Analysis
max time kernel: 112s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 23/05/2022, 01:49
Static task: static1
Behavioral task: behavioral1
  Sample: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
  Resource: win10v2004-20220414-en
General
Target: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
Size: 1.7MB
MD5: 10fa511e7a230d443c6bbc008ebdf1c7
SHA1: 976e29b1b050a70448ea23976deb8b7f24594e36
SHA256: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69
SHA512: 4a2a854bcdcab4ef0fef9cf33814d9dd08f72444079ae29b3228f631e7520ac2a570b1da20c5f76ab2cc4ad88b8073f98a12e27820a3d2f0d559d3606ba5c395
Malware Config
Extracted
azorult
http://bl1we4t.xyz/index.php
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
  Process: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\engr = "\"C:\\Users\\Admin\\AppData\\Local\\engr.exe\""
  Process: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
Suspicious use of SetThreadContext (1 IoCs)
  description: PID 3196 set thread context of 4252
  pid: 3196
  Process: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
  procid_target: 91

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe (1 IoCs)
  pid: 4364
  Process: timeout.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 3196  Process: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
  pid: 3196  Process: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege
  pid: 3196
  Process: 55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                           pid   Process                                                                   procid_target
  PID 3196 wrote to memory of 4756      3196  55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe  83
  PID 3196 wrote to memory of 4756      3196  55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe  83
  PID 3196 wrote to memory of 4756      3196  55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe  83
  PID 4756 wrote to memory of 4364      4756  cmd.exe                                                                   85
  PID 4756 wrote to memory of 4364      4756  cmd.exe                                                                   85
  PID 4756 wrote to memory of 4364      4756  cmd.exe                                                                   85
  PID 3196 wrote to memory of 4252      3196  55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe  91
  PID 3196 wrote to memory of 4252      3196  55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe  91
  PID 3196 wrote to memory of 4252      3196  55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe  91
  PID 3196 wrote to memory of 4252      3196  55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe  91
  PID 3196 wrote to memory of 4252      3196  55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe  91
  PID 3196 wrote to memory of 4252      3196  55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe  91
  PID 3196 wrote to memory of 4252      3196  55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe  91
  PID 3196 wrote to memory of 4252      3196  55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe  91
  PID 3196 wrote to memory of 4252      3196  55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe  91
Processes

C:\Users\Admin\AppData\Local\Temp\55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe"
  PID: 3196
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 20
    PID: 4756
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 20
      PID: 4364
      - Delays execution with timeout.exe

  C:\Users\Admin\AppData\Local\Temp\55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\55d6cf850bc8e1f91d1d5b0905eed004df00da757e7ffc80fead608ff18f1e69.exe
    PID: 4252