azorult | hxxp://wiwirdo[.]ac[.]ug/azne[.]exe

General

Target

http://wiwirdo.ac.ug/azne.exe

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

azne.exe

pid process

1824 azne.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

azne.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Control Panel\International\Geo\Nation azne.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

azne.exe

description pid process target process

PID 1824 set thread context of 760 1824 azne.exe InstallUtil.exe

pid	process
1824	azne.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Control Panel\International\Geo\Nation	azne.exe

description	pid	process	target process
PID 1824 set thread context of 760	1824	azne.exe	InstallUtil.exe

Drops file in Windows directory 2 IoCs

Processes:

iexplore.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	iexplore.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	iexplore.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 609eb0a81faed801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0bd96ba1faed801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007647cecb75a30445a6fd9fb68eba542700000000020000000000106600000001000020000000f1d3532a032a5ff9126585c54415f1ff6543e759b4cd1c5cab4bbedc6fd284e8000000000e8000000002000020000000d69a7a182a147e99af28d9d44331e7c3eacaa9a664b75ab95aeb877112e64d1990000000a927af8b8fe942b72be3f443bcc998809a9cbd23686560aa54e95f864639ed7352e8f3460f6eb61e95623f2a046ac0ead9f7f75bdf876ac89118123c1f5976aa2df094c299473116db6e9b61b0f984210194236e9a71e5ef2fba9eb193a2cbffe3c317c5eef154e714370bff825fb5b2e2d710cbaba8542d0e5d88a9514d0118a05ce6e3530f9d9a2d3233c0fa20a1c340000000bea513857766579e067e46e56362e66b37fbb175ba237ac04bdae4c6ed6bcef4d619d165d66338c66a5dd1ee2ba447e42fc4b1214eb7c6879220cb7363ccdb3c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007647cecb75a30445a6fd9fb68eba542700000000020000000000106600000001000020000000b2d04b472ba7cb6cabd893119d436d3ef9e09982aac92f79a059a1fc72497ea0000000000e8000000002000020000000a063809ed92205a33634eea3ab17700a823c4e82a6316fbd84937b7ee83460ba2000000089f47cc4623ec839d56ed8d1a67e9b7e013a5ca6b1f467217fcc2204448fce0740000000ec0296bc9d8717043bc9cda18d7b23ff335cf380a2f445da10c6b0bb5812d94d2b130eddf3a1c7fd2d60bc25d35562f8047c97d02a17f62c5a730fcfbfa98224	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "367055360"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D8B44621-1A12-11ED-A827-6ACE15CCDF97} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies registry class 48 IoCs

Processes:

iexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe230000100090e24d373f126545916439c4925e467b00000000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

azne.exe

pid process

1824 azne.exe
1824 azne.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1932 iexplore.exe
1932 iexplore.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1932 iexplore.exe
1932 iexplore.exe
1264 IEXPLORE.EXE
1264 IEXPLORE.EXE
1932 iexplore.exe

pid	process
1824	azne.exe
1824	azne.exe

pid	process
1932	iexplore.exe
1932	iexplore.exe

pid	process
1932	iexplore.exe
1932	iexplore.exe
1264	IEXPLORE.EXE
1264	IEXPLORE.EXE
1932	iexplore.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

iexplore.exeazne.exe

description	pid	process	target process
PID 1932 wrote to memory of 1264	1932	iexplore.exe	IEXPLORE.EXE
PID 1932 wrote to memory of 1264	1932	iexplore.exe	IEXPLORE.EXE
PID 1932 wrote to memory of 1264	1932	iexplore.exe	IEXPLORE.EXE
PID 1932 wrote to memory of 1264	1932	iexplore.exe	IEXPLORE.EXE
PID 1824 wrote to memory of 760	1824	azne.exe	InstallUtil.exe
PID 1824 wrote to memory of 760	1824	azne.exe	InstallUtil.exe
PID 1824 wrote to memory of 760	1824	azne.exe	InstallUtil.exe
PID 1824 wrote to memory of 760	1824	azne.exe	InstallUtil.exe
PID 1824 wrote to memory of 760	1824	azne.exe	InstallUtil.exe
PID 1824 wrote to memory of 760	1824	azne.exe	InstallUtil.exe
PID 1824 wrote to memory of 760	1824	azne.exe	InstallUtil.exe
PID 1824 wrote to memory of 760	1824	azne.exe	InstallUtil.exe
PID 1824 wrote to memory of 760	1824	azne.exe	InstallUtil.exe
PID 1824 wrote to memory of 760	1824	azne.exe	InstallUtil.exe
PID 1824 wrote to memory of 760	1824	azne.exe	InstallUtil.exe
PID 1824 wrote to memory of 760	1824	azne.exe	InstallUtil.exe
PID 1824 wrote to memory of 760	1824	azne.exe	InstallUtil.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://wiwirdo.ac.ug/azne.exe
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1264

C:\Users\Admin\Desktop\azne.exe
"C:\Users\Admin\Desktop\azne.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
PID:760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WPY7EY0I.txt
Filesize
605B

MD5
b8b9aa6a95901652abc10d4ab25d7e9f

SHA1
084edd1f923b6adbd75ef454b5747d0a92639e3c

SHA256
39275ca51d3708a3d3e56392492c08fe7761bcd87d81b47511df73faff4ab223

SHA512
10bb8ca84f34fe6e50075b9f519cdcbd7b628800b0b97dc84234dcf31da96256472eca3e9d10abfa4174aa2d81c65adcf25c52c914e194b9ef8e0ea2a6bb4d96

Download Submit
C:\Users\Admin\Desktop\azne.exe
Filesize
283KB

MD5
438cbbc5449ace7dc2f23c8f884a51e5

SHA1
e485f4b2797c6e3cb66c0fdcf388a4373b5dc495

SHA256
c56d7650cb69a9ecc1cb26d4324a0708ae5eea20e640b33e32bbcb45b58c0703

SHA512
2c92aea2256975d7eaf2f0c35622a41dfd189961f4fc5f302ec6133cd6aa8e6ab80d089e594afa51fc71c3d7bff4737e8ebafbd7c2c6327d73cd1682f1b6afb2

Download Submit
C:\Users\Admin\Desktop\azne.exe.owqk6ld.partial
Filesize
283KB

MD5
438cbbc5449ace7dc2f23c8f884a51e5

SHA1
e485f4b2797c6e3cb66c0fdcf388a4373b5dc495

SHA256
c56d7650cb69a9ecc1cb26d4324a0708ae5eea20e640b33e32bbcb45b58c0703

SHA512
2c92aea2256975d7eaf2f0c35622a41dfd189961f4fc5f302ec6133cd6aa8e6ab80d089e594afa51fc71c3d7bff4737e8ebafbd7c2c6327d73cd1682f1b6afb2

Download Submit
memory/760-68-0x000000000041A684-mapping.dmp

Download
memory/760-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/760-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/760-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/760-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/760-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/760-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/760-70-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/760-72-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1824-58-0x0000000000CF0000-0x0000000000D48000-memory.dmp

Filesize
352KB

Download
memory/1824-59-0x0000000000B40000-0x0000000000B8C000-memory.dmp

Filesize
304KB

Download
memory/1824-57-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download
memory/1824-56-0x00000000013A0000-0x00000000013EC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads