Analysis Overview
SHA256
7a2c5d70d2dd4d8cc557da080f1a7937aa62e48da44b0de6ad3743e100f7e372
Threat Level: Known bad
The file s.exe was found to be: Known bad.
Malicious Activity Summary
Azorult family
Azorult
Credentials from Password Stores: Credentials from Web Browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Unsecured Credentials: Credentials In Files
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Loads dropped DLL
Reads local data of messenger clients
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Accesses Microsoft Outlook profiles
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
outlook_office_path
Delays execution with timeout.exe
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-26 01:20
Signatures
Azorult family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-26 01:20
Reported
2024-08-26 01:23
Platform
win10-20240404-en
Max time kernel
134s
Max time network
137s
Command Line
Signatures
Azorult
Credentials from Password Stores: Credentials from Web Browsers
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1448 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1448 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1448 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4888 wrote to memory of 5112 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 4888 wrote to memory of 5112 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 4888 wrote to memory of 5112 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\s.exe
"C:\Users\Admin\AppData\Local\Temp\s.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "s.exe"
C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | l0h5.shop | udp |
| US | 172.67.180.170:80 | l0h5.shop | tcp |
| US | 8.8.8.8:53 | 170.180.67.172.in-addr.arpa | udp |
| US | 172.67.180.170:80 | l0h5.shop | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
\Users\Admin\AppData\Local\Temp\7B10FDB9\nss3.dll
| MD5 | 556ea09421a0f74d31c4c0a89a70dc23 |
| SHA1 | f739ba9b548ee64b13eb434a3130406d23f836e3 |
| SHA256 | f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb |
| SHA512 | 2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2 |
\Users\Admin\AppData\Local\Temp\7B10FDB9\mozglue.dll
| MD5 | 9e682f1eb98a9d41468fc3e50f907635 |
| SHA1 | 85e0ceca36f657ddf6547aa0744f0855a27527ee |
| SHA256 | 830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d |
| SHA512 | 230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed |
\Users\Admin\AppData\Local\Temp\7B10FDB9\vcruntime140.dll
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
\Users\Admin\AppData\Local\Temp\7B10FDB9\msvcp140.dll
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
memory/1448-111-0x0000000000400000-0x0000000000420000-memory.dmp