azorult | 0b02dbd1b4dd17aa4f3517aefc2cfb83ead088a85f9d1f2a8b26d3dd69b0c3a6

General

Target

c9646cb64d64919831475ebef3a562e8.exe
Size

354KB
MD5

c9646cb64d64919831475ebef3a562e8
SHA1

11492bfad2d8b5c437d6147847c47e1fddb5c920
SHA256

0b02dbd1b4dd17aa4f3517aefc2cfb83ead088a85f9d1f2a8b26d3dd69b0c3a6
SHA512

11cdfdc950838c24f64eb4720c255b872bad08f1444386f486f74046574a8d7aa32be3c17fa6ff0176b7dfd4a55a9c27df7de8001c08774f2015a993830dfe17
SSDEEP

6144:yxgTOM/I1Hf9PBdIhNEhzuFuqUkQTJey+Q//4YL9FIxU8jqGUMuw:wHVP8hNEhzu4qUZfB/4U9KxVjEjw

Score

10^/10

azorult evasion infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

c9646cb64d64919831475ebef3a562e8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	c9646cb64d64919831475ebef3a562e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	c9646cb64d64919831475ebef3a562e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	c9646cb64d64919831475ebef3a562e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	c9646cb64d64919831475ebef3a562e8.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

c9646cb64d64919831475ebef3a562e8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	c9646cb64d64919831475ebef3a562e8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	c9646cb64d64919831475ebef3a562e8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c9646cb64d64919831475ebef3a562e8.exe

description pid process target process

PID 1864 set thread context of 4816 1864 c9646cb64d64919831475ebef3a562e8.exe c9646cb64d64919831475ebef3a562e8.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exec9646cb64d64919831475ebef3a562e8.exe

pid process

1008 powershell.exe
1008 powershell.exe
1864 c9646cb64d64919831475ebef3a562e8.exe
1864 c9646cb64d64919831475ebef3a562e8.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exec9646cb64d64919831475ebef3a562e8.exe

description pid process

Token: SeDebugPrivilege 1008 powershell.exe
Token: SeDebugPrivilege 1864 c9646cb64d64919831475ebef3a562e8.exe

description	pid	process	target process
PID 1864 set thread context of 4816	1864	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe

pid	process
1008	powershell.exe
1008	powershell.exe
1864	c9646cb64d64919831475ebef3a562e8.exe
1864	c9646cb64d64919831475ebef3a562e8.exe

description	pid	process
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	1864	c9646cb64d64919831475ebef3a562e8.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

c9646cb64d64919831475ebef3a562e8.exe

C:\Users\Admin\AppData\Local\Temp\c9646cb64d64919831475ebef3a562e8.exe
"C:\Users\Admin\AppData\Local\Temp\c9646cb64d64919831475ebef3a562e8.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Users\Admin\AppData\Local\Temp\c9646cb64d64919831475ebef3a562e8.exe
"{path}"
2⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\c9646cb64d64919831475ebef3a562e8.exe
"{path}"
2⤵
PID:4816

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

2

T1562

Disable or Modify Tools

2

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lctr0vpe.smu.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1008-36-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/1008-4-0x00000000726C0000-0x0000000072E70000-memory.dmp

Filesize
7.7MB

Download
memory/1008-25-0x000000006EBA0000-0x000000006EBEC000-memory.dmp

Filesize
304KB

Download
memory/1008-50-0x00000000726C0000-0x0000000072E70000-memory.dmp

Filesize
7.7MB

Download
memory/1008-5-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/1008-6-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/1008-7-0x0000000004E70000-0x0000000005498000-memory.dmp

Filesize
6.2MB

Download
memory/1008-8-0x0000000005610000-0x0000000005632000-memory.dmp

Filesize
136KB

Download
memory/1008-47-0x00000000073E0000-0x00000000073E8000-memory.dmp

Filesize
32KB

Download
memory/1008-14-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/1008-15-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/1008-20-0x0000000005950000-0x0000000005CA4000-memory.dmp

Filesize
3.3MB

Download
memory/1008-21-0x0000000005D70000-0x0000000005D8E000-memory.dmp

Filesize
120KB

Download
memory/1008-22-0x00000000060A0000-0x00000000060EC000-memory.dmp

Filesize
304KB

Download
memory/1008-23-0x000000007F690000-0x000000007F6A0000-memory.dmp

Filesize
64KB

Download
memory/1008-24-0x0000000006320000-0x0000000006352000-memory.dmp

Filesize
200KB

Download
memory/1008-3-0x00000000047C0000-0x00000000047F6000-memory.dmp

Filesize
216KB

Download
memory/1008-35-0x0000000006F80000-0x0000000006F9E000-memory.dmp

Filesize
120KB

Download
memory/1008-46-0x0000000007400000-0x000000000741A000-memory.dmp

Filesize
104KB

Download
memory/1008-37-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/1008-38-0x0000000006FA0000-0x0000000007043000-memory.dmp

Filesize
652KB

Download
memory/1008-39-0x0000000007700000-0x0000000007D7A000-memory.dmp

Filesize
6.5MB

Download
memory/1008-40-0x00000000070C0000-0x00000000070DA000-memory.dmp

Filesize
104KB

Download
memory/1008-41-0x0000000007130000-0x000000000713A000-memory.dmp

Filesize
40KB

Download
memory/1008-42-0x0000000007340000-0x00000000073D6000-memory.dmp

Filesize
600KB

Download
memory/1008-43-0x00000000072C0000-0x00000000072D1000-memory.dmp

Filesize
68KB

Download
memory/1008-44-0x00000000072F0000-0x00000000072FE000-memory.dmp

Filesize
56KB

Download
memory/1008-45-0x0000000007300000-0x0000000007314000-memory.dmp

Filesize
80KB

Download
memory/1864-2-0x0000000001220000-0x0000000001230000-memory.dmp

Filesize
64KB

Download
memory/1864-1-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/1864-0-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/1864-56-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4816-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4816-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4816-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4816-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

description	pid	process	target process
PID 1864 wrote to memory of 1008	1864	c9646cb64d64919831475ebef3a562e8.exe	powershell.exe
PID 1864 wrote to memory of 1008	1864	c9646cb64d64919831475ebef3a562e8.exe	powershell.exe
PID 1864 wrote to memory of 1008	1864	c9646cb64d64919831475ebef3a562e8.exe	powershell.exe
PID 1864 wrote to memory of 1124	1864	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 1864 wrote to memory of 1124	1864	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 1864 wrote to memory of 1124	1864	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 1864 wrote to memory of 4816	1864	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 1864 wrote to memory of 4816	1864	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 1864 wrote to memory of 4816	1864	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 1864 wrote to memory of 4816	1864	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 1864 wrote to memory of 4816	1864	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 1864 wrote to memory of 4816	1864	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 1864 wrote to memory of 4816	1864	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 1864 wrote to memory of 4816	1864	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe
PID 1864 wrote to memory of 4816	1864	c9646cb64d64919831475ebef3a562e8.exe	c9646cb64d64919831475ebef3a562e8.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads