azorult | ec74076a06ebf53fbdf50828b8f1b2f1fd950a901f1fdd85b1e13f513249626b

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
1980	vnc.exe
4616	windef.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\k:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\m:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\n:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\v:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\e:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\i:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\r:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\s:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\y:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\x:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\a:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\b:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\h:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\j:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\p:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\u:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\z:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\g:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\l:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\o:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\q:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\t:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
File opened (read-only)	\??\w:	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com
77	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	svchost.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023260-51.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 4780	1980	vnc.exe	93
PID 868 set thread context of 2096	868	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4104	2448	WerFault.exe	101
4952	436	WerFault.exe	126
2960	3400	WerFault.exe	135

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
1008	schtasks.exe
2188	schtasks.exe
1216	schtasks.exe
3700	schtasks.exe
1548	schtasks.exe
616	schtasks.exe
1684	schtasks.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
4828	PING.EXE
4588	PING.EXE
3236	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
868	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
868	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
868	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
868	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1980	vnc.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 1980	868	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe	91
PID 868 wrote to memory of 1980	868	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe	91
PID 868 wrote to memory of 1980	868	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe	91
PID 1980 wrote to memory of 4780	1980	vnc.exe	93
PID 1980 wrote to memory of 4780	1980	vnc.exe	93
PID 1980 wrote to memory of 4780	1980	vnc.exe	93
PID 868 wrote to memory of 4616	868	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe	94
PID 868 wrote to memory of 4616	868	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe	94
PID 868 wrote to memory of 4616	868	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe	94
PID 868 wrote to memory of 2096	868	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe	95
PID 868 wrote to memory of 2096	868	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe	95
PID 868 wrote to memory of 2096	868	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe	95
PID 1980 wrote to memory of 4780	1980	vnc.exe	93
PID 868 wrote to memory of 2096	868	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe	95
PID 868 wrote to memory of 2096	868	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe	95
PID 868 wrote to memory of 616	868	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe	96
PID 868 wrote to memory of 616	868	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe	96
PID 868 wrote to memory of 616	868	b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe	96
PID 1980 wrote to memory of 4780	1980	vnc.exe	93

C:\Users\Admin\AppData\Local\Temp\b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:868
- C:\Users\Admin\AppData\Local\Temp\vnc.exe
  "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k
    3⤵
    - Maps connected drives based on registry
    PID:4780
- C:\Users\Admin\AppData\Local\Temp\windef.exe
  "C:\Users\Admin\AppData\Local\Temp\windef.exe"
  2⤵
  - Executes dropped EXE
  PID:4616
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1684
- - C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
    3⤵
    PID:2448
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P9kV4V8r47oE.bat" "
      4⤵
      PID:4080
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3152
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:4828
    - - C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
        5⤵
        
        PID:436
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:1216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X7E7d5TJDkX3.bat" "
        6⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:4588
        
        C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
        7⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKyYiJoyADTu.bat" "
        8⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:3236
        
        C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
        9⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
        10⤵
        Creates scheduled task(s)
        
        PID:1548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 2260
        8⤵
        Program crash
        
        PID:2960
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 2008
        6⤵
        Program crash
        
        PID:4952
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 2272
      4⤵
      Program crash
      PID:4104
- C:\Users\Admin\AppData\Local\Temp\b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\b3975d4dacd50dfcec2c1de7b06f1390_NeikiAnalytics.exe"
  2⤵
  PID:2096
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:616

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\vnc.exe
  "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
  2⤵
  PID:720
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k
    3⤵
    PID:2156
- C:\Users\Admin\AppData\Local\Temp\windef.exe
  "C:\Users\Admin\AppData\Local\Temp\windef.exe"
  2⤵
  PID:3548
- C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
  "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
  2⤵
  PID:1928
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:2188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3636 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2448 -ip 2448
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 436 -ip 436
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3400 -ip 3400
1⤵
PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery