azorult | e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7

Analysis

max time kernel
40s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7.exe
Size

246KB
MD5

bc6e81255131133a0f8e9ea4cea63d1a
SHA1

c6daa783428bc85f48f5b3d906b56e13d10ec7eb
SHA256

e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7
SHA512

ee7a61c5a9af70e7970641da0d8ca904c7c5859b6e946cbbfbef9226546ebe6a51f770e25bb554151956dbe51b77fa133961612e92796e5c6b2bce655449b062

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://e4v5sa.xyz/PL341/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

lwkcbv.exelwkcbv.exe

pid process

880 lwkcbv.exe
1712 lwkcbv.exe

pid	process
880	lwkcbv.exe
1712	lwkcbv.exe

Loads dropped DLL 6 IoCs

Processes:

e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7.exelwkcbv.exeWerFault.exe

pid	process
1756	e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7.exe
1756	e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7.exe
880	lwkcbv.exe
2028	WerFault.exe
2028	WerFault.exe
2028	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2028 1712 WerFault.exe lwkcbv.exe

pid	pid_target	process	target process
2028	1712	WerFault.exe	lwkcbv.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7.exelwkcbv.exelwkcbv.exe

description	pid	process	target process
PID 1756 wrote to memory of 880	1756	e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7.exe	lwkcbv.exe
PID 1756 wrote to memory of 880	1756	e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7.exe	lwkcbv.exe
PID 1756 wrote to memory of 880	1756	e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7.exe	lwkcbv.exe
PID 1756 wrote to memory of 880	1756	e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7.exe	lwkcbv.exe
PID 880 wrote to memory of 1712	880	lwkcbv.exe	lwkcbv.exe
PID 880 wrote to memory of 1712	880	lwkcbv.exe	lwkcbv.exe
PID 880 wrote to memory of 1712	880	lwkcbv.exe	lwkcbv.exe
PID 880 wrote to memory of 1712	880	lwkcbv.exe	lwkcbv.exe
PID 880 wrote to memory of 1712	880	lwkcbv.exe	lwkcbv.exe
PID 880 wrote to memory of 1712	880	lwkcbv.exe	lwkcbv.exe
PID 880 wrote to memory of 1712	880	lwkcbv.exe	lwkcbv.exe
PID 880 wrote to memory of 1712	880	lwkcbv.exe	lwkcbv.exe
PID 880 wrote to memory of 1712	880	lwkcbv.exe	lwkcbv.exe
PID 880 wrote to memory of 1712	880	lwkcbv.exe	lwkcbv.exe
PID 880 wrote to memory of 1712	880	lwkcbv.exe	lwkcbv.exe
PID 1712 wrote to memory of 2028	1712	lwkcbv.exe	WerFault.exe
PID 1712 wrote to memory of 2028	1712	lwkcbv.exe	WerFault.exe
PID 1712 wrote to memory of 2028	1712	lwkcbv.exe	WerFault.exe
PID 1712 wrote to memory of 2028	1712	lwkcbv.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7.exe
"C:\Users\Admin\AppData\Local\Temp\e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\lwkcbv.exe
C:\Users\Admin\AppData\Local\Temp\lwkcbv.exe C:\Users\Admin\AppData\Local\Temp\vfloigqd
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Local\Temp\lwkcbv.exe
C:\Users\Admin\AppData\Local\Temp\lwkcbv.exe C:\Users\Admin\AppData\Local\Temp\vfloigqd
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 120
4⤵
- Loads dropped DLL
- Program crash
PID:2028

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lwkcbv.exe
Filesize
64KB

MD5
aaa2ef7131d588fa6f96a645f0bdb8a2

SHA1
800a9badf314335ea00e9926b2217a6335b106b7

SHA256
f8c14fbce31f3fc8ae816f9f6ac50c14d55a9689e0bcaf8b55152d081fd1c2a5

SHA512
492711c755b0d27463d37f72bddec36ee7c4e9510c40d122876512334a76d7e6ece09ee46b7a472e026aae0a52453e89457e88a328888ac79dd08719b2d6158b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwkcbv.exe
Filesize
64KB

MD5
aaa2ef7131d588fa6f96a645f0bdb8a2

SHA1
800a9badf314335ea00e9926b2217a6335b106b7

SHA256
f8c14fbce31f3fc8ae816f9f6ac50c14d55a9689e0bcaf8b55152d081fd1c2a5

SHA512
492711c755b0d27463d37f72bddec36ee7c4e9510c40d122876512334a76d7e6ece09ee46b7a472e026aae0a52453e89457e88a328888ac79dd08719b2d6158b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwkcbv.exe
Filesize
64KB

MD5
aaa2ef7131d588fa6f96a645f0bdb8a2

SHA1
800a9badf314335ea00e9926b2217a6335b106b7

SHA256
f8c14fbce31f3fc8ae816f9f6ac50c14d55a9689e0bcaf8b55152d081fd1c2a5

SHA512
492711c755b0d27463d37f72bddec36ee7c4e9510c40d122876512334a76d7e6ece09ee46b7a472e026aae0a52453e89457e88a328888ac79dd08719b2d6158b

Download Submit
C:\Users\Admin\AppData\Local\Temp\skwe7k8r3x
Filesize
111KB

MD5
226c5855242ee35ce3a51cfb3346f3bc

SHA1
25620586916cda93b377df5a86915205da0128c5

SHA256
16fe1baf817863a33b29c2b1ea1680931fb8726ee45cee1cc139cdc0a1b2a2a5

SHA512
c9e44ee820e207f55fdce7539a2f7e291e6afd9295d4a1f4558136b2e4348df4d34708371b667875836a2950af8429709541bbfa5be3d8a8d32898b0decc5197

Download Submit
C:\Users\Admin\AppData\Local\Temp\vfloigqd
Filesize
4KB

MD5
b787488b159b7291448881e6cf5cd6c4

SHA1
a5bcce8af707ca48171043eb1c3d7618ec224ba9

SHA256
c376c7e1015e220de379598025778d8b928a76453d574e4b5424dc11d3157339

SHA512
568710f6e1abd5f9bb3cf808ab4ad95d5a6a918317c9220e0d457343c86800a558e40e6dd7c51c66bada313629860c9a488dd9be134c31ccc31a1c556efd867f

Download Submit
\Users\Admin\AppData\Local\Temp\lwkcbv.exe
Filesize
64KB

MD5
aaa2ef7131d588fa6f96a645f0bdb8a2

SHA1
800a9badf314335ea00e9926b2217a6335b106b7

SHA256
f8c14fbce31f3fc8ae816f9f6ac50c14d55a9689e0bcaf8b55152d081fd1c2a5

SHA512
492711c755b0d27463d37f72bddec36ee7c4e9510c40d122876512334a76d7e6ece09ee46b7a472e026aae0a52453e89457e88a328888ac79dd08719b2d6158b

Download Submit
\Users\Admin\AppData\Local\Temp\lwkcbv.exe
Filesize
64KB

MD5
aaa2ef7131d588fa6f96a645f0bdb8a2

SHA1
800a9badf314335ea00e9926b2217a6335b106b7

SHA256
f8c14fbce31f3fc8ae816f9f6ac50c14d55a9689e0bcaf8b55152d081fd1c2a5

SHA512
492711c755b0d27463d37f72bddec36ee7c4e9510c40d122876512334a76d7e6ece09ee46b7a472e026aae0a52453e89457e88a328888ac79dd08719b2d6158b

Download Submit
\Users\Admin\AppData\Local\Temp\lwkcbv.exe
Filesize
64KB

MD5
aaa2ef7131d588fa6f96a645f0bdb8a2

SHA1
800a9badf314335ea00e9926b2217a6335b106b7

SHA256
f8c14fbce31f3fc8ae816f9f6ac50c14d55a9689e0bcaf8b55152d081fd1c2a5

SHA512
492711c755b0d27463d37f72bddec36ee7c4e9510c40d122876512334a76d7e6ece09ee46b7a472e026aae0a52453e89457e88a328888ac79dd08719b2d6158b

Download Submit
\Users\Admin\AppData\Local\Temp\lwkcbv.exe
Filesize
64KB

MD5
aaa2ef7131d588fa6f96a645f0bdb8a2

SHA1
800a9badf314335ea00e9926b2217a6335b106b7

SHA256
f8c14fbce31f3fc8ae816f9f6ac50c14d55a9689e0bcaf8b55152d081fd1c2a5

SHA512
492711c755b0d27463d37f72bddec36ee7c4e9510c40d122876512334a76d7e6ece09ee46b7a472e026aae0a52453e89457e88a328888ac79dd08719b2d6158b

Download Submit
\Users\Admin\AppData\Local\Temp\lwkcbv.exe
Filesize
64KB

MD5
aaa2ef7131d588fa6f96a645f0bdb8a2

SHA1
800a9badf314335ea00e9926b2217a6335b106b7

SHA256
f8c14fbce31f3fc8ae816f9f6ac50c14d55a9689e0bcaf8b55152d081fd1c2a5

SHA512
492711c755b0d27463d37f72bddec36ee7c4e9510c40d122876512334a76d7e6ece09ee46b7a472e026aae0a52453e89457e88a328888ac79dd08719b2d6158b

Download Submit
\Users\Admin\AppData\Local\Temp\lwkcbv.exe
Filesize
64KB

MD5
aaa2ef7131d588fa6f96a645f0bdb8a2

SHA1
800a9badf314335ea00e9926b2217a6335b106b7

SHA256
f8c14fbce31f3fc8ae816f9f6ac50c14d55a9689e0bcaf8b55152d081fd1c2a5

SHA512
492711c755b0d27463d37f72bddec36ee7c4e9510c40d122876512334a76d7e6ece09ee46b7a472e026aae0a52453e89457e88a328888ac79dd08719b2d6158b

Download Submit
memory/880-57-0x0000000000000000-mapping.dmp

Download
memory/1712-67-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/1712-70-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/1712-63-0x0000000000000000-mapping.dmp

Download
memory/1712-65-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/1756-54-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/2028-71-0x0000000000000000-mapping.dmp

Download