Analysis
- max time kernel: 93s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-08-2022 15:29
Static task: static1
Behavioral task: behavioral1
- Sample: appicon.ps1
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: appicon.ps1
- Resource: win10v2004-20220721-en
General
- Target: appicon.ps1
- Size: 3.5MB
- MD5: 7e8b01de67c0391da2dd1997b8e2f649
- SHA1: 70233d718878b78b32945e8f30cc4bb111542c85
- SHA256: 59833bdf99c6e94235e386ce20c12647010e7de9a74356588b27a7e5fe4710ad
- SHA512: 8f5c85c41d45381045d91def651d00639f0bdc3c86174fcf4e4d7ff1e1a9b872eb7001feb202000fec7047169ccb822e4d977b149c89f249b0dda127074b7511
Malware Config
Extracted
- azorult
- http://188.32.97.44/twitch/fk32nOPxf/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Yara rule match: upx
  resource | yara_rule
  behavioral2/memory/4568-132-0x0000000000400000-0x0000000000B79000-memory.dmp | upx
  behavioral2/memory/4568-136-0x0000000000400000-0x0000000000B79000-memory.dmp | upx
  behavioral2/memory/4568-138-0x0000000000400000-0x0000000000B79000-memory.dmp | upx
  behavioral2/memory/4568-139-0x0000000000400000-0x0000000000B79000-memory.dmp | upx
  behavioral2/memory/4568-141-0x0000000000400000-0x0000000000B79000-memory.dmp | upx
  behavioral2/memory/4568-143-0x0000000000400000-0x0000000000B79000-memory.dmp | upx
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid | process
  4568 | RegAsm.exe (5 identical entries)
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 2208 set thread context of 4568 | 2208 | powershell.exe | RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | process
  2208 | powershell.exe (8 entries)
  4568 | RegAsm.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 2208 | powershell.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | process | target process
  PID 2208 wrote to memory of 4428 | 2208 | powershell.exe | RegAsm.exe (3 entries)
  PID 2208 wrote to memory of 4380 | 2208 | powershell.exe | RegAsm.exe (3 entries)
  PID 2208 wrote to memory of 5012 | 2208 | powershell.exe | RegAsm.exe (3 entries)
  PID 2208 wrote to memory of 4568 | 2208 | powershell.exe | RegAsm.exe (10 entries)
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\appicon.ps1
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Downloads
memory dump | Filesize
memory/2208-130-0x000002021EFC0000-0x000002021EFE2000-memory.dmp | 136KB
memory/2208-131-0x00007FFF3B440000-0x00007FFF3BF01000-memory.dmp | 10.8MB
memory/2208-135-0x00007FFF3B440000-0x00007FFF3BF01000-memory.dmp | 10.8MB
memory/4568-132-0x0000000000400000-0x0000000000B79000-memory.dmp | 7.5MB
memory/4568-133-0x0000000000B76D48-mapping.dmp | (not listed)
memory/4568-136-0x0000000000400000-0x0000000000B79000-memory.dmp | 7.5MB
memory/4568-138-0x0000000000400000-0x0000000000B79000-memory.dmp | 7.5MB
memory/4568-139-0x0000000000400000-0x0000000000B79000-memory.dmp | 7.5MB
memory/4568-140-0x000000007FA50000-0x000000007FE21000-memory.dmp | 3.8MB
memory/4568-141-0x0000000000400000-0x0000000000B79000-memory.dmp | 7.5MB
memory/4568-142-0x000000007FA50000-0x000000007FE21000-memory.dmp | 3.8MB
memory/4568-143-0x0000000000400000-0x0000000000B79000-memory.dmp | 7.5MB