Overview

overview

10

Static

static

URLScan

urlscan

1

http://wiwirdo.ac.ug...

windows7-x64

10

http://wiwirdo.ac.ug...

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-08-2022 05:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://wiwirdo.ac.ug/azne.exe

Score
10/10
azorultinfostealertrojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
    adwarespyware
  • Modifies registry class 56 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://wiwirdo.ac.ug/azne.exe
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3560
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3560 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4964
  • C:\Users\Admin\Desktop\azne.exe
    "C:\Users\Admin\Desktop\azne.exe"
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1896
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
        PID:1312
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        2⤵
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:3648

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\C0A1EEE1\mozglue.dll
      Filesize

      135KB

      MD5

      9e682f1eb98a9d41468fc3e50f907635

      SHA1

      85e0ceca36f657ddf6547aa0744f0855a27527ee

      SHA256

      830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

      SHA512

      230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\C0A1EEE1\msvcp140.dll
      Filesize

      429KB

      MD5

      109f0f02fd37c84bfc7508d4227d7ed5

      SHA1

      ef7420141bb15ac334d3964082361a460bfdb975

      SHA256

      334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

      SHA512

      46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\C0A1EEE1\nss3.dll
      Filesize

      1.2MB

      MD5

      556ea09421a0f74d31c4c0a89a70dc23

      SHA1

      f739ba9b548ee64b13eb434a3130406d23f836e3

      SHA256

      f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

      SHA512

      2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\C0A1EEE1\vcruntime140.dll
      Filesize

      81KB

      MD5

      7587bf9cb4147022cd5681b015183046

      SHA1

      f2106306a8f6f0da5afb7fc765cfa0757ad5a628

      SHA256

      c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

      SHA512

      0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\C0A1EEE1\vcruntime140.dll
      Filesize

      81KB

      MD5

      7587bf9cb4147022cd5681b015183046

      SHA1

      f2106306a8f6f0da5afb7fc765cfa0757ad5a628

      SHA256

      c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

      SHA512

      0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\C0A1EEE1\vcruntime140.dll
      Filesize

      81KB

      MD5

      7587bf9cb4147022cd5681b015183046

      SHA1

      f2106306a8f6f0da5afb7fc765cfa0757ad5a628

      SHA256

      c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

      SHA512

      0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

      Download Submit
    • C:\Users\Admin\Desktop\azne.exe
      Filesize

      283KB

      MD5

      438cbbc5449ace7dc2f23c8f884a51e5

      SHA1

      e485f4b2797c6e3cb66c0fdcf388a4373b5dc495

      SHA256

      c56d7650cb69a9ecc1cb26d4324a0708ae5eea20e640b33e32bbcb45b58c0703

      SHA512

      2c92aea2256975d7eaf2f0c35622a41dfd189961f4fc5f302ec6133cd6aa8e6ab80d089e594afa51fc71c3d7bff4737e8ebafbd7c2c6327d73cd1682f1b6afb2

      Download Submit
    • C:\Users\Admin\Desktop\azne.exe.0d0taj2.partial
      Filesize

      283KB

      MD5

      438cbbc5449ace7dc2f23c8f884a51e5

      SHA1

      e485f4b2797c6e3cb66c0fdcf388a4373b5dc495

      SHA256

      c56d7650cb69a9ecc1cb26d4324a0708ae5eea20e640b33e32bbcb45b58c0703

      SHA512

      2c92aea2256975d7eaf2f0c35622a41dfd189961f4fc5f302ec6133cd6aa8e6ab80d089e594afa51fc71c3d7bff4737e8ebafbd7c2c6327d73cd1682f1b6afb2

      Download Submit
    • memory/1312-138-0x0000000000000000-mapping.dmp
      Download
    • memory/1896-136-0x0000000005900000-0x0000000005992000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1896-137-0x00000000058F0000-0x00000000058FA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1896-135-0x0000000005E10000-0x00000000063B4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1896-134-0x0000000000F00000-0x0000000000F4C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3648-143-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/3648-142-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/3648-140-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/3648-139-0x0000000000000000-mapping.dmp
      Download
    • memory/3648-150-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download