99af33e2deb545c902c8663a67643b18ae2ee09924c8dee23c4ed93a6ff55305c020e3fd4e2d3781144450b14468c08799a3c59dfd1151893ec1a7e8352ef08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqrvq39gj49la

Filesize
211KB

MD5
664cb163be98c1035799694e2585cb16

SHA1
30984822dc25b065f6476557361396282906c551

SHA256
466b28f6c18c530ac94410a111fe1feb84b2363b03831cb3e39af96d37ad56cd

SHA512
e723882a67c072413357da1d9950a363ffcdb38fd1554cfede3acc75a16b6b78497a736fed7c32a5b8431a4ce591d3610da561ebbfee03ce04d6661e32612985

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucxgm.exe

Filesize
179KB

MD5
78673699f5e78cf7ecfbb9ef42f3cc20

SHA1
7d1a1e230a595a3249f70871dfca54c1c7e6bb3e

SHA256
85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838

SHA512
1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucxgm.exe

Filesize
179KB

MD5
78673699f5e78cf7ecfbb9ef42f3cc20

SHA1
7d1a1e230a595a3249f70871dfca54c1c7e6bb3e

SHA256
85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838

SHA512
1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucxgm.exe

Filesize
179KB

MD5
78673699f5e78cf7ecfbb9ef42f3cc20

SHA1
7d1a1e230a595a3249f70871dfca54c1c7e6bb3e

SHA256
85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838

SHA512
1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016

Download Submit
\Users\Admin\AppData\Local\Temp\ucxgm.exe

Filesize
179KB

MD5
78673699f5e78cf7ecfbb9ef42f3cc20

SHA1
7d1a1e230a595a3249f70871dfca54c1c7e6bb3e

SHA256
85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838

SHA512
1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016

Download Submit
\Users\Admin\AppData\Local\Temp\ucxgm.exe

Filesize
179KB

MD5
78673699f5e78cf7ecfbb9ef42f3cc20

SHA1
7d1a1e230a595a3249f70871dfca54c1c7e6bb3e

SHA256
85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838

SHA512
1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016

Download Submit
\Users\Admin\AppData\Local\Temp\ucxgm.exe

Filesize
179KB

MD5
78673699f5e78cf7ecfbb9ef42f3cc20

SHA1
7d1a1e230a595a3249f70871dfca54c1c7e6bb3e

SHA256
85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838

SHA512
1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016

Download Submit
\Users\Admin\AppData\Local\Temp\ucxgm.exe

Filesize
179KB

MD5
78673699f5e78cf7ecfbb9ef42f3cc20

SHA1
7d1a1e230a595a3249f70871dfca54c1c7e6bb3e

SHA256
85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838

SHA512
1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016

Download Submit
\Users\Admin\AppData\Local\Temp\ucxgm.exe

Filesize
179KB

MD5
78673699f5e78cf7ecfbb9ef42f3cc20

SHA1
7d1a1e230a595a3249f70871dfca54c1c7e6bb3e

SHA256
85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838

SHA512
1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016

Download Submit
memory/1040-54-0x0000000075DE1000-0x0000000075DE3000-memory.dmp

Filesize
8KB

Download
memory/1800-63-0x0000000000000000-mapping.dmp

Download
memory/1800-70-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/1800-67-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/1800-65-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/1824-71-0x0000000000000000-mapping.dmp

Download
memory/1840-56-0x0000000000000000-mapping.dmp

Download