azorult | 0791c43de42272d1f5eb20ee67b0ad4194e2bb8f00975aa906605d8cd0c4c6a4

Reason

Machine shutdown

General

Target

??????????? ??????????????.exe
Size

234KB
MD5

38d378ff52ea3dba53a07eee3ed769c7
SHA1

94181ebcbe353d496701681b6bd03e06c1c63751
SHA256

0791c43de42272d1f5eb20ee67b0ad4194e2bb8f00975aa906605d8cd0c4c6a4
SHA512

ab096595c92f3bca5659b2156e3daed47f70dd8ab3ddff1506ff164a50fa4d15f2503776d43633056ebcb569255295f8f7af53a031f552da1a3f73d017c105cc
SSDEEP

6144:gYa6oBsctoZqfq4S4JV2p9wubvEjRTsObhUXLbPp:gYxcCZqHp2prEVs+C7F

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://141.98.6.162/office/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

jjhluxw.exejjhluxw.exe

pid process

3352 jjhluxw.exe
4836 jjhluxw.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

jjhluxw.exe

description pid process target process

PID 3352 set thread context of 4836 3352 jjhluxw.exe jjhluxw.exe

pid	process
3352	jjhluxw.exe
4836	jjhluxw.exe

description	pid	process	target process
PID 3352 set thread context of 4836	3352	jjhluxw.exe	jjhluxw.exe

Drops file in Windows directory 4 IoCs

Processes:

UserOOBEBroker.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "124"	LogonUI.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3648 WINWORD.EXE
3648 WINWORD.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

jjhluxw.exe

pid process

3352 jjhluxw.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXELogonUI.exe

pid process

3648 WINWORD.EXE
3648 WINWORD.EXE
3648 WINWORD.EXE
3648 WINWORD.EXE
3648 WINWORD.EXE
3648 WINWORD.EXE
3648 WINWORD.EXE
3648 WINWORD.EXE
4996 LogonUI.exe

pid	process
3648	WINWORD.EXE
3648	WINWORD.EXE

pid	process
3352	jjhluxw.exe

pid	process
3648	WINWORD.EXE
3648	WINWORD.EXE
3648	WINWORD.EXE
3648	WINWORD.EXE
3648	WINWORD.EXE
3648	WINWORD.EXE
3648	WINWORD.EXE
3648	WINWORD.EXE
4996	LogonUI.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

___________ ______________.exejjhluxw.exe

description	pid	process	target process
PID 4312 wrote to memory of 3352	4312	___________ ______________.exe	jjhluxw.exe
PID 4312 wrote to memory of 3352	4312	___________ ______________.exe	jjhluxw.exe
PID 4312 wrote to memory of 3352	4312	___________ ______________.exe	jjhluxw.exe
PID 3352 wrote to memory of 4836	3352	jjhluxw.exe	jjhluxw.exe
PID 3352 wrote to memory of 4836	3352	jjhluxw.exe	jjhluxw.exe
PID 3352 wrote to memory of 4836	3352	jjhluxw.exe	jjhluxw.exe
PID 3352 wrote to memory of 4836	3352	jjhluxw.exe	jjhluxw.exe

C:\Users\Admin\AppData\Local\Temp\___________ ______________.exe
"C:\Users\Admin\AppData\Local\Temp\___________ ______________.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe
  "C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe" C:\Users\Admin\AppData\Local\Temp\izwmcwjt.yhc
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe
    "C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe"
    3⤵
    - Executes dropped EXE
    PID:4836

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Opened.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4528

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1616

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:2432

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38c0855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\izwmcwjt.yhc

Filesize
6KB

MD5
19e06b8c8c60c69e11228b250568400a

SHA1
7c49e0aca8637c2adf258f98b1e7e45bcefaef53

SHA256
fb8e5832ac5a98dd0ab1030628a559627279ae256593510b0fbc6da2a43f2ad8

SHA512
e67eaebb28cab7784446cc3fbbdfb8fa3c4229225e4abdff26091a65f8adf8a912414a0bedd4b0458594776814c14f0f9cf9f18c71e3d3a75bef70b2056a389c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe

Filesize
108KB

MD5
5f16ae72eb6fbd3040d5d3c18c5ac304

SHA1
4e1604b5e763aa9f336996c75cb3e8436f16850f

SHA256
3b22459608be3d78066a25fdf807f6628de79c01799cd5e03095c2ae996bca16

SHA512
7ca61d0f536638094b67f8c7b12ab5ff4d234299f2365ab9cd7de78bd1d257195b6c112039761e2620a597a65d59cfd856790db075bef6d69afdaeb35d49286d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe

Filesize
108KB

MD5
5f16ae72eb6fbd3040d5d3c18c5ac304

SHA1
4e1604b5e763aa9f336996c75cb3e8436f16850f

SHA256
3b22459608be3d78066a25fdf807f6628de79c01799cd5e03095c2ae996bca16

SHA512
7ca61d0f536638094b67f8c7b12ab5ff4d234299f2365ab9cd7de78bd1d257195b6c112039761e2620a597a65d59cfd856790db075bef6d69afdaeb35d49286d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe

Filesize
108KB

MD5
5f16ae72eb6fbd3040d5d3c18c5ac304

SHA1
4e1604b5e763aa9f336996c75cb3e8436f16850f

SHA256
3b22459608be3d78066a25fdf807f6628de79c01799cd5e03095c2ae996bca16

SHA512
7ca61d0f536638094b67f8c7b12ab5ff4d234299f2365ab9cd7de78bd1d257195b6c112039761e2620a597a65d59cfd856790db075bef6d69afdaeb35d49286d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvgovin.j

Filesize
132KB

MD5
f495dbd405842d0cee36e9ff9d3be29e

SHA1
35e5f6e880f2069a94d7cfa8847040fb1bb0c8e9

SHA256
aa7ec70ab30285dcd735aa0c1feb12729c10198a4eb2ebcce50e3a1afca58da4

SHA512
44fd0a274c612094c150be66d4ab447d474f81900388fc8b1dbc9828a195bc43a05f6337132a1438612a6f329cc99880dba3c6eb997755e02713d877cc675e8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
827b64ac76db73ca12b583996c1d7fdc

SHA1
3885af33bef5d0a34a05758ba6252fa75264df33

SHA256
1915f83ac37c12553bf0d2451027a4c9a0a126435dc2fd7ad3e95cfcbd94a1e7

SHA512
9051cc3b9d3683fd9edc74536dfcdc17cd88f7237479d4478b0658f1c82fb163cdd7fc847c24559ba3cfcb144fe245cc9fca8509b07a5143e6fb61f60a2faf52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
928cac767268f96acd0b13715428ade9

SHA1
9ba3780254c4ff463878307391494b926dfb3733

SHA256
815026181f786b2f0e70272d6ed844eb812294fda17ff59edfe60a115dec4f7a

SHA512
2f58d6f0e0399bb7f788ebdcc484d361a9da8799b0f9ef1b877bb2eb1c02bf71f5686ce18488c1c7958782e235ab95876a667dc7fce0c9f322bcd84183a75dff

Download Submit
memory/3352-7-0x0000000001A80000-0x0000000001A82000-memory.dmp

Filesize
8KB

Download
memory/3648-19-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-33-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-92-0x00007FF9772D0000-0x00007FF97738D000-memory.dmp

Filesize
756KB

Download
memory/3648-17-0x00007FF937D30000-0x00007FF937D40000-memory.dmp

Filesize
64KB

Download
memory/3648-91-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-18-0x00007FF937D30000-0x00007FF937D40000-memory.dmp

Filesize
64KB

Download
memory/3648-21-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-23-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-24-0x00007FF937D30000-0x00007FF937D40000-memory.dmp

Filesize
64KB

Download
memory/3648-25-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-26-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-27-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-22-0x00007FF937D30000-0x00007FF937D40000-memory.dmp

Filesize
64KB

Download
memory/3648-20-0x00007FF937D30000-0x00007FF937D40000-memory.dmp

Filesize
64KB

Download
memory/3648-28-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-30-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-29-0x00007FF935190000-0x00007FF9351A0000-memory.dmp

Filesize
64KB

Download
memory/3648-31-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-32-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-89-0x00007FF937D30000-0x00007FF937D40000-memory.dmp

Filesize
64KB

Download
memory/3648-35-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-36-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-37-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-39-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-41-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-40-0x00007FF9772D0000-0x00007FF97738D000-memory.dmp

Filesize
756KB

Download
memory/3648-38-0x00007FF935190000-0x00007FF9351A0000-memory.dmp

Filesize
64KB

Download
memory/3648-34-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-90-0x00007FF937D30000-0x00007FF937D40000-memory.dmp

Filesize
64KB

Download
memory/3648-88-0x00007FF937D30000-0x00007FF937D40000-memory.dmp

Filesize
64KB

Download
memory/3648-67-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-68-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-69-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-70-0x00007FF977CA0000-0x00007FF977EA9000-memory.dmp

Filesize
2.0MB

Download
memory/3648-87-0x00007FF937D30000-0x00007FF937D40000-memory.dmp

Filesize
64KB

Download
memory/4836-9-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4836-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4836-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4836-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4836-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads