azorult | d6af1ba026c010e4d006842da28b478419bbc4c711f907a28c52079bc7fea1bf

Analysis

max time kernel
50s
max time network
52s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-09-2024 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Azorult 3.3‌.exe
Size

1.1MB
MD5

b91fe4c246efc048b78c9e162754a7a9
SHA1

15e1c4fe989290b07b60f93340476a9ba025bfa9
SHA256

d6af1ba026c010e4d006842da28b478419bbc4c711f907a28c52079bc7fea1bf
SHA512

4538a437fb2241ee38b1ab256618bbf2ea752bab92146fbf9138c6dd9585c5a5291155e19c6004372c925f300c0c7cfa87b7dfc467b556e8dbab092d8d04a2d2
SSDEEP

24576:KMyijQZ+ZJLXrfQRTJ6/aIRQbhB0LrKqk:/D0Z+ZZr4RT/I2dB0yqk

Score

10^/10

azorult xworm discovery execution infostealer rat trojan

Malware Config

Extracted

Family

xworm

146.190.110.91:3389

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2216-20-0x0000000000270000-0x0000000000288000-memory.dmp	family_xworm
behavioral1/files/0x000800000001ac40-14.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4636	powershell.exe
524	powershell.exe
3628	powershell.exe
5100	powershell.exe
4992	powershell.exe
4220	powershell.exe
1940	powershell.exe
3052	powershell.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	csrss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	csrss.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
3836	Azorult 3.3.exe
2216	svchost.exe
4320	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Azorult 3.3.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2216	svchost.exe
4320	csrss.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
524	powershell.exe
524	powershell.exe
524	powershell.exe
3628	powershell.exe
3628	powershell.exe
3628	powershell.exe
5100	powershell.exe
5100	powershell.exe
5100	powershell.exe
4992	powershell.exe
4992	powershell.exe
4992	powershell.exe
4220	powershell.exe
4220	powershell.exe
4220	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
4636	powershell.exe
2216	svchost.exe
4636	powershell.exe
4636	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	svchost.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	4320	csrss.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeIncreaseQuotaPrivilege	524	powershell.exe
Token: SeSecurityPrivilege	524	powershell.exe
Token: SeTakeOwnershipPrivilege	524	powershell.exe
Token: SeLoadDriverPrivilege	524	powershell.exe
Token: SeSystemProfilePrivilege	524	powershell.exe
Token: SeSystemtimePrivilege	524	powershell.exe
Token: SeProfSingleProcessPrivilege	524	powershell.exe
Token: SeIncBasePriorityPrivilege	524	powershell.exe
Token: SeCreatePagefilePrivilege	524	powershell.exe
Token: SeBackupPrivilege	524	powershell.exe
Token: SeRestorePrivilege	524	powershell.exe
Token: SeShutdownPrivilege	524	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeSystemEnvironmentPrivilege	524	powershell.exe
Token: SeRemoteShutdownPrivilege	524	powershell.exe
Token: SeUndockPrivilege	524	powershell.exe
Token: SeManageVolumePrivilege	524	powershell.exe
Token: 33	524	powershell.exe
Token: 34	524	powershell.exe
Token: 35	524	powershell.exe
Token: 36	524	powershell.exe
Token: SeIncreaseQuotaPrivilege	3628	powershell.exe
Token: SeSecurityPrivilege	3628	powershell.exe
Token: SeTakeOwnershipPrivilege	3628	powershell.exe
Token: SeLoadDriverPrivilege	3628	powershell.exe
Token: SeSystemProfilePrivilege	3628	powershell.exe
Token: SeSystemtimePrivilege	3628	powershell.exe
Token: SeProfSingleProcessPrivilege	3628	powershell.exe
Token: SeIncBasePriorityPrivilege	3628	powershell.exe
Token: SeCreatePagefilePrivilege	3628	powershell.exe
Token: SeBackupPrivilege	3628	powershell.exe
Token: SeRestorePrivilege	3628	powershell.exe
Token: SeShutdownPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeSystemEnvironmentPrivilege	3628	powershell.exe
Token: SeRemoteShutdownPrivilege	3628	powershell.exe
Token: SeUndockPrivilege	3628	powershell.exe
Token: SeManageVolumePrivilege	3628	powershell.exe
Token: 33	3628	powershell.exe
Token: 34	3628	powershell.exe
Token: 35	3628	powershell.exe
Token: 36	3628	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeIncreaseQuotaPrivilege	5100	powershell.exe
Token: SeSecurityPrivilege	5100	powershell.exe
Token: SeTakeOwnershipPrivilege	5100	powershell.exe
Token: SeLoadDriverPrivilege	5100	powershell.exe
Token: SeSystemProfilePrivilege	5100	powershell.exe
Token: SeSystemtimePrivilege	5100	powershell.exe
Token: SeProfSingleProcessPrivilege	5100	powershell.exe
Token: SeIncBasePriorityPrivilege	5100	powershell.exe
Token: SeCreatePagefilePrivilege	5100	powershell.exe
Token: SeBackupPrivilege	5100	powershell.exe
Token: SeRestorePrivilege	5100	powershell.exe
Token: SeShutdownPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeSystemEnvironmentPrivilege	5100	powershell.exe
Token: SeRemoteShutdownPrivilege	5100	powershell.exe
Token: SeUndockPrivilege	5100	powershell.exe
Token: SeManageVolumePrivilege	5100	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2216	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 3836	3328	Azorult 3.3‌.exe	73
PID 3328 wrote to memory of 3836	3328	Azorult 3.3‌.exe	73
PID 3328 wrote to memory of 3836	3328	Azorult 3.3‌.exe	73
PID 3328 wrote to memory of 2216	3328	Azorult 3.3‌.exe	74
PID 3328 wrote to memory of 2216	3328	Azorult 3.3‌.exe	74
PID 3328 wrote to memory of 4320	3328	Azorult 3.3‌.exe	75
PID 3328 wrote to memory of 4320	3328	Azorult 3.3‌.exe	75
PID 2216 wrote to memory of 524	2216	svchost.exe	76
PID 2216 wrote to memory of 524	2216	svchost.exe	76
PID 4320 wrote to memory of 3628	4320	csrss.exe	78
PID 4320 wrote to memory of 3628	4320	csrss.exe	78
PID 2216 wrote to memory of 5100	2216	svchost.exe	81
PID 2216 wrote to memory of 5100	2216	svchost.exe	81
PID 4320 wrote to memory of 4992	4320	csrss.exe	83
PID 4320 wrote to memory of 4992	4320	csrss.exe	83
PID 2216 wrote to memory of 4220	2216	svchost.exe	85
PID 2216 wrote to memory of 4220	2216	svchost.exe	85
PID 4320 wrote to memory of 1940	4320	csrss.exe	87
PID 4320 wrote to memory of 1940	4320	csrss.exe	87
PID 2216 wrote to memory of 3052	2216	svchost.exe	89
PID 2216 wrote to memory of 3052	2216	svchost.exe	89
PID 4320 wrote to memory of 4636	4320	csrss.exe	91
PID 4320 wrote to memory of 4636	4320	csrss.exe	91

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe
"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3‌.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
  "C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3836
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3052
- C:\ProgramData\csrss.exe
  "C:\ProgramData\csrss.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\csrss.exe

Filesize
30KB

MD5
0998890ccf8a3d8702db7a84fe6dd7b3

SHA1
18e561e0ef68fb08d8f391eacd45c7d573206b92

SHA256
c33e1408ea96b9ea7a72d44d7742effb4a98776711b7c94c4997a155af61b220

SHA512
8132312fb66a9d947eef3f625a4c18b8e640cec51616d0a9fd756e028d1bac5677f5de9a53c3ed32186cb238e8c46613b8c3d6641a6a953d7961412b030c6dd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b721b21f475be36eee76eb7dc3e479b8

SHA1
e4ec21b1f2ed4a3d29e55ad4350fa54c9b13e53c

SHA256
caff144bf4be3976720feb58d440318d242c86a89f0c3b0133a360391015fe4d

SHA512
fcc865cab4dcc809efb5559f7882764e30d7db05284515e150cf2b43b4ed22af2cb37139302f69fed4c31fc8bcf1aaee9ebb6dddeaa85b7426a8db15509d551b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d26e61b05e1a82bc1ed5078b6f020fbb

SHA1
5a7b374a664e5975e3aacab00e30fb499bbc5dd8

SHA256
7788aceab7325c7eaeb0c7c6ef1def257f8ffe731874f9b9d3247590528b6011

SHA512
75bfdbfc5e79404951e82448f68cb14b70091ba5abf4119029c826b403ca30d0612d3ab8cdb8190f1c8269ccd5cea27e17736b123990c96557d1cbb61f1a5f1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
feea8d6f8250de52fcd3693783c40a27

SHA1
4e56e1e6ce74490a5c12cfd7d12bab0c4e518ff3

SHA256
faa6d6e6aae83d484b2aa47c15fed5e631ec90e10f70caaa4ab9aae7e247c7b3

SHA512
559e26c7b384860fd8de7b9d0b8581cdf360cb1715b8f1b589a208d321c1560589ab85fba8c1b29eb0bcb1e24908dc7bd029e828cb613f9880fb4f134d9f216a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f3a77fddce80e2459933641b72404720

SHA1
43f29c7710ccdf53140456e0721e4f5b327c12f2

SHA256
9199ba2bca3d294818252d576e8ce2b76ee65a9c0746092e5ba877120710855b

SHA512
0582bcfd7b54b32e147bc643e6bc2a8ccf1f5c9959d31602de73d31f378cff01d6c218f1ab5a2d7d752199480da4df96585b8138dd0c260039f7058239869d08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d65fde5c872d59436685b946ea909d45

SHA1
312037e8abf5616a8dba9f9df024d0f7560b4371

SHA256
3e9a7d6652bdaef973a920b7ab52949485dfcad9793a5baa6369c5b9d90db9c5

SHA512
b593a9d423f0bc4021252afdaedae9ec5038b04a26abce1e05c142e112f39a48e0e9506d32955b3cbb32c389e7abd035b7ed5f0d36f9daa8b2b5c8562569fc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe

Filesize
1.3MB

MD5
8440a861c68965a66c009b140e1bee47

SHA1
801a8c77156a2c6cbc5899f36c961dc8fdc56665

SHA256
a8add4815bce2e26df3cd492c5686e22ab842bfa52c68af3f33c23adb820d06f

SHA512
c42903216f9f35368d41853ae96aaa7a7a07ce0730ca99b26909b98f5525b4fd772e0868c683fae0ca71730c0586ad3130be4ef3e6af68e299a933d9accca266

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r4f0r41e.nnr.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
67KB

MD5
50dce71a753bad01a07904f2af283123

SHA1
1beab766071ddeff0c8e577c6717debcee0d21e6

SHA256
8fb751033d1546ce28f5dcef171857ee879bdd31d76be2ae556f246c258473f3

SHA512
7cdc64dcfa8a0cbc1375a1878f560beb083cd9778ff67c5c0f1b693927c35365b384affc9dc33cade4aeaafded11ac328001a18ccb34a559678c1f50fa886c01

Download Submit
memory/524-38-0x0000026435AC0000-0x0000026435B36000-memory.dmp

Filesize
472KB

Download
memory/524-35-0x000002641D430000-0x000002641D452000-memory.dmp

Filesize
136KB

Download
memory/2216-20-0x0000000000270000-0x0000000000288000-memory.dmp

Filesize
96KB

Download
memory/2216-24-0x00007FFC73050000-0x00007FFC73A3C000-memory.dmp

Filesize
9.9MB

Download
memory/2216-381-0x00007FFC73050000-0x00007FFC73A3C000-memory.dmp

Filesize
9.9MB

Download
memory/3328-4-0x00007FFC73050000-0x00007FFC73A3C000-memory.dmp

Filesize
9.9MB

Download
memory/3328-1-0x0000000000220000-0x000000000033E000-memory.dmp

Filesize
1.1MB

Download
memory/3328-23-0x00007FFC73050000-0x00007FFC73A3C000-memory.dmp

Filesize
9.9MB

Download
memory/3328-0-0x00007FFC73053000-0x00007FFC73054000-memory.dmp

Filesize
4KB

Download
memory/3836-105-0x0000000004E60000-0x0000000004E6A000-memory.dmp

Filesize
40KB

Download
memory/3836-30-0x000000000A950000-0x000000000A9E2000-memory.dmp

Filesize
584KB

Download
memory/3836-29-0x000000000E630000-0x000000000EB2E000-memory.dmp

Filesize
5.0MB

Download
memory/3836-28-0x000000000A800000-0x000000000A868000-memory.dmp

Filesize
416KB

Download
memory/3836-27-0x00000000052D0000-0x00000000052D6000-memory.dmp

Filesize
24KB

Download
memory/3836-26-0x0000000000270000-0x00000000003CA000-memory.dmp

Filesize
1.4MB

Download
memory/4320-25-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download