Analysis

  • max time kernel
    112s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    23/05/2022, 01:49

General

  • Target

    55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe

  • Size

    1.7MB

  • MD5

    10fa511e7a230d443c6bbc008ebdf1c7

  • SHA1

    976e29b1b050a70448ea23976deb8b7f24594e36

  • SHA256

    55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69

  • SHA512

    4a2a854bcdcab4ef0fef9cf33814d9dd08f72444079ae29b3228f631e7520ac2a570b1da20c5f76ab2cc4ad88b8073f98a12e27820a3d2f0d559d3606ba5c395

Malware Config

Extracted

Family

azorult

C2

http://bl1we4t.xyz/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
    "C:\Users\Admin\AppData\Local\Temp\55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 20
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4756
      • C:\Windows\SysWOW64\timeout.exe
        timeout 20
        3⤵
        • Delays execution with timeout.exe
        PID:4364
    • C:\Users\Admin\AppData\Local\Temp\55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
      C:\Users\Admin\AppData\Local\Temp\55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
      2⤵
        PID:4252

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/3196-130-0x0000000000F60000-0x000000000110C000-memory.dmp

            Filesize

            1.7MB

          • memory/3196-131-0x000000000CB50000-0x000000000D168000-memory.dmp

            Filesize

            6.1MB

          • memory/3196-132-0x000000000D170000-0x000000000D714000-memory.dmp

            Filesize

            5.6MB

          • memory/3196-133-0x000000000C530000-0x000000000C5C2000-memory.dmp

            Filesize

            584KB

          • memory/4252-137-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

          • memory/4252-139-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

          • memory/4252-140-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB