Analysis
  Max time kernel: 95s
  Max time network: 103s
  Platform: windows10-2004_x64
  Resource: win10v2004-20220414-en
  Submitted: 21-05-2022 19:48
Static task: static1

Behavioral task: behavioral1
  Sample: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
  Resource: win10v2004-20220414-en
General
  Target: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
  Size: 1.7MB
  MD5: 10fa511e7a230d443c6bbc008ebdf1c7
  SHA1: 976e29b1b050a70448ea23976deb8b7f24594e36
  SHA256: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69
  SHA512: 4a2a854bcdcab4ef0fef9cf33814d9dd08f72444079ae29b3228f631e7520ac2a570b1da20c5f76ab2cc4ad88b8073f98a12e27820a3d2f0d559d3606ba5c395
Malware Config
  Extracted
  Family: azorult
  URL: http://bl1we4t.xyz/index.php
Signatures

Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Description: Key value queried
    IoC: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
    Process: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Description: Set value (str)
    IoC: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\engr = "\"C:\\Users\\Admin\\AppData\\Local\\engr.exe\""
    Process: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe

Suspicious use of SetThreadContext (1 IoC)
  Processes:
    Description: PID 1464 set thread context of 3872
    PID: 1464
    Process: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
    Target process: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe (1 IoC)
  Processes:
    PID: 1512
    Process: timeout.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    PID: 1464  Process: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
    PID: 1464  Process: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Description: Token: SeDebugPrivilege
    PID: 1464
    Process: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description | pid | process | target process):
    PID 1464 wrote to memory of 2380 | 1464 | 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe | cmd.exe (3 events)
    PID 2380 wrote to memory of 1512 | 2380 | cmd.exe | timeout.exe (3 events)
    PID 1464 wrote to memory of 3872 | 1464 | 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe | 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe (9 events)
Processes
  1. C:\Users\Admin\AppData\Local\Temp\55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe"
     - Checks computer location settings
     - Adds Run key to start application
     - Suspicious use of SetThreadContext
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c timeout 20
        - Suspicious use of WriteProcessMemory

        3. C:\Windows\SysWOW64\timeout.exe
           Command line: timeout 20
           - Delays execution with timeout.exe

     2. C:\Users\Admin\AppData\Local\Temp\55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dump | size)
  memory/1464-130-0x0000000000FB0000-0x000000000115C000-memory.dmp | 1.7MB
  memory/1464-131-0x000000000DC80000-0x000000000E298000-memory.dmp | 6.1MB
  memory/1464-132-0x000000000E2A0000-0x000000000E844000-memory.dmp | 5.6MB
  memory/1464-133-0x000000000D660000-0x000000000D6F2000-memory.dmp | 584KB
  memory/1512-135-0x0000000000000000-mapping.dmp | (mapping only, no size listed)
  memory/2380-134-0x0000000000000000-mapping.dmp | (mapping only, no size listed)
  memory/3872-136-0x0000000000000000-mapping.dmp | (mapping only, no size listed)
  memory/3872-137-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB
  memory/3872-139-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB
  memory/3872-140-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB