azorult | addcdf9e3bac722442fb269492fea86e91d4e97ee5df4ca5c03515d534fb0c51

Analysis

max time kernel
140s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25-03-2023 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
Size

8.0MB
MD5

1ac70328ce1dea448647022c5b360a67
SHA1

4f295ccfc7b7a2eeeec53df66d22743dbac301a6
SHA256

addcdf9e3bac722442fb269492fea86e91d4e97ee5df4ca5c03515d534fb0c51
SHA512

26192e10e1b095739fd2b193c199aa689b0f7d26d57bef9718ef1cee41b95e5b4113cc987cd1847a7a1f3e727f0601099bde92591d3e153ddb37fa36e4f897c5
SSDEEP

196608:oKFIqkBPpjIwzMYsK6fg4/Lovsc+eQ5AdlH3sxAPflIKap:vkFAYsrfx8vJ+eQAd5sxAPmfp

Score

10^/10

azorult discovery infostealer trojan vmprotect

Malware Config

Extracted

Family

azorult

http://f0355889.xsph.ru/Panel/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

csrss.exeKMSAuto Net.exe

pid process

1004 csrss.exe
1072 KMSAuto Net.exe

pid	process
1004	csrss.exe
1072	KMSAuto Net.exe

Loads dropped DLL 10 IoCs

Processes:

ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exeWerFault.exe

pid	process
1988	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
1988	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
1988	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
1988	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
1988	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
1988	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
1544	WerFault.exe
1544	WerFault.exe
1544	WerFault.exe
1544	WerFault.exe

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\csrss.exe	vmprotect
\Users\Admin\AppData\Roaming\csrss.exe	vmprotect
C:\Users\Admin\AppData\Roaming\csrss.exe	vmprotect
\Users\Admin\AppData\Roaming\csrss.exe	vmprotect
C:\Users\Admin\AppData\Roaming\csrss.exe	vmprotect
behavioral1/memory/1004-96-0x0000000000400000-0x0000000000BBE000-memory.dmp	vmprotect
\Users\Admin\AppData\Roaming\csrss.exe	vmprotect
\Users\Admin\AppData\Roaming\csrss.exe	vmprotect
\Users\Admin\AppData\Roaming\csrss.exe	vmprotect
\Users\Admin\AppData\Roaming\csrss.exe	vmprotect

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

csrss.exe

pid process

1004 csrss.exe

pid	process
1004	csrss.exe

Drops file in Program Files directory 4 IoCs

Processes:

KMSAuto Net.exeADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.execmd.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe	KMSAuto Net.exe
File opened for modification	C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
File opened for modification	C:\Program Files (x86)\KMSAuto\KMSAuto Net\test.test	cmd.exe
File opened for modification	C:\Program Files (x86)\KMSAuto\KMSAuto Net\test.test	KMSAuto Net.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1544 1004 WerFault.exe csrss.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

csrss.exe

pid process

1004 csrss.exe

pid	pid_target	process	target process
1544	1004	WerFault.exe	csrss.exe

pid	process
1004	csrss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	936	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	936	AUDIODG.EXE
Token: 33	936	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	936	AUDIODG.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exeKMSAuto Net.execsrss.exe

description	pid	process	target process
PID 1988 wrote to memory of 1004	1988	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe	csrss.exe
PID 1988 wrote to memory of 1004	1988	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe	csrss.exe
PID 1988 wrote to memory of 1004	1988	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe	csrss.exe
PID 1988 wrote to memory of 1004	1988	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe	csrss.exe
PID 1988 wrote to memory of 1072	1988	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe	KMSAuto Net.exe
PID 1988 wrote to memory of 1072	1988	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe	KMSAuto Net.exe
PID 1988 wrote to memory of 1072	1988	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe	KMSAuto Net.exe
PID 1988 wrote to memory of 1072	1988	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe	KMSAuto Net.exe
PID 1072 wrote to memory of 996	1072	KMSAuto Net.exe	cmd.exe
PID 1072 wrote to memory of 996	1072	KMSAuto Net.exe	cmd.exe
PID 1072 wrote to memory of 996	1072	KMSAuto Net.exe	cmd.exe
PID 1072 wrote to memory of 996	1072	KMSAuto Net.exe	cmd.exe
PID 1072 wrote to memory of 1184	1072	KMSAuto Net.exe	cmd.exe
PID 1072 wrote to memory of 1184	1072	KMSAuto Net.exe	cmd.exe
PID 1072 wrote to memory of 1184	1072	KMSAuto Net.exe	cmd.exe
PID 1072 wrote to memory of 1184	1072	KMSAuto Net.exe	cmd.exe
PID 1072 wrote to memory of 1924	1072	KMSAuto Net.exe	cmd.exe
PID 1072 wrote to memory of 1924	1072	KMSAuto Net.exe	cmd.exe
PID 1072 wrote to memory of 1924	1072	KMSAuto Net.exe	cmd.exe
PID 1072 wrote to memory of 1924	1072	KMSAuto Net.exe	cmd.exe
PID 1004 wrote to memory of 1544	1004	csrss.exe	WerFault.exe
PID 1004 wrote to memory of 1544	1004	csrss.exe	WerFault.exe
PID 1004 wrote to memory of 1544	1004	csrss.exe	WerFault.exe
PID 1004 wrote to memory of 1544	1004	csrss.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
"C:\Users\Admin\AppData\Local\Temp\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Roaming\csrss.exe
"C:\Users\Admin\AppData\Roaming\csrss.exe" /nc /s
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 728
3⤵
- Loads dropped DLL
- Program crash
PID:1544

C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe
"C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe" /nc
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\cmd.exe
cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
3⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
cmd /c echo test>>"C:\Program Files (x86)\KMSAuto\KMSAuto Net\test.test"
3⤵
- Drops file in Program Files directory
PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
3⤵
PID:1924

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4d8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe
Filesize
8.4MB

MD5
2fb86be791b4bb4389e55df0fec04eb7

SHA1
375dc8189059602f9eb571b473d723fad3ad3d8c

SHA256
b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31

SHA512
3230ab05eb876879aefc5e15bb726292640c1ddf476e4108f5c8eed2f373cb852964163ccb006e3d22bc1dc2f97ac2db391af9b289f21a7b099df4c4dd94ee38

Download Submit
C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe
Filesize
8.4MB

MD5
2fb86be791b4bb4389e55df0fec04eb7

SHA1
375dc8189059602f9eb571b473d723fad3ad3d8c

SHA256
b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31

SHA512
3230ab05eb876879aefc5e15bb726292640c1ddf476e4108f5c8eed2f373cb852964163ccb006e3d22bc1dc2f97ac2db391af9b289f21a7b099df4c4dd94ee38

Download Submit
C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe
Filesize
8.4MB

MD5
2fb86be791b4bb4389e55df0fec04eb7

SHA1
375dc8189059602f9eb571b473d723fad3ad3d8c

SHA256
b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31

SHA512
3230ab05eb876879aefc5e15bb726292640c1ddf476e4108f5c8eed2f373cb852964163ccb006e3d22bc1dc2f97ac2db391af9b289f21a7b099df4c4dd94ee38

Download Submit
C:\Program Files (x86)\KMSAuto\KMSAuto Net\test.test
Filesize
6B

MD5
9f06243abcb89c70e0c331c61d871fa7

SHA1
fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4

SHA256
837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b

SHA512
b947b99d1baddd347550c9032e9ab60b6be56551cf92c076b38e4e11f436051a4af51c47e54f8641316a720b043641a3b3c1e1b01ba50445ea1ba60bfd1b7a86

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe
Filesize
4.8MB

MD5
2a0c555c70eb25094c94e4ba5a6ba131

SHA1
aa23bc37987a9c802ba5331577776ef2af1d07d8

SHA256
cb0e4ffd650eab6aad6e30252d4ff8a0dc1f4f4c21227e18cb39a43f38eba1df

SHA512
e601bf86a855cfc1107a88ae27e8dbe27d00ecae99536218a46db9cf0102f9cd533e1a1b698914c202ed3e9aa681fdae1e8804407fee4a781511a9af7ff2508c

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe
Filesize
4.8MB

MD5
2a0c555c70eb25094c94e4ba5a6ba131

SHA1
aa23bc37987a9c802ba5331577776ef2af1d07d8

SHA256
cb0e4ffd650eab6aad6e30252d4ff8a0dc1f4f4c21227e18cb39a43f38eba1df

SHA512
e601bf86a855cfc1107a88ae27e8dbe27d00ecae99536218a46db9cf0102f9cd533e1a1b698914c202ed3e9aa681fdae1e8804407fee4a781511a9af7ff2508c

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe
Filesize
4.8MB

MD5
2a0c555c70eb25094c94e4ba5a6ba131

SHA1
aa23bc37987a9c802ba5331577776ef2af1d07d8

SHA256
cb0e4ffd650eab6aad6e30252d4ff8a0dc1f4f4c21227e18cb39a43f38eba1df

SHA512
e601bf86a855cfc1107a88ae27e8dbe27d00ecae99536218a46db9cf0102f9cd533e1a1b698914c202ed3e9aa681fdae1e8804407fee4a781511a9af7ff2508c

Download Submit
\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe
Filesize
8.4MB

MD5
2fb86be791b4bb4389e55df0fec04eb7

SHA1
375dc8189059602f9eb571b473d723fad3ad3d8c

SHA256
b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31

SHA512
3230ab05eb876879aefc5e15bb726292640c1ddf476e4108f5c8eed2f373cb852964163ccb006e3d22bc1dc2f97ac2db391af9b289f21a7b099df4c4dd94ee38

Download Submit
\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe
Filesize
8.4MB

MD5
2fb86be791b4bb4389e55df0fec04eb7

SHA1
375dc8189059602f9eb571b473d723fad3ad3d8c

SHA256
b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31

SHA512
3230ab05eb876879aefc5e15bb726292640c1ddf476e4108f5c8eed2f373cb852964163ccb006e3d22bc1dc2f97ac2db391af9b289f21a7b099df4c4dd94ee38

Download Submit
\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe
Filesize
8.4MB

MD5
2fb86be791b4bb4389e55df0fec04eb7

SHA1
375dc8189059602f9eb571b473d723fad3ad3d8c

SHA256
b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31

SHA512
3230ab05eb876879aefc5e15bb726292640c1ddf476e4108f5c8eed2f373cb852964163ccb006e3d22bc1dc2f97ac2db391af9b289f21a7b099df4c4dd94ee38

Download Submit
\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe
Filesize
8.4MB

MD5
2fb86be791b4bb4389e55df0fec04eb7

SHA1
375dc8189059602f9eb571b473d723fad3ad3d8c

SHA256
b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31

SHA512
3230ab05eb876879aefc5e15bb726292640c1ddf476e4108f5c8eed2f373cb852964163ccb006e3d22bc1dc2f97ac2db391af9b289f21a7b099df4c4dd94ee38

Download Submit
\Users\Admin\AppData\Roaming\csrss.exe
Filesize
4.8MB

MD5
2a0c555c70eb25094c94e4ba5a6ba131

SHA1
aa23bc37987a9c802ba5331577776ef2af1d07d8

SHA256
cb0e4ffd650eab6aad6e30252d4ff8a0dc1f4f4c21227e18cb39a43f38eba1df

SHA512
e601bf86a855cfc1107a88ae27e8dbe27d00ecae99536218a46db9cf0102f9cd533e1a1b698914c202ed3e9aa681fdae1e8804407fee4a781511a9af7ff2508c

Download Submit
\Users\Admin\AppData\Roaming\csrss.exe
Filesize
4.8MB

MD5
2a0c555c70eb25094c94e4ba5a6ba131

SHA1
aa23bc37987a9c802ba5331577776ef2af1d07d8

SHA256
cb0e4ffd650eab6aad6e30252d4ff8a0dc1f4f4c21227e18cb39a43f38eba1df

SHA512
e601bf86a855cfc1107a88ae27e8dbe27d00ecae99536218a46db9cf0102f9cd533e1a1b698914c202ed3e9aa681fdae1e8804407fee4a781511a9af7ff2508c

Download Submit
\Users\Admin\AppData\Roaming\csrss.exe
Filesize
4.8MB

MD5
2a0c555c70eb25094c94e4ba5a6ba131

SHA1
aa23bc37987a9c802ba5331577776ef2af1d07d8

SHA256
cb0e4ffd650eab6aad6e30252d4ff8a0dc1f4f4c21227e18cb39a43f38eba1df

SHA512
e601bf86a855cfc1107a88ae27e8dbe27d00ecae99536218a46db9cf0102f9cd533e1a1b698914c202ed3e9aa681fdae1e8804407fee4a781511a9af7ff2508c

Download Submit
\Users\Admin\AppData\Roaming\csrss.exe
Filesize
4.8MB

MD5
2a0c555c70eb25094c94e4ba5a6ba131

SHA1
aa23bc37987a9c802ba5331577776ef2af1d07d8

SHA256
cb0e4ffd650eab6aad6e30252d4ff8a0dc1f4f4c21227e18cb39a43f38eba1df

SHA512
e601bf86a855cfc1107a88ae27e8dbe27d00ecae99536218a46db9cf0102f9cd533e1a1b698914c202ed3e9aa681fdae1e8804407fee4a781511a9af7ff2508c

Download Submit
\Users\Admin\AppData\Roaming\csrss.exe
Filesize
4.8MB

MD5
2a0c555c70eb25094c94e4ba5a6ba131

SHA1
aa23bc37987a9c802ba5331577776ef2af1d07d8

SHA256
cb0e4ffd650eab6aad6e30252d4ff8a0dc1f4f4c21227e18cb39a43f38eba1df

SHA512
e601bf86a855cfc1107a88ae27e8dbe27d00ecae99536218a46db9cf0102f9cd533e1a1b698914c202ed3e9aa681fdae1e8804407fee4a781511a9af7ff2508c

Download Submit
\Users\Admin\AppData\Roaming\csrss.exe
Filesize
4.8MB

MD5
2a0c555c70eb25094c94e4ba5a6ba131

SHA1
aa23bc37987a9c802ba5331577776ef2af1d07d8

SHA256
cb0e4ffd650eab6aad6e30252d4ff8a0dc1f4f4c21227e18cb39a43f38eba1df

SHA512
e601bf86a855cfc1107a88ae27e8dbe27d00ecae99536218a46db9cf0102f9cd533e1a1b698914c202ed3e9aa681fdae1e8804407fee4a781511a9af7ff2508c

Download Submit
memory/1004-94-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1004-92-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1004-91-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1004-93-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1004-95-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1004-90-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1004-96-0x0000000000400000-0x0000000000BBE000-memory.dmp

Filesize
7.7MB

Download
memory/1072-99-0x00000000008E0000-0x0000000000920000-memory.dmp

Filesize
256KB

Download
memory/1072-105-0x00000000008E0000-0x0000000000920000-memory.dmp

Filesize
256KB

Download
memory/1072-98-0x0000000001220000-0x0000000001A80000-memory.dmp

Filesize
8.4MB

Download
memory/1072-111-0x00000000008E0000-0x0000000000920000-memory.dmp

Filesize
256KB

Download
memory/1072-112-0x00000000008E0000-0x0000000000920000-memory.dmp

Filesize
256KB

Download
memory/1072-117-0x00000000008E0000-0x0000000000920000-memory.dmp

Filesize
256KB

Download
memory/1072-119-0x00000000008E0000-0x0000000000920000-memory.dmp

Filesize
256KB

Download
memory/1988-100-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download