Analysis
-
max time kernel
61s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
27-09-2022 08:38
Static task
static1
Behavioral task
behavioral1
Sample
lZSrXwYDDkbZYDN.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
lZSrXwYDDkbZYDN.exe
Resource
win10v2004-20220812-en
General
-
Target
lZSrXwYDDkbZYDN.exe
-
Size
1002KB
-
MD5
416f3e2e12938b9627f1b898ad4a689b
-
SHA1
c1a34c536411f34b75c633a6551e0e78b92662c2
-
SHA256
f2d7275a6557c9fa6501794d6f12155813e1ffc672f65f349d3b404952b4701f
-
SHA512
900f606532caf15e1ecd1c6f4ce97a746774f20f549ab090420be151c293bfa39b364d6857b4c6d87162f53f13a941ce66ecece6e2c1f6978e1978ba9204bb06
-
SSDEEP
12288:Zqv+9fw2iNuthqXcsFEYpl8/qSLeQB9PR5ZnaOrRtIE+PPh3+MkorlulYxRqRlr:ZqMo14hqXZoXeYvX9UxCmlVAST
Malware Config
Extracted
azorult
http://ble33n.shop/PL341/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
lZSrXwYDDkbZYDN.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation lZSrXwYDDkbZYDN.exe -
Loads dropped DLL 4 IoCs
Processes:
lZSrXwYDDkbZYDN.exepid process 3472 lZSrXwYDDkbZYDN.exe 3472 lZSrXwYDDkbZYDN.exe 3472 lZSrXwYDDkbZYDN.exe 3472 lZSrXwYDDkbZYDN.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
lZSrXwYDDkbZYDN.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook lZSrXwYDDkbZYDN.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook lZSrXwYDDkbZYDN.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook lZSrXwYDDkbZYDN.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
lZSrXwYDDkbZYDN.exedescription pid process target process PID 4656 set thread context of 3472 4656 lZSrXwYDDkbZYDN.exe lZSrXwYDDkbZYDN.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
lZSrXwYDDkbZYDN.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString lZSrXwYDDkbZYDN.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 lZSrXwYDDkbZYDN.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 2008 timeout.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
lZSrXwYDDkbZYDN.exepid process 3472 lZSrXwYDDkbZYDN.exe 3472 lZSrXwYDDkbZYDN.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
lZSrXwYDDkbZYDN.exelZSrXwYDDkbZYDN.execmd.exedescription pid process target process PID 4656 wrote to memory of 3472 4656 lZSrXwYDDkbZYDN.exe lZSrXwYDDkbZYDN.exe PID 4656 wrote to memory of 3472 4656 lZSrXwYDDkbZYDN.exe lZSrXwYDDkbZYDN.exe PID 4656 wrote to memory of 3472 4656 lZSrXwYDDkbZYDN.exe lZSrXwYDDkbZYDN.exe PID 4656 wrote to memory of 3472 4656 lZSrXwYDDkbZYDN.exe lZSrXwYDDkbZYDN.exe PID 4656 wrote to memory of 3472 4656 lZSrXwYDDkbZYDN.exe lZSrXwYDDkbZYDN.exe PID 4656 wrote to memory of 3472 4656 lZSrXwYDDkbZYDN.exe lZSrXwYDDkbZYDN.exe PID 4656 wrote to memory of 3472 4656 lZSrXwYDDkbZYDN.exe lZSrXwYDDkbZYDN.exe PID 4656 wrote to memory of 3472 4656 lZSrXwYDDkbZYDN.exe lZSrXwYDDkbZYDN.exe PID 4656 wrote to memory of 3472 4656 lZSrXwYDDkbZYDN.exe lZSrXwYDDkbZYDN.exe PID 3472 wrote to memory of 3444 3472 lZSrXwYDDkbZYDN.exe cmd.exe PID 3472 wrote to memory of 3444 3472 lZSrXwYDDkbZYDN.exe cmd.exe PID 3472 wrote to memory of 3444 3472 lZSrXwYDDkbZYDN.exe cmd.exe PID 3444 wrote to memory of 2008 3444 cmd.exe timeout.exe PID 3444 wrote to memory of 2008 3444 cmd.exe timeout.exe PID 3444 wrote to memory of 2008 3444 cmd.exe timeout.exe -
outlook_office_path 1 IoCs
Processes:
lZSrXwYDDkbZYDN.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook lZSrXwYDDkbZYDN.exe -
outlook_win_path 1 IoCs
Processes:
lZSrXwYDDkbZYDN.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook lZSrXwYDDkbZYDN.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\lZSrXwYDDkbZYDN.exe"C:\Users\Admin\AppData\Local\Temp\lZSrXwYDDkbZYDN.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Users\Admin\AppData\Local\Temp\lZSrXwYDDkbZYDN.exe"C:\Users\Admin\AppData\Local\Temp\lZSrXwYDDkbZYDN.exe"2⤵
- Checks computer location settings
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3472 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "lZSrXwYDDkbZYDN.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\SysWOW64\timeout.exeC:\Windows\system32\timeout.exe 34⤵
- Delays execution with timeout.exe
PID:2008
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
135KB
MD59e682f1eb98a9d41468fc3e50f907635
SHA185e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
-
Filesize
429KB
MD5109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
Filesize
1.2MB
MD5556ea09421a0f74d31c4c0a89a70dc23
SHA1f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA5122481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
-
Filesize
81KB
MD57587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f