azorult | addcdf9e3bac722442fb269492fea86e91d4e97ee5df4ca5c03515d534fb0c51

General

Target

ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
Size

8.0MB
MD5

1ac70328ce1dea448647022c5b360a67
SHA1

4f295ccfc7b7a2eeeec53df66d22743dbac301a6
SHA256

addcdf9e3bac722442fb269492fea86e91d4e97ee5df4ca5c03515d534fb0c51
SHA512

26192e10e1b095739fd2b193c199aa689b0f7d26d57bef9718ef1cee41b95e5b4113cc987cd1847a7a1f3e727f0601099bde92591d3e153ddb37fa36e4f897c5
SSDEEP

196608:oKFIqkBPpjIwzMYsK6fg4/Lovsc+eQ5AdlH3sxAPflIKap:vkFAYsrfx8vJ+eQAd5sxAPmfp

Score

10^/10

azorult discovery infostealer trojan vmprotect

Malware Config

Extracted

Family

azorult

C2

http://f0355889.xsph.ru/Panel/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe

Executes dropped EXE 2 IoCs

Processes:

csrss.exeKMSAuto Net.exe

pid process

1376 csrss.exe
384 KMSAuto Net.exe

pid	process
1376	csrss.exe
384	KMSAuto Net.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\csrss.exe	vmprotect
C:\Users\Admin\AppData\Roaming\csrss.exe	vmprotect
C:\Users\Admin\AppData\Roaming\csrss.exe	vmprotect
behavioral2/memory/1376-166-0x0000000000400000-0x0000000000BBE000-memory.dmp	vmprotect

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

csrss.exe

pid process

1376 csrss.exe

pid	process
1376	csrss.exe

Drops file in Program Files directory 4 IoCs

Processes:

ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.execmd.exeKMSAuto Net.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
File opened for modification	C:\Program Files (x86)\KMSAuto\KMSAuto Net\test.test	cmd.exe
File opened for modification	C:\Program Files (x86)\KMSAuto\KMSAuto Net\test.test	KMSAuto Net.exe
File opened for modification	C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe	KMSAuto Net.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3668 1376 WerFault.exe csrss.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

csrss.exe

pid process

1376 csrss.exe
1376 csrss.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 4828 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 4828 AUDIODG.EXE

pid	pid_target	process	target process
3668	1376	WerFault.exe	csrss.exe

pid	process
1376	csrss.exe
1376	csrss.exe

description	pid	process
Token: 33	4828	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4828	AUDIODG.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exeKMSAuto Net.exe

description	pid	process	target process
PID 1176 wrote to memory of 1376	1176	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe	csrss.exe
PID 1176 wrote to memory of 1376	1176	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe	csrss.exe
PID 1176 wrote to memory of 1376	1176	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe	csrss.exe
PID 1176 wrote to memory of 384	1176	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe	KMSAuto Net.exe
PID 1176 wrote to memory of 384	1176	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe	KMSAuto Net.exe
PID 1176 wrote to memory of 384	1176	ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe	KMSAuto Net.exe
PID 384 wrote to memory of 760	384	KMSAuto Net.exe	cmd.exe
PID 384 wrote to memory of 760	384	KMSAuto Net.exe	cmd.exe
PID 384 wrote to memory of 760	384	KMSAuto Net.exe	cmd.exe
PID 384 wrote to memory of 2696	384	KMSAuto Net.exe	cmd.exe
PID 384 wrote to memory of 2696	384	KMSAuto Net.exe	cmd.exe
PID 384 wrote to memory of 2696	384	KMSAuto Net.exe	cmd.exe
PID 384 wrote to memory of 4908	384	KMSAuto Net.exe	cmd.exe
PID 384 wrote to memory of 4908	384	KMSAuto Net.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe
"C:\Users\Admin\AppData\Local\Temp\ADDCDF9E3BAC722442FB269492FEA86E91D4E97EE5DF4.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Roaming\csrss.exe
"C:\Users\Admin\AppData\Roaming\csrss.exe" /nc /s
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1172
3⤵
- Program crash
PID:3668

C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe
"C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe" /nc
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\SysWOW64\cmd.exe
cmd /c md "C:\Users\Admin\AppData\Local\MSfree Inc"
3⤵
PID:760

C:\Windows\SysWOW64\cmd.exe
cmd /c echo test>>"C:\Program Files (x86)\KMSAuto\KMSAuto Net\test.test"
3⤵
- Drops file in Program Files directory
PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /D /c del /F /Q "test.test"
3⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1376 -ip 1376
1⤵
PID:4004

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x510
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe
Filesize
8.4MB

MD5
2fb86be791b4bb4389e55df0fec04eb7

SHA1
375dc8189059602f9eb571b473d723fad3ad3d8c

SHA256
b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31

SHA512
3230ab05eb876879aefc5e15bb726292640c1ddf476e4108f5c8eed2f373cb852964163ccb006e3d22bc1dc2f97ac2db391af9b289f21a7b099df4c4dd94ee38

Download Submit
C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe
Filesize
8.4MB

MD5
2fb86be791b4bb4389e55df0fec04eb7

SHA1
375dc8189059602f9eb571b473d723fad3ad3d8c

SHA256
b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31

SHA512
3230ab05eb876879aefc5e15bb726292640c1ddf476e4108f5c8eed2f373cb852964163ccb006e3d22bc1dc2f97ac2db391af9b289f21a7b099df4c4dd94ee38

Download Submit
C:\Program Files (x86)\KMSAuto\KMSAuto Net\KMSAuto Net.exe
Filesize
8.4MB

MD5
2fb86be791b4bb4389e55df0fec04eb7

SHA1
375dc8189059602f9eb571b473d723fad3ad3d8c

SHA256
b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31

SHA512
3230ab05eb876879aefc5e15bb726292640c1ddf476e4108f5c8eed2f373cb852964163ccb006e3d22bc1dc2f97ac2db391af9b289f21a7b099df4c4dd94ee38

Download Submit
C:\Program Files (x86)\KMSAuto\KMSAuto Net\test.test
Filesize
6B

MD5
9f06243abcb89c70e0c331c61d871fa7

SHA1
fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4

SHA256
837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b

SHA512
b947b99d1baddd347550c9032e9ab60b6be56551cf92c076b38e4e11f436051a4af51c47e54f8641316a720b043641a3b3c1e1b01ba50445ea1ba60bfd1b7a86

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe
Filesize
4.8MB

MD5
2a0c555c70eb25094c94e4ba5a6ba131

SHA1
aa23bc37987a9c802ba5331577776ef2af1d07d8

SHA256
cb0e4ffd650eab6aad6e30252d4ff8a0dc1f4f4c21227e18cb39a43f38eba1df

SHA512
e601bf86a855cfc1107a88ae27e8dbe27d00ecae99536218a46db9cf0102f9cd533e1a1b698914c202ed3e9aa681fdae1e8804407fee4a781511a9af7ff2508c

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe
Filesize
4.8MB

MD5
2a0c555c70eb25094c94e4ba5a6ba131

SHA1
aa23bc37987a9c802ba5331577776ef2af1d07d8

SHA256
cb0e4ffd650eab6aad6e30252d4ff8a0dc1f4f4c21227e18cb39a43f38eba1df

SHA512
e601bf86a855cfc1107a88ae27e8dbe27d00ecae99536218a46db9cf0102f9cd533e1a1b698914c202ed3e9aa681fdae1e8804407fee4a781511a9af7ff2508c

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe
Filesize
4.8MB

MD5
2a0c555c70eb25094c94e4ba5a6ba131

SHA1
aa23bc37987a9c802ba5331577776ef2af1d07d8

SHA256
cb0e4ffd650eab6aad6e30252d4ff8a0dc1f4f4c21227e18cb39a43f38eba1df

SHA512
e601bf86a855cfc1107a88ae27e8dbe27d00ecae99536218a46db9cf0102f9cd533e1a1b698914c202ed3e9aa681fdae1e8804407fee4a781511a9af7ff2508c

Download Submit
memory/384-167-0x0000000006220000-0x00000000062BC000-memory.dmp

Filesize
624KB

Download
memory/384-172-0x0000000006530000-0x0000000006586000-memory.dmp

Filesize
344KB

Download
memory/384-181-0x0000000003C40000-0x0000000003C50000-memory.dmp

Filesize
64KB

Download
memory/384-164-0x0000000000FD0000-0x0000000001830000-memory.dmp

Filesize
8.4MB

Download
memory/384-169-0x0000000006870000-0x0000000006E14000-memory.dmp

Filesize
5.6MB

Download
memory/384-170-0x0000000006360000-0x00000000063F2000-memory.dmp

Filesize
584KB

Download
memory/384-171-0x0000000003DA0000-0x0000000003DAA000-memory.dmp

Filesize
40KB

Download
memory/384-180-0x0000000003C40000-0x0000000003C50000-memory.dmp

Filesize
64KB

Download
memory/384-173-0x0000000003C40000-0x0000000003C50000-memory.dmp

Filesize
64KB

Download
memory/384-174-0x0000000003C40000-0x0000000003C50000-memory.dmp

Filesize
64KB

Download
memory/1176-179-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1376-163-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/1376-165-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1376-166-0x0000000000400000-0x0000000000BBE000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads