Analysis
- max time kernel: 45s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 23/05/2022, 01:49
Static task: static1
Behavioral task: behavioral1
- Sample: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
- Resource: win10v2004-20220414-en
General
- Target: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
- Size: 1.7MB
- MD5: 10fa511e7a230d443c6bbc008ebdf1c7
- SHA1: 976e29b1b050a70448ea23976deb8b7f24594e36
- SHA256: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69
- SHA512: 4a2a854bcdcab4ef0fef9cf33814d9dd08f72444079ae29b3228f631e7520ac2a570b1da20c5f76ab2cc4ad88b8073f98a12e27820a3d2f0d559d3606ba5c395
Malware Config
Extracted
- Family: azorult
- C2 URL: http://bl1we4t.xyz/index.php
Signatures
- Azorult
  An information stealer first seen in 2016 that targets browsing history and saved passwords. The extracted C2 URL above is the panel gate the stealer reports to.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\engr = "\"C:\\Users\\Admin\\AppData\\Local\\engr.exe\""
  process: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
  The value name is engr and it points at engr.exe under the user's AppData\Local, a user-writable path, so the persistence needs no elevation. This section of the report does not show the file write that would place engr.exe there.
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1448 set thread context of 1996
  pid: 1448
  process: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
  procid_target: 32
  The target, PID 1996, is a second instance of the sample's own image that 1448 also wrote to ten times (see the WriteProcessMemory IoCs below). WriteProcessMemory into a freshly spawned copy of itself followed by SetThreadContext is the process-hollowing (RunPE) shape: the child is created, its memory is overwritten with the real payload, and its thread context is redirected to the new entry point.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description adds "Likely ransomware behaviour", but drive enumeration is equally consistent with a stealer collecting files from fixed and removable media, and nothing in this report shows encryption or mass file renaming.
- Delays execution with timeout.exe (1 IoC)
  pid: 2024
  process: timeout.exe
  The sample runs cmd.exe /c timeout 20 (see Processes), a 20-second sleep that pushes the interesting activity past the start of a short analysis window.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid: 1448 (three occurrences)
  process: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 1448
  process: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  The 22 identical-looking "PID x wrote to memory of y" rows collapse to four source/target pairs:
  source pid | source process | target pid (process) | procid_target | writes
  1448 | 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe | 2040 (cmd.exe) | 28 | 4
  2040 | cmd.exe | 2024 (timeout.exe) | 30 | 4
  1448 | 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe | 1724 (55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe) | 31 | 4
  1448 | 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe | 1996 (55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe) | 32 | 10
  Four writes per child is the baseline this sandbox records for an ordinary CreateProcess (cmd.exe shows the same four when it launches timeout.exe). The ten writes into PID 1996, paired with the SetThreadContext call on the same PID, are what single it out as the hollowed process.
Processes
- C:\Users\Admin\AppData\Local\Temp\55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe (PID 1448)
  command line: "C:\Users\Admin\AppData\Local\Temp\55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2040)
    command line: "C:\Windows\System32\cmd.exe" /c timeout 20
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 2024)
      command line: timeout 20
      - Delays execution with timeout.exe
  - C:\Users\Admin\AppData\Local\Temp\55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe (PID 1724)
    command line: C:\Users\Admin\AppData\Local\Temp\55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
  - C:\Users\Admin\AppData\Local\Temp\55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe (PID 1996)
    command line: C:\Users\Admin\AppData\Local\Temp\55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe

Two details worth reading off the tree. The command line names C:\Windows\System32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe: file-system redirection resolved the path, which tells you the parent (the sample) is a 32-bit process running under WOW64 on this x64 host. The two child instances of the sample's own image carry no signatures of their own; PID 1996 is the one that received ten memory writes and the SetThreadContext call from 1448, so it is the hollowed copy that would run the unpacked Azorult payload, while PID 1724 received only the baseline four writes.
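The process-hollowing pattern and the Run-key IoC called out in the Signatures section can be checked mechanically over the report's own signature lines. The script below is an added example for this page, not sandbox output and not code from the sample; the event lines and process list are copied from the report above, while the function names, the `min_writes` threshold and the `user_writable` heuristic are the example's own assumptions.

```python
import re
from collections import defaultdict

SAMPLE = "55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe"

# Signature lines copied from the report's WriteProcessMemory and SetThreadContext
# IoCs. Format: "PID <src> <verb> <dst> <src> <src image> <procid_target>".
EVENT_LINES = (
    [f"PID 1448 wrote to memory of 2040 1448 {SAMPLE} 28"] * 4
    + ["PID 2040 wrote to memory of 2024 2040 cmd.exe 30"] * 4
    + [f"PID 1448 wrote to memory of 1724 1448 {SAMPLE} 31"] * 4
    + [f"PID 1448 wrote to memory of 1996 1448 {SAMPLE} 32"] * 10
    + [f"PID 1448 set thread context of 1996 1448 {SAMPLE} 32"]
)

# pid -> image basename, taken from the report's process tree.
PROCESSES = {1448: SAMPLE, 2040: "cmd.exe", 2024: "timeout.exe",
             1724: SAMPLE, 1996: SAMPLE}

# The Run-key IoC line exactly as the sandbox prints it (backslashes and quotes
# inside the value data are double-escaped by the sandbox).
RUN_KEY_LINE = (
    r"Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\engr = "
    r'"\"C:\\Users\\Admin\\AppData\\Local\\engr.exe\""'
)

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) (?P<target>\d+)$"
)
RUN_RE = re.compile(
    r'Set value \(str\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\ ]+) = "(?P<data>.*)"$'
)


def parse_event(line):
    """Turn one sandbox IoC line into a dict, or None if it is not a memory event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {"src": int(m["src"]), "dst": int(m["dst"]),
            "verb": "write" if m["verb"].startswith("wrote") else "setctx",
            "image": m["image"]}


def tally(lines):
    """Count WriteProcessMemory calls per (src, dst) and collect SetThreadContext pairs."""
    writes = defaultdict(int)
    setctx = set()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["verb"] == "write":
            writes[(ev["src"], ev["dst"])] += 1
        else:
            setctx.add((ev["src"], ev["dst"]))
    return writes, setctx


def find_hollowing(lines, processes, min_writes=5):
    """Flag (parent, child) pairs where the parent wrote to the child more than the
    four-write CreateProcess baseline seen in this report AND then called
    SetThreadContext on it. same_image marks the self-hollowing (RunPE) variant.
    min_writes is an assumed threshold, not a sandbox setting."""
    writes, setctx = tally(lines)
    findings = []
    for src, dst in sorted(setctx):
        n = writes.get((src, dst), 0)
        if n >= min_writes:
            findings.append({"parent": src, "child": dst, "writes": n,
                             "same_image": processes.get(src) == processes.get(dst)})
    return findings


def parse_run_key(line):
    """Extract key path, value name and unescaped data from a 'Set value (str)' IoC.
    user_writable is a heuristic: data under AppData needs no elevation to plant."""
    m = RUN_RE.search(line)
    if not m:
        return None
    data = m["data"].replace('\\"', '"').replace("\\\\", "\\").strip('"')
    return {"key": m["key"], "name": m["name"], "data": data,
            "user_writable": "\\AppData\\" in data}


if __name__ == "__main__":
    for f in find_hollowing(EVENT_LINES, PROCESSES):
        print("hollowing candidate:", f)
    print("persistence:", parse_run_key(RUN_KEY_LINE))
```

Because the threshold sits above the four writes every ordinary child gets here, cmd.exe (four writes, no SetThreadContext) and PID 1724 (four writes) drop out and only the 1448 -> 1996 pair is reported; removing the SetThreadContext line alone is enough to make the finding disappear, which is the point of requiring both halves of the pattern.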