azorult | 36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e

General

Target

36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe
Size

516KB
MD5

50ef01a3ea956415109060b12df69af3
SHA1

9017e97b4a34336392b7b98ad2aff8c4dad228d9
SHA256

36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e
SHA512

d518eb98744fb1b3dbf94dc07c58c22c216d120a537df4e2253f59db6b6b555de56a16e2fdcc71cc951b433533c94a06f8b60d9d9fadf2e7ea18c9ae03072c8d

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://e4v5sa.xyz/PL341/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe

description	pid	process	target process
PID 4284 set thread context of 5052	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1512 schtasks.exe

pid	process
1512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe

pid	process
4532	powershell.exe
4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe
4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe
4532	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exe36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe

description	pid	process
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe

C:\Users\Admin\AppData\Local\Temp\36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe
"C:\Users\Admin\AppData\Local\Temp\36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VtwKTd.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VtwKTd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC06.tmp"
2⤵
- Creates scheduled task(s)
PID:1512

C:\Users\Admin\AppData\Local\Temp\36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe
"C:\Users\Admin\AppData\Local\Temp\36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe"
2⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe
"C:\Users\Admin\AppData\Local\Temp\36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe"
2⤵
PID:5052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEC06.tmp
Filesize
1KB

MD5
3a5bb7321eb457581a1c37560d6f2834

SHA1
7ec5e117fd901214bbff7834a3faaa1b91bed4e6

SHA256
12444ab7adf91eb1aca42ae2a744c41fceacf875ecd8fb059beea63c4ad664a2

SHA512
e5cc3ffa0af2a3d9624fd10cfa6b3fc13eed9fbe6158cea898190bc6b7169295abe90a27da1406467c5b5f62254ff04983476a12837ea2b914fc3a0ea0b4e91e

Download Submit
memory/1512-137-0x0000000000000000-mapping.dmp

Download
memory/1964-141-0x0000000000000000-mapping.dmp

Download
memory/4284-131-0x0000000005520000-0x0000000005AC4000-memory.dmp

Filesize
5.6MB

Download
memory/4284-132-0x0000000005050000-0x00000000050E2000-memory.dmp

Filesize
584KB

Download
memory/4284-133-0x00000000051F0000-0x00000000051FA000-memory.dmp

Filesize
40KB

Download
memory/4284-134-0x0000000000ED0000-0x0000000000F6C000-memory.dmp

Filesize
624KB

Download
memory/4284-135-0x0000000008BE0000-0x0000000008C46000-memory.dmp

Filesize
408KB

Download
memory/4284-130-0x0000000000610000-0x0000000000694000-memory.dmp

Filesize
528KB

Download
memory/4532-152-0x0000000006980000-0x000000000699E000-memory.dmp

Filesize
120KB

Download
memory/4532-153-0x0000000007D80000-0x00000000083FA000-memory.dmp

Filesize
6.5MB

Download
memory/4532-142-0x0000000005310000-0x0000000005332000-memory.dmp

Filesize
136KB

Download
memory/4532-138-0x0000000004E30000-0x0000000004E66000-memory.dmp

Filesize
216KB

Download
memory/4532-159-0x0000000007A00000-0x0000000007A08000-memory.dmp

Filesize
32KB

Download
memory/4532-158-0x0000000007A20000-0x0000000007A3A000-memory.dmp

Filesize
104KB

Download
memory/4532-146-0x0000000005C80000-0x0000000005CE6000-memory.dmp

Filesize
408KB

Download
memory/4532-157-0x0000000007910000-0x000000000791E000-memory.dmp

Filesize
56KB

Download
memory/4532-156-0x0000000007960000-0x00000000079F6000-memory.dmp

Filesize
600KB

Download
memory/4532-149-0x00000000063D0000-0x00000000063EE000-memory.dmp

Filesize
120KB

Download
memory/4532-150-0x00000000069A0000-0x00000000069D2000-memory.dmp

Filesize
200KB

Download
memory/4532-151-0x0000000073AA0000-0x0000000073AEC000-memory.dmp

Filesize
304KB

Download
memory/4532-136-0x0000000000000000-mapping.dmp

Download
memory/4532-140-0x00000000054A0000-0x0000000005AC8000-memory.dmp

Filesize
6.2MB

Download
memory/4532-154-0x00000000076D0000-0x00000000076EA000-memory.dmp

Filesize
104KB

Download
memory/4532-155-0x0000000007750000-0x000000000775A000-memory.dmp

Filesize
40KB

Download
memory/5052-148-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5052-147-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5052-144-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5052-143-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 4284 wrote to memory of 4532	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe	powershell.exe
PID 4284 wrote to memory of 4532	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe	powershell.exe
PID 4284 wrote to memory of 4532	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe	powershell.exe
PID 4284 wrote to memory of 1512	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe	schtasks.exe
PID 4284 wrote to memory of 1512	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe	schtasks.exe
PID 4284 wrote to memory of 1512	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe	schtasks.exe
PID 4284 wrote to memory of 1964	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe
PID 4284 wrote to memory of 1964	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe
PID 4284 wrote to memory of 1964	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe
PID 4284 wrote to memory of 5052	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe
PID 4284 wrote to memory of 5052	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe
PID 4284 wrote to memory of 5052	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe
PID 4284 wrote to memory of 5052	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe
PID 4284 wrote to memory of 5052	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe
PID 4284 wrote to memory of 5052	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe
PID 4284 wrote to memory of 5052	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe
PID 4284 wrote to memory of 5052	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe
PID 4284 wrote to memory of 5052	4284	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe	36d24df14c30587bab4aec2992cd86d258d0245f01781abb57241005282a8f7e.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads