Analysis
- max time kernel: 140s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 25-03-2023 13:26
Static task
- static1
Behavioral task
- behavioral1
  Sample: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
  Resource: win7-20230220-en
Behavioral task
- behavioral2
  Sample: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
  Resource: win10v2004-20230220-en
General
- Target: ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
- Size: 8.0MB
- MD5: 1ac70328ce1dea448647022c5b360a67
- SHA1: 4f295ccfc7b7a2eeeec53df66d22743dbac301a6
- SHA256: addcdf9e3bac722442fb269492fea86e91d4e97ee5df4ca5c03515d534fb0c51
- SHA512: 26192e10e1b095739fd2b193c199aa689b0f7d26d57bef9718ef1cee41b95e5b4113cc987cd1847a7a1f3e727f0601099bde92591d3e153ddb37fa36e4f897c5
- SSDEEP: 196608:oKFIqkBPpjIwzMYsK6fg4/Lovsc+eQ5AdlH3sxAPflIKap:vkFAYsrfx8vJ+eQAd5sxAPmfp
Malware Config
Extracted
azorult
http://f0355889.xsph.ru/Panel/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
    1004  csrss.exe
    1072  KMSAuto Net.exe
- Loads dropped DLL (10 IoCs)
  Processes (pid / process):
    1988  ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe  (6 IoCs)
    1544  WerFault.exe  (4 IoCs)
- Yara rule matches (rule: vmprotect)
  Resources (resource / yara_rule):
    C:\Users\Admin\AppData\Roaming\csrss.exe  vmprotect  (3 matches)
    \Users\Admin\AppData\Roaming\csrss.exe  vmprotect  (6 matches)
    behavioral1/memory/1004-96-0x0000000000400000-0x0000000000BBE000-memory.dmp  vmprotect
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes (pid / process):
    1004  csrss.exe
- Drops file in Program Files directory (4 IoCs)
  Processes (description / ioc / process):
    File opened for modification  C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe  KMSAuto Net.exe
    File opened for modification  C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe  ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
    File opened for modification  C:\Program Files (x86)\KMSAuto\KMSAuto Net\test.test  cmd.exe
    File opened for modification  C:\Program Files (x86)\KMSAuto\KMSAuto Net\test.test  KMSAuto Net.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes (pid / pid_target / process / target process):
    1544  1004  WerFault.exe  csrss.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid / process):
    1004  csrss.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description / pid / process):
    Token: 33  936  AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  936  AUDIODG.EXE
    Token: 33  936  AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  936  AUDIODG.EXE
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (pid / process -> target pid / target process), each pair recorded 4 times:
    1988  ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe -> 1004  csrss.exe
    1988  ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe -> 1072  KMSAuto Net.exe
    1072  KMSAuto Net.exe -> 996  cmd.exe
    1072  KMSAuto Net.exe -> 1184  cmd.exe
    1072  KMSAuto Net.exe -> 1924  cmd.exe
    1004  csrss.exe -> 1544  WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\csrss.exe
    Command line: "C:\Users\Admin\AppData\Roaming\csrss.exe" /nc /s
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 728
      - Loads dropped DLL
      - Program crash
  - C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe
    Command line: "C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe" /nc
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c echo test>>"C:\Program Files (x86)\KMSAuto\KMSAuto Net\test.test"
      - Drops file in Program Files directory
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4d8
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe  (listed 3 times with identical hashes)
  Filesize: 8.4MB
  MD5: 2fb86be791b4bb4389e55df0fec04eb7
  SHA1: 375dc8189059602f9eb571b473d723fad3ad3d8c
  SHA256: b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31
  SHA512: 3230ab05eb876879aefc5e15bb726292640c1ddf476e4108f5c8eed2f373cb852964163ccb006e3d22bc1dc2f97ac2db391af9b289f21a7b099df4c4dd94ee38
- C:\Program Files (x86)\KMSAuto\KMSAuto Net\test.test
  Filesize: 6B
  MD5: 9f06243abcb89c70e0c331c61d871fa7
  SHA1: fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4
  SHA256: 837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b
  SHA512: b947b99d1baddd347550c9032e9ab60b6be56551cf92c076b38e4e11f436051a4af51c47e54f8641316a720b043641a3b3c1e1b01ba50445ea1ba60bfd1b7a86
- C:\Users\Admin\AppData\Roaming\csrss.exe  (listed 3 times with identical hashes)
  Filesize: 4.8MB
  MD5: 2a0c555c70eb25094c94e4ba5a6ba131
  SHA1: aa23bc37987a9c802ba5331577776ef2af1d07d8
  SHA256: cb0e4ffd650eab6aad6e30252d4ff8a0dc1f4f4c21227e18cb39a43f38eba1df
  SHA512: e601bf86a855cfc1107a88ae27e8dbe27d00ecae99536218a46db9cf0102f9cd533e1a1b698914c202ed3e9aa681fdae1e8804407fee4a781511a9af7ff2508c
- \Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe  (listed 4 times with identical hashes)
  Filesize: 8.4MB
  MD5: 2fb86be791b4bb4389e55df0fec04eb7
  SHA1: 375dc8189059602f9eb571b473d723fad3ad3d8c
  SHA256: b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31
  SHA512: 3230ab05eb876879aefc5e15bb726292640c1ddf476e4108f5c8eed2f373cb852964163ccb006e3d22bc1dc2f97ac2db391af9b289f21a7b099df4c4dd94ee38
- \Users\Admin\AppData\Roaming\csrss.exe  (listed 6 times with identical hashes)
  Filesize: 4.8MB
  MD5: 2a0c555c70eb25094c94e4ba5a6ba131
  SHA1: aa23bc37987a9c802ba5331577776ef2af1d07d8
  SHA256: cb0e4ffd650eab6aad6e30252d4ff8a0dc1f4f4c21227e18cb39a43f38eba1df
  SHA512: e601bf86a855cfc1107a88ae27e8dbe27d00ecae99536218a46db9cf0102f9cd533e1a1b698914c202ed3e9aa681fdae1e8804407fee4a781511a9af7ff2508c
- memory/1004-94-0x0000000000230000-0x0000000000231000-memory.dmp  Filesize: 4KB
- memory/1004-92-0x0000000000220000-0x0000000000221000-memory.dmp  Filesize: 4KB
- memory/1004-91-0x0000000000220000-0x0000000000221000-memory.dmp  Filesize: 4KB
- memory/1004-93-0x0000000000230000-0x0000000000231000-memory.dmp  Filesize: 4KB
- memory/1004-95-0x0000000000230000-0x0000000000231000-memory.dmp  Filesize: 4KB
- memory/1004-90-0x0000000000220000-0x0000000000221000-memory.dmp  Filesize: 4KB
- memory/1004-96-0x0000000000400000-0x0000000000BBE000-memory.dmp  Filesize: 7.7MB
- memory/1072-99-0x00000000008E0000-0x0000000000920000-memory.dmp  Filesize: 256KB
- memory/1072-105-0x00000000008E0000-0x0000000000920000-memory.dmp  Filesize: 256KB
- memory/1072-98-0x0000000001220000-0x0000000001A80000-memory.dmp  Filesize: 8.4MB
- memory/1072-111-0x00000000008E0000-0x0000000000920000-memory.dmp  Filesize: 256KB
- memory/1072-112-0x00000000008E0000-0x0000000000920000-memory.dmp  Filesize: 256KB
- memory/1072-117-0x00000000008E0000-0x0000000000920000-memory.dmp  Filesize: 256KB
- memory/1072-119-0x00000000008E0000-0x0000000000920000-memory.dmp  Filesize: 256KB
- memory/1988-100-0x0000000000400000-0x000000000043D000-memory.dmp  Filesize: 244KB