azorult | 0b02dbd1b4dd17aa4f3517aefc2cfb83ead088a85f9d1f2a8b26d3dd69b0c3a6

General

Target

c9646cb64d64919831475ebef3a562e8.exe
Size

354KB
MD5

c9646cb64d64919831475ebef3a562e8
SHA1

11492bfad2d8b5c437d6147847c47e1fddb5c920
SHA256

0b02dbd1b4dd17aa4f3517aefc2cfb83ead088a85f9d1f2a8b26d3dd69b0c3a6
SHA512

11cdfdc950838c24f64eb4720c255b872bad08f1444386f486f74046574a8d7aa32be3c17fa6ff0176b7dfd4a55a9c27df7de8001c08774f2015a993830dfe17
SSDEEP

6144:yxgTOM/I1Hf9PBdIhNEhzuFuqUkQTJey+Q//4YL9FIxU8jqGUMuw:wHVP8hNEhzu4qUZfB/4U9KxVjEjw

Score

10^/10

azorult evasion infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

c9646cb64d64919831475ebef3a562e8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	c9646cb64d64919831475ebef3a562e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	c9646cb64d64919831475ebef3a562e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	c9646cb64d64919831475ebef3a562e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	c9646cb64d64919831475ebef3a562e8.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

c9646cb64d64919831475ebef3a562e8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	c9646cb64d64919831475ebef3a562e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	c9646cb64d64919831475ebef3a562e8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c9646cb64d64919831475ebef3a562e8.exe

description pid process target process

PID 2208 set thread context of 2396 2208 c9646cb64d64919831475ebef3a562e8.exe c9646cb64d64919831475ebef3a562e8.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2480 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2480 powershell.exe

description	pid	process	target process
PID 2208 set thread context of 2396	2208	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe

pid	process
2480	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2480	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

c9646cb64d64919831475ebef3a562e8.exe

description	pid	process	target process
PID 2208 wrote to memory of 2480	2208	c9646cb64d64919831475ebef3a562e8.exe	powershell.exe
PID 2208 wrote to memory of 2480	2208	c9646cb64d64919831475ebef3a562e8.exe	powershell.exe
PID 2208 wrote to memory of 2480	2208	c9646cb64d64919831475ebef3a562e8.exe	powershell.exe
PID 2208 wrote to memory of 2480	2208	c9646cb64d64919831475ebef3a562e8.exe	powershell.exe
PID 2208 wrote to memory of 2396	2208	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 2208 wrote to memory of 2396	2208	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 2208 wrote to memory of 2396	2208	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 2208 wrote to memory of 2396	2208	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 2208 wrote to memory of 2396	2208	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 2208 wrote to memory of 2396	2208	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 2208 wrote to memory of 2396	2208	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 2208 wrote to memory of 2396	2208	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 2208 wrote to memory of 2396	2208	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 2208 wrote to memory of 2396	2208	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe

C:\Users\Admin\AppData\Local\Temp\c9646cb64d64919831475ebef3a562e8.exe
"C:\Users\Admin\AppData\Local\Temp\c9646cb64d64919831475ebef3a562e8.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Users\Admin\AppData\Local\Temp\c9646cb64d64919831475ebef3a562e8.exe
"{path}"
2⤵
PID:2396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

2

T1562

Disable or Modify Tools

2

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2208-0-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2208-1-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2208-2-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download
memory/2208-3-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download
memory/2208-27-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2396-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2396-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2396-28-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2396-26-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2396-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2396-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2396-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2396-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2396-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2396-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2480-8-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2480-7-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2480-10-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2480-9-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2480-6-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads