azorult | 3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe

Executes dropped EXE 3 IoCs

pid	Process
3276	vnc.exe
3156	windef.exe
4804	winsock.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\n:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\o:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\s:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\y:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\j:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\k:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\q:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\u:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\i:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\l:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\g:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\m:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\p:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\r:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\v:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\w:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\a:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\b:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\t:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\x:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\z:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\e:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
File opened (read-only)	\??\h:	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com
60	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchost.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023211-65.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 2532	2044	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe	91
PID 3276 set thread context of 3312	3276	vnc.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1412	4804	WerFault.exe	97
3392	404	WerFault.exe	119
1168	4600	WerFault.exe	130
1156	2164	WerFault.exe	139

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4328	schtasks.exe
3512	schtasks.exe
5084	schtasks.exe
4456	schtasks.exe
4532	schtasks.exe
4656	schtasks.exe
3100	schtasks.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
1500	PING.EXE
3096	PING.EXE
4360	PING.EXE
3924	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2044	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
2044	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
2044	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
2044	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3276	vnc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3156	windef.exe
Token: SeDebugPrivilege	4804	winsock.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 3276	2044	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe	87
PID 2044 wrote to memory of 3276	2044	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe	87
PID 2044 wrote to memory of 3276	2044	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe	87
PID 3276 wrote to memory of 3312	3276	vnc.exe	89
PID 3276 wrote to memory of 3312	3276	vnc.exe	89
PID 3276 wrote to memory of 3312	3276	vnc.exe	89
PID 2044 wrote to memory of 3156	2044	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe	90
PID 2044 wrote to memory of 3156	2044	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe	90
PID 2044 wrote to memory of 3156	2044	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe	90
PID 2044 wrote to memory of 2532	2044	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe	91
PID 2044 wrote to memory of 2532	2044	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe	91
PID 2044 wrote to memory of 2532	2044	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe	91
PID 2044 wrote to memory of 2532	2044	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe	91
PID 2044 wrote to memory of 2532	2044	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe	91
PID 3276 wrote to memory of 3312	3276	vnc.exe	89
PID 2044 wrote to memory of 4328	2044	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe	92
PID 2044 wrote to memory of 4328	2044	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe	92
PID 2044 wrote to memory of 4328	2044	3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe	92
PID 3276 wrote to memory of 3312	3276	vnc.exe	89
PID 3156 wrote to memory of 3512	3156	windef.exe	95
PID 3156 wrote to memory of 3512	3156	windef.exe	95
PID 3156 wrote to memory of 3512	3156	windef.exe	95
PID 3156 wrote to memory of 4804	3156	windef.exe	97
PID 3156 wrote to memory of 4804	3156	windef.exe	97
PID 3156 wrote to memory of 4804	3156	windef.exe	97
PID 4804 wrote to memory of 5084	4804	winsock.exe	98
PID 4804 wrote to memory of 5084	4804	winsock.exe	98
PID 4804 wrote to memory of 5084	4804	winsock.exe	98

C:\Users\Admin\AppData\Local\Temp\3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
"C:\Users\Admin\AppData\Local\Temp\3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe"
1⤵
- Quasar RAT
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\vnc.exe
  "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k
    3⤵
    - Maps connected drives based on registry
    PID:3312
- C:\Users\Admin\AppData\Local\Temp\windef.exe
  "C:\Users\Admin\AppData\Local\Temp\windef.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3512
- - C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:5084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\es2boG9n5P8D.bat" "
      4⤵
      PID:2640
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4792
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:3096
    - - C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
        5⤵
        
        PID:404
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:4456
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ziLLexGXXOLp.bat" "
        6⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:4360
        
        C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
        7⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKN5P0PjOQuM.bat" "
        8⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:3924
        
        C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
        9⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
        10⤵
        Creates scheduled task(s)
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\omoR4WUvWvf1.bat" "
        10⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:1500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 2000
        10⤵
        Program crash
        
        PID:1156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 2236
        8⤵
        Program crash
        
        PID:1168
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 2264
        6⤵
        Program crash
        
        PID:3392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 2276
      4⤵
      Program crash
      PID:1412
- C:\Users\Admin\AppData\Local\Temp\3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe
  "C:\Users\Admin\AppData\Local\Temp\3c09914d1be33c74bd5aca8378266a1304f3de4d913f9aa20da4d9d5fa92e136.exe"
  2⤵
  PID:2532
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4804 -ip 4804
1⤵
PID:652

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
1⤵
PID:5032
- C:\Users\Admin\AppData\Local\Temp\vnc.exe
  "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
  2⤵
  PID:4176
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k
    3⤵
    PID:2880
- C:\Users\Admin\AppData\Local\Temp\windef.exe
  "C:\Users\Admin\AppData\Local\Temp\windef.exe"
  2⤵
  PID:4528
- C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
  "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
  2⤵
  PID:4688
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 404 -ip 404
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4600 -ip 4600
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2164 -ip 2164
1⤵
PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery