azorult | 390ba9da469491e34db509524293b00feb22b768a11c0792d67c92b17881a521

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-09-2022 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Inkooporders voor factuur 28-09-22.exe
Size

428KB
MD5

5ce3b1bbcb5e6de79fdf2b4bbf9a8c65
SHA1

25e9d8e5a31913b28b9bcaf64574ef135e0fa3e9
SHA256

390ba9da469491e34db509524293b00feb22b768a11c0792d67c92b17881a521
SHA512

ed6c8de8791bdec42641b730896675e24d77d67b48c396f04b9b2f537cfa72f7b66a76813ffbf621bdc52e26cfb28c53bdba55acb9e255d3cd021a3e07227af3
SSDEEP

6144:uTouKrWBEu3/Z2lpGDHU3ykJF1Mai/nsSL2pNUn+/V6QcjX5P6uE:uToPWBv/cpGrU3ywtmnsSL6u+/Eg

Score

10^/10

azorult infostealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 1 IoCs

Processes:

uwmldfjccru.exe

pid process

1868 uwmldfjccru.exe

pid	process
1868	uwmldfjccru.exe

Loads dropped DLL 11 IoCs

Processes:

Inkooporders voor factuur 28-09-22.exeuwmldfjccru.exeuwmldfjccru.exeWerFault.exe

pid	process
1584	Inkooporders voor factuur 28-09-22.exe
1584	Inkooporders voor factuur 28-09-22.exe
1584	Inkooporders voor factuur 28-09-22.exe
1584	Inkooporders voor factuur 28-09-22.exe
1868	uwmldfjccru.exe
1128	uwmldfjccru.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe
2020	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

uwmldfjccru.exe

description pid process target process

PID 1868 set thread context of 1128 1868 uwmldfjccru.exe uwmldfjccru.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2020 1868 WerFault.exe uwmldfjccru.exe

description	pid	process	target process
PID 1868 set thread context of 1128	1868	uwmldfjccru.exe	uwmldfjccru.exe

pid	pid_target	process	target process
2020	1868	WerFault.exe	uwmldfjccru.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Inkooporders voor factuur 28-09-22.exeuwmldfjccru.exe

description	pid	process	target process
PID 1584 wrote to memory of 1868	1584	Inkooporders voor factuur 28-09-22.exe	uwmldfjccru.exe
PID 1584 wrote to memory of 1868	1584	Inkooporders voor factuur 28-09-22.exe	uwmldfjccru.exe
PID 1584 wrote to memory of 1868	1584	Inkooporders voor factuur 28-09-22.exe	uwmldfjccru.exe
PID 1584 wrote to memory of 1868	1584	Inkooporders voor factuur 28-09-22.exe	uwmldfjccru.exe
PID 1868 wrote to memory of 1128	1868	uwmldfjccru.exe	uwmldfjccru.exe
PID 1868 wrote to memory of 1128	1868	uwmldfjccru.exe	uwmldfjccru.exe
PID 1868 wrote to memory of 1128	1868	uwmldfjccru.exe	uwmldfjccru.exe
PID 1868 wrote to memory of 1128	1868	uwmldfjccru.exe	uwmldfjccru.exe
PID 1868 wrote to memory of 1128	1868	uwmldfjccru.exe	uwmldfjccru.exe
PID 1868 wrote to memory of 2020	1868	uwmldfjccru.exe	WerFault.exe
PID 1868 wrote to memory of 2020	1868	uwmldfjccru.exe	WerFault.exe
PID 1868 wrote to memory of 2020	1868	uwmldfjccru.exe	WerFault.exe
PID 1868 wrote to memory of 2020	1868	uwmldfjccru.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Inkooporders voor factuur 28-09-22.exe
"C:\Users\Admin\AppData\Local\Temp\Inkooporders voor factuur 28-09-22.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe
"C:\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe
"C:\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe"
3⤵
- Loads dropped DLL
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 220
3⤵
- Loads dropped DLL
- Program crash
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dwhwq.yal
Filesize
112KB

MD5
d27c158245078509fd55786ac41510be

SHA1
932a72ab2591fdad28538a8c81fc38d05c00e655

SHA256
a07db9f703d4ab31316375030ca37bb25c1a4b3be9db559d5e9a897e54df7188

SHA512
e1337346d3c5732324378d5e23d57f06caf19e8d65a55404d1764915998c176ad56f1ec2fe4918562de95e30eb44b3e35ef3b8395ebf7fc208c827d803ebe20a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvbvc.wi
Filesize
4KB

MD5
e854155a021d9bc03e4b3d9021551ea7

SHA1
d8ed02e8cd8747a4933d5512f977ca531c5a3aea

SHA256
1f185fb5b1ceeb00eac1ec67c1c8c894d670c478fbe03157987ebbafaf4874dd

SHA512
b8171f24589195fc004beae5d67d45cc81a216ec95cebabd36f7ca25e0d7303eb04a734afafb309c06b39b99ca75ea0d3a9b313e9e7d20830f1040219e08ca62

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe
Filesize
58KB

MD5
728abee2e95f1c9854d5153832c21a24

SHA1
9b4f0b702c2e0f2d548782b2d314708dbf362ff6

SHA256
782e8dc429b53922ff2a067cbbb502004c15da4298103f79a706b8645110904b

SHA512
1a6631dbcaba338e78e39bfbaa8aad9a427edca0f11b686003ab2b5364c1f9845dd83b7e6c604be796afdb860a786b8fbcc9016349c0c9bd271d0dc08fb3e69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe
Filesize
58KB

MD5
728abee2e95f1c9854d5153832c21a24

SHA1
9b4f0b702c2e0f2d548782b2d314708dbf362ff6

SHA256
782e8dc429b53922ff2a067cbbb502004c15da4298103f79a706b8645110904b

SHA512
1a6631dbcaba338e78e39bfbaa8aad9a427edca0f11b686003ab2b5364c1f9845dd83b7e6c604be796afdb860a786b8fbcc9016349c0c9bd271d0dc08fb3e69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe
Filesize
58KB

MD5
728abee2e95f1c9854d5153832c21a24

SHA1
9b4f0b702c2e0f2d548782b2d314708dbf362ff6

SHA256
782e8dc429b53922ff2a067cbbb502004c15da4298103f79a706b8645110904b

SHA512
1a6631dbcaba338e78e39bfbaa8aad9a427edca0f11b686003ab2b5364c1f9845dd83b7e6c604be796afdb860a786b8fbcc9016349c0c9bd271d0dc08fb3e69e

Download Submit
\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe
Filesize
58KB

MD5
728abee2e95f1c9854d5153832c21a24

SHA1
9b4f0b702c2e0f2d548782b2d314708dbf362ff6

SHA256
782e8dc429b53922ff2a067cbbb502004c15da4298103f79a706b8645110904b

SHA512
1a6631dbcaba338e78e39bfbaa8aad9a427edca0f11b686003ab2b5364c1f9845dd83b7e6c604be796afdb860a786b8fbcc9016349c0c9bd271d0dc08fb3e69e

Download Submit
\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe
Filesize
58KB

MD5
728abee2e95f1c9854d5153832c21a24

SHA1
9b4f0b702c2e0f2d548782b2d314708dbf362ff6

SHA256
782e8dc429b53922ff2a067cbbb502004c15da4298103f79a706b8645110904b

SHA512
1a6631dbcaba338e78e39bfbaa8aad9a427edca0f11b686003ab2b5364c1f9845dd83b7e6c604be796afdb860a786b8fbcc9016349c0c9bd271d0dc08fb3e69e

Download Submit
\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe
Filesize
58KB

MD5
728abee2e95f1c9854d5153832c21a24

SHA1
9b4f0b702c2e0f2d548782b2d314708dbf362ff6

SHA256
782e8dc429b53922ff2a067cbbb502004c15da4298103f79a706b8645110904b

SHA512
1a6631dbcaba338e78e39bfbaa8aad9a427edca0f11b686003ab2b5364c1f9845dd83b7e6c604be796afdb860a786b8fbcc9016349c0c9bd271d0dc08fb3e69e

Download Submit
\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe
Filesize
58KB

MD5
728abee2e95f1c9854d5153832c21a24

SHA1
9b4f0b702c2e0f2d548782b2d314708dbf362ff6

SHA256
782e8dc429b53922ff2a067cbbb502004c15da4298103f79a706b8645110904b

SHA512
1a6631dbcaba338e78e39bfbaa8aad9a427edca0f11b686003ab2b5364c1f9845dd83b7e6c604be796afdb860a786b8fbcc9016349c0c9bd271d0dc08fb3e69e

Download Submit
\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe
Filesize
58KB

MD5
728abee2e95f1c9854d5153832c21a24

SHA1
9b4f0b702c2e0f2d548782b2d314708dbf362ff6

SHA256
782e8dc429b53922ff2a067cbbb502004c15da4298103f79a706b8645110904b

SHA512
1a6631dbcaba338e78e39bfbaa8aad9a427edca0f11b686003ab2b5364c1f9845dd83b7e6c604be796afdb860a786b8fbcc9016349c0c9bd271d0dc08fb3e69e

Download Submit
\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe
Filesize
58KB

MD5
728abee2e95f1c9854d5153832c21a24

SHA1
9b4f0b702c2e0f2d548782b2d314708dbf362ff6

SHA256
782e8dc429b53922ff2a067cbbb502004c15da4298103f79a706b8645110904b

SHA512
1a6631dbcaba338e78e39bfbaa8aad9a427edca0f11b686003ab2b5364c1f9845dd83b7e6c604be796afdb860a786b8fbcc9016349c0c9bd271d0dc08fb3e69e

Download Submit
\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe
Filesize
58KB

MD5
728abee2e95f1c9854d5153832c21a24

SHA1
9b4f0b702c2e0f2d548782b2d314708dbf362ff6

SHA256
782e8dc429b53922ff2a067cbbb502004c15da4298103f79a706b8645110904b

SHA512
1a6631dbcaba338e78e39bfbaa8aad9a427edca0f11b686003ab2b5364c1f9845dd83b7e6c604be796afdb860a786b8fbcc9016349c0c9bd271d0dc08fb3e69e

Download Submit
\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe
Filesize
58KB

MD5
728abee2e95f1c9854d5153832c21a24

SHA1
9b4f0b702c2e0f2d548782b2d314708dbf362ff6

SHA256
782e8dc429b53922ff2a067cbbb502004c15da4298103f79a706b8645110904b

SHA512
1a6631dbcaba338e78e39bfbaa8aad9a427edca0f11b686003ab2b5364c1f9845dd83b7e6c604be796afdb860a786b8fbcc9016349c0c9bd271d0dc08fb3e69e

Download Submit
\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe
Filesize
58KB

MD5
728abee2e95f1c9854d5153832c21a24

SHA1
9b4f0b702c2e0f2d548782b2d314708dbf362ff6

SHA256
782e8dc429b53922ff2a067cbbb502004c15da4298103f79a706b8645110904b

SHA512
1a6631dbcaba338e78e39bfbaa8aad9a427edca0f11b686003ab2b5364c1f9845dd83b7e6c604be796afdb860a786b8fbcc9016349c0c9bd271d0dc08fb3e69e

Download Submit
\Users\Admin\AppData\Local\Temp\uwmldfjccru.exe
Filesize
58KB

MD5
728abee2e95f1c9854d5153832c21a24

SHA1
9b4f0b702c2e0f2d548782b2d314708dbf362ff6

SHA256
782e8dc429b53922ff2a067cbbb502004c15da4298103f79a706b8645110904b

SHA512
1a6631dbcaba338e78e39bfbaa8aad9a427edca0f11b686003ab2b5364c1f9845dd83b7e6c604be796afdb860a786b8fbcc9016349c0c9bd271d0dc08fb3e69e

Download Submit
memory/1128-66-0x000000000041A684-mapping.dmp

Download
memory/1584-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1868-59-0x0000000000000000-mapping.dmp

Download
memory/2020-68-0x0000000000000000-mapping.dmp

Download