Analysis Overview
SHA256
d6af1ba026c010e4d006842da28b478419bbc4c711f907a28c52079bc7fea1bf
Threat Level: Known bad
The file Azorult 3.3.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Azorult
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Drops startup file
Checks computer location settings
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-01 16:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-01 16:27
Reported
2024-09-01 16:30
Platform
win7-20240708-en
Max time kernel
133s
Max time network
143s
Command Line
Signatures
Azorult
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk | C:\ProgramData\csrss.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk | C:\ProgramData\csrss.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\ProgramData\csrss.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not shown) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffffe0ffffff620100006604000009040000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3DE64861-687F-11EF-8334-424588269AE0} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431369986" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000846e2e4ab40ccd1d01b7cfd9d7c69909751ac05e58d712824d3dd1934d5a7aa5000000000e80000000020000200000000f576b30904febc9bf8001f417be6a9b7237cd60934626b78b6533e0ded20da720000000900cdea3537baee018ea18937266772380804eb49350c36ba7a3d325db1abecf4000000044b7bb5ed55351096637d85ff7ca8f725d4ad36de636614449102098e6560d37b708d4b189ac007a938107dcdaedd6ce1cfea5a8f31d221625db436574d15772 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20dcc2088cfcda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2" | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1" | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16" | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4" | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000 | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\ProgramData\csrss.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe"
C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\ProgramData\csrss.exe
"C:\ProgramData\csrss.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://xakfor.net/forum
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:406544 /prefetch:2
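The eight powershell.exe invocations above are the sample carving Defender exclusions for the two files it dropped and registered in the Startup folder (Roaming\svchost.exe and ProgramData\csrss.exe), both named after system processes that only legitimately live under System32/SysWOW64. The script below is an added example, not part of the sandbox report: it replays the image paths and command lines from the Processes section as constructed events, flags Add-MpPreference/Set-MpPreference exclusion parameters and the -ExecutionPolicy Bypass switch, flags system-process names outside the system directories, and correlates the two so that an exclusion covering a masquerading dropped file is reported at the highest severity. The (image, command line) event layout, the system-name list and the Finding structure are assumptions for illustration.

```python
"""Triage the Processes section of this report: flag Defender-exclusion
tampering and dropped binaries that borrow Windows system-process names.

Added example, not part of the sandbox report. EVENTS is constructed from the
image paths and command lines shown on the page; the (image, command line)
layout is an assumption, not a real Sysmon/4688 export.
"""
import re
from dataclasses import dataclass

# Process names that belong in System32/SysWOW64; the same name anywhere else
# is a masquerading candidate. Assumption: illustrative list, not exhaustive.
SYSTEM_PROCESS_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                        "dllhost.exe", "explorer.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# -ExclusionPath / -ExclusionProcess / -ExclusionExtension plus its value,
# whether single-quoted, double-quoted or bare.
_EXCLUSION_ARG = re.compile(r"""(-Exclusion\w+)\s+(?:'([^']*)'|"([^"]*)"|(\S+))""", re.I)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_PS_ARGS = [
    r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'",
    r"Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'",
    r"Add-MpPreference -ExclusionProcess 'csrss.exe'",
    r"Add-MpPreference -ExclusionProcess 'svchost.exe'",
] * 2  # each command appears twice in the report

# Constructed from the Processes section of this page.
EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe"'),
    (r"C:\Users\Admin\AppData\Roaming\svchost.exe", r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'),
    (r"C:\ProgramData\csrss.exe", r'"C:\ProgramData\csrss.exe"'),
    *[(PS, f'"{PS}" -ExecutionPolicy Bypass {a}') for a in _PS_ARGS],
    (r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    (r"C:\Windows\SysWOW64\DllHost.exe",
     r"C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"),
    (r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" https://xakfor.net/forum'),
]


@dataclass
class Finding:
    rule: str
    image: str
    param: str   # the exclusion parameter, or "name" for a masquerade finding
    value: str
    bypass: bool = False


def defender_exclusion_findings(image, cmdline):
    """One finding per -Exclusion* parameter in an Add-/Set-MpPreference call."""
    name = image.rsplit("\\", 1)[-1].lower()
    low = cmdline.lower()
    if name not in ("powershell.exe", "pwsh.exe"):
        return []
    if "add-mppreference" not in low and "set-mppreference" not in low:
        return []
    bypass = "-executionpolicy bypass" in low
    out = []
    for m in _EXCLUSION_ARG.finditer(cmdline):
        value = next(g for g in m.groups()[1:] if g is not None)
        out.append(Finding("defender_exclusion_added", image, m.group(1), value, bypass))
    return out


def masquerade_finding(image):
    """A system-process name living outside System32/SysWOW64."""
    name = image.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_PROCESS_NAMES and not image.lower().startswith(SYSTEM_DIRS):
        return Finding("system_name_outside_system_dir", image, "name", name)
    return None


def triage(events):
    exclusions, masqueraders, seen = [], [], set()
    for image, cmdline in events:
        exclusions.extend(defender_exclusion_findings(image, cmdline))
        m = masquerade_finding(image)
        if m and image.lower() not in seen:
            seen.add(image.lower())
            masqueraders.append(m)
    # Correlate: an exclusion whose value is a masquerading file (full path for
    # -ExclusionPath, bare name for -ExclusionProcess) is the strongest signal.
    covered = set()
    for f in exclusions:
        for m in masqueraders:
            if f.value.lower() in (m.image.lower(), m.value):
                covered.add(m.image)
    return {"exclusions": exclusions, "masqueraders": masqueraders,
            "excluded_masqueraders": covered}


if __name__ == "__main__":
    result = triage(EVENTS)
    for f in result["exclusions"]:
        print(f"[{f.rule}] {f.param} {f.value}" + (" (ExecutionPolicy Bypass)" if f.bypass else ""))
    for m in result["masqueraders"]:
        print(f"[{m.rule}] {m.image}")
    for path in sorted(result["excluded_masqueraders"]):
        print(f"[HIGH] dropped masquerading binary excluded from Defender: {path}")
```

On a live host the same two checks are a Sysmon Event ID 1 / Security 4688 search for Add-MpPreference or Set-MpPreference in the command line and a review of Get-MpPreference's ExclusionPath and ExclusionProcess lists; the correlation step is what separates an administrator adding an exclusion from malware excluding its own dropper.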
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| SG | 146.190.110.91:3389 | | tcp |
| US | 8.8.8.8:53 | xakfor.net | udp |
| NL | 37.48.65.144:443 | xakfor.net | tcp |
| NL | 37.48.65.144:443 | xakfor.net | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.18.190.73:80 | r11.o.lencr.org | tcp |
| GB | 2.18.190.80:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 8.8.8.8:53 | ww1.xakfor.net | udp |
| US | 199.59.243.226:80 | ww1.xakfor.net | tcp |
| US | 199.59.243.226:80 | ww1.xakfor.net | tcp |
| NL | 37.48.65.144:443 | xakfor.net | tcp |
| NL | 37.48.65.144:443 | xakfor.net | tcp |
| US | 199.59.243.226:80 | ww1.xakfor.net | tcp |
| US | 199.59.243.226:80 | ww1.xakfor.net | tcp |
| SG | 146.190.110.91:3389 | | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.80:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| FR | 2.22.57.219:80 | www.microsoft.com | tcp |
| SG | 146.190.110.91:3389 | | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| SG | 146.190.110.91:3389 | | tcp |
| SG | 146.190.110.91:3389 | | tcp |
Files
memory/2976-0-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp
memory/2976-1-0x0000000000BF0000-0x0000000000D0E000-memory.dmp
memory/2976-5-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
| MD5 | 8440a861c68965a66c009b140e1bee47 |
| SHA1 | 801a8c77156a2c6cbc5899f36c961dc8fdc56665 |
| SHA256 | a8add4815bce2e26df3cd492c5686e22ab842bfa52c68af3f33c23adb820d06f |
| SHA512 | c42903216f9f35368d41853ae96aaa7a7a07ce0730ca99b26909b98f5525b4fd772e0868c683fae0ca71730c0586ad3130be4ef3e6af68e299a933d9accca266 |
C:\ProgramData\csrss.exe
| MD5 | 0998890ccf8a3d8702db7a84fe6dd7b3 |
| SHA1 | 18e561e0ef68fb08d8f391eacd45c7d573206b92 |
| SHA256 | c33e1408ea96b9ea7a72d44d7742effb4a98776711b7c94c4997a155af61b220 |
| SHA512 | 8132312fb66a9d947eef3f625a4c18b8e640cec51616d0a9fd756e028d1bac5677f5de9a53c3ed32186cb238e8c46613b8c3d6641a6a953d7961412b030c6dd1 |
memory/1056-22-0x00000000000D0000-0x00000000000E8000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 50dce71a753bad01a07904f2af283123 |
| SHA1 | 1beab766071ddeff0c8e577c6717debcee0d21e6 |
| SHA256 | 8fb751033d1546ce28f5dcef171857ee879bdd31d76be2ae556f246c258473f3 |
| SHA512 | 7cdc64dcfa8a0cbc1375a1878f560beb083cd9778ff67c5c0f1b693927c35365b384affc9dc33cade4aeaafded11ac328001a18ccb34a559678c1f50fa886c01 |
memory/2976-24-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp
memory/2076-23-0x0000000000200000-0x000000000020E000-memory.dmp
memory/2364-25-0x00000000001F0000-0x000000000034A000-memory.dmp
memory/2364-26-0x0000000000530000-0x0000000000536000-memory.dmp
memory/2364-27-0x00000000021A0000-0x0000000002208000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 793209850878547c7f9973a626248878 |
| SHA1 | b8a9b6802819f79a6c6e0cf1e5b60b9d013634e9 |
| SHA256 | 1ec676462084deca8949dc193f67c468ad18e16c9baccdf21cf1bd782f1ab663 |
| SHA512 | 68e4cb18eb4b64cef6eec2c3aee47ab2102399836afdfe466ae054347cefe1bd451e976e8eda60e4af36d1d8caf1340a8888b870e4babb8d7ca90e91561785f9 |
memory/2120-37-0x000000001B6A0000-0x000000001B982000-memory.dmp
memory/2120-38-0x0000000001FB0000-0x0000000001FB8000-memory.dmp
memory/3060-44-0x000000001B6F0000-0x000000001B9D2000-memory.dmp
memory/3060-51-0x0000000001E70000-0x0000000001E78000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2788-68-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
memory/2364-76-0x0000000008EC0000-0x0000000008EC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar3F24.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\Cab3F25.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 383c40ec38334466886dfddba2bf6ec9 |
| SHA1 | d9a2720174dc74511c4854e09fc727185e672835 |
| SHA256 | 4f5845940d7237c9ef25af7029cf99c3011a0489967826c3ae272757ffb50a0a |
| SHA512 | 29feb2930c5b231d175b82d957130e71a76b1117b14352ab2f8bf8666c2b63797292a0cfe17a61a686e20a910592735108480fcb4d7a31822e22849a33efa709 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8b9319cf04c5e1f32faef730c1c1b2fc |
| SHA1 | b5467995e16f82f1fe8d8e801cdaadf542793e0b |
| SHA256 | 9b7c55bab5a0853f8764a10eaba7a5ce4864c02a3dc0660c460a198d56c42fba |
| SHA512 | becd168aaf27744551a70caae2fcde81ad0b82ba63f7fe5ff9f75346f805a2e4b54bf21b51b49b31d5653db482dfa9754e0e1d60b6847a84795a57ac850de91a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d504f1bbb02c72b16034e2cf88f8303d |
| SHA1 | 0a3ee01580d5141dd8e895f9aac2b5d5edc2c320 |
| SHA256 | 0845de5c5ff583ceb7ae8d947bd4a8632451666205fdf079314865e76c09fe54 |
| SHA512 | 531666305c349345ad638b5417ea5177a71f1f60ef2c7e950221a90c065848bc1be927c7f1d0332a917f418489348a616ea91f5ac3feaa11193205887ca2e79d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eb1ed370249fa495ef0bb7d302e4a4f5 |
| SHA1 | 129af7b6ebf57d3486c434d25cd402f94d39f92f |
| SHA256 | a467039b26aa45311e444d9857a2a313127286a0daeea488b0c0322901a603e8 |
| SHA512 | 8884032e8ab2bd59434139c93fe388edfaf43abb868792c1fb52b6cc001c7e0c57e916cbc3f0a8ec1c63cfe4833a276e918035db0aad915969192191f189121c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c20c11d9ca7f98e0399e5ccdfc889030 |
| SHA1 | 7b730c0bae23a1f121ca85246ecb40ac54a00d36 |
| SHA256 | c013aa27a867948cf1a466b33f39b231c4f60ae381c3189f0b5f0ff19c9544d2 |
| SHA512 | f488fba7ebbe6ea6c5c417cf9360e43af09c38b502c898a9698f68c69a104a5e81ac593ac4f24702b7913da7b9d1e1e9036b95c4ac79e5d97acbfc357f053499 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b79c1cf72f34acb031475ab642c17e40 |
| SHA1 | 642b355d365e04213bb73c0dcbdfd247c0b81bef |
| SHA256 | c8362ac4623cec9eeed88cffc07f742aba55e4d4ec1877977f3ca906ead361fc |
| SHA512 | 8f8de0bebc007ad9f0c2129fa2a0f22c854293cc88272c96d6f580c1e13cf5f75fc4d45253f51faa29c50772d8f95cdf3fda14a6e36ae4f95329909a77f9015e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a120e445c6da708a4199cd6aae4b7115 |
| SHA1 | a8e1fc6912d3456d9f062609d31fd56d810523c1 |
| SHA256 | 2a61ce9b7f169bdd0db3fe10d79880d26f790e125a5c5c47ee25b59413ba93b2 |
| SHA512 | c0ac1cdb84a71b1a650735720d9243b49dd275cbbce78965897212e034517ca814834a5b8b16689db2bce7373f095b1ddda2246b07036255d104c54c2475aec9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7bdfa34ceaeebb60322159bbc8a161b1 |
| SHA1 | dcb0775fce344f4fac8b02d17a5ee0cb4dec8251 |
| SHA256 | 931c4a033771ff8a296be106dd0a8ec9de9bfbae9abdbd7496346324a95c4bb9 |
| SHA512 | ff77453eeb8a029f2f06f5d5edc671588c9f7d05ce6be4f3e0e8969b74c39affba6cb5aa2dd65112eccbe3974d7ac0892c237a1e41b5921cb31c84ca3b31a5a7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PV4UUA1D.txt
| MD5 | 542ad0f97ffddeefb9845c19441ef7c3 |
| SHA1 | 71476a18c234cfbc428bc8737d8b0bee0ef19be6 |
| SHA256 | 0a52d543e6699655123d462aa8a019d751df653895c236377f241bc7ffb3c418 |
| SHA512 | da39ffef6a5e80278c7b192696f04082eb8817dfe09bc05fe6f5d3b59e5f4966e76d2c805fb5c2dfdcac0e56fd7225c22421c34e88dc912e3e4ea94c7ee792c2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\10A18B4E3A1EFF2159C89DEBDD93AEDE
| MD5 | dd16d56ac3ae8f000433e15835e7ad6a |
| SHA1 | 6c69213dcd09af9cc52af09c0635a5295e60f53d |
| SHA256 | 9b7ae127fbb9ed7d2782579496e01ed5fc6194e53b0ebac3712107d5171033c4 |
| SHA512 | 4553578ec0537466216d4d20250b7b4e054e04f8def9db3298f7ac24a850326670f773113c797c523f316ba264ca48a3f864ce913878b1adacad1a4ebd5e6f2a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2d35721440539516dbf5b836e59da6b2 |
| SHA1 | 71307eaa7498b1ea6862499d5174fff698baca7f |
| SHA256 | 4040a56d8409f269a7a6e12dc81bd4e6f92451a08fd2e3b1729dde8a0a1ca686 |
| SHA512 | f2b634d8f307805ac573b686beee32b348c5bbcc6a23031d4dc52f7e5a4d804712b1c56c50d8edc8cdb0a1d8c7daa4bedd898adbd81c3232478bde3313f0de16 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\10A18B4E3A1EFF2159C89DEBDD93AEDE
| MD5 | 5e895f1e5fb265c96d1960f97a551d7c |
| SHA1 | 98f75337e31a863bc179f8628c1f97272812c2cd |
| SHA256 | 7360cfc093129ff3b308f5c29c6416520e5faf23ea6694d163a9ea7393723132 |
| SHA512 | b6f0abff6e220e43db512396829acfac57a3c5770290a0d9126da056174431d981186d7e1182a6c12abbc98367868357383f98678d9456da8a3fe15367c34943 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
| MD5 | 822467b728b7a66b081c91795373789a |
| SHA1 | d8f2f02e1eef62485a9feffd59ce837511749865 |
| SHA256 | af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9 |
| SHA512 | bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
| MD5 | ab0ad66f97ddcab4ca6d485f92cd1cf9 |
| SHA1 | 5fe04980078f6ed7d5670730cee79c35ec92da26 |
| SHA256 | c69b02d3dfda425389364045f486ac66203b3ad0b1cbbc48cb3d12188f888888 |
| SHA512 | bf733a33fad76e1211259ffbc671db1398b71eccfb248432645bb88e564b38bafe027d35bdee246d85f1a923635b170f21e653236a20c41d50e5a82ab3631bf0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AWSQ4YT7.txt
| MD5 | 9c054e3f9261c4af34030adf6d35d0f2 |
| SHA1 | 10042c1684839bc817de178fa985432d021ce194 |
| SHA256 | c8d8c4171b09c87880ef38c395dba9303f1507576200fc4f1a68af5601e17e0f |
| SHA512 | 7af60d1f89410914ab616572830f85ea55bf418d38690a961ff5c35e3013628627612b5305146449c9080a0d8d8e66db586ce3d759bb0f426dc4a6a72e9c782f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\btSVMKKaV[1].js
| MD5 | e2ec36d427fa4a992d76c0ee5e8dfd4d |
| SHA1 | 47ec4ace4851c6c3a4fe23ad2c842885f6d973f2 |
| SHA256 | 36488e81afcbc4d7018b8764c18032b10be21aa45521c9671fde0cc77f70b2d8 |
| SHA512 | d1ae29d19f65ce74b9b480c82b87315634ec2e96d199f5feb423918af9ad6e24c8b436e03904d452f71562f04c42acbb250256eed73bcd592a79c08911c74976 |
C:\Users\Admin\AppData\Local\Temp\~DF376B3E66C67784AF.TMP
| MD5 | e1fe10f7137e19656d6332025a7f7cd8 |
| SHA1 | 7588aca4803aa9bd4fd1c0f83b78e503b7c27a13 |
| SHA256 | 4cd6b829057e50c2ac92aa23a6d92fc625ec1ac89cebbb95a12d9aa299a193b0 |
| SHA512 | 1f2a65d04c6c25eaa2f9a8c4319283e96828d1c301d6cd5a25d44e0202c5a517fe03a53f9f77a951443d70b8a2d49be0c6c6ce540b67ac1c8e1b00f659d193a2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e3b6211347c8d784c7adb5043360480d |
| SHA1 | aff0f9ddcc56bbd5d8913d4cd63111c5da78b133 |
| SHA256 | 55e2195bb57017fadb47412990965d5fc7083806d1fd9662f10831fed490ae38 |
| SHA512 | b656f782e9adb2233652e0711a1cd3a09e3d54da8e1b8d2bffb2be09ac9e7d614cc5cb87fbc85e764275ea00a847b9066fd09624ee0b02a2c7f551608486ab2f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e9c95408628cd307317109d7a9a1b2ce |
| SHA1 | bf998bdf6212f90bd3cb4d59a39f3d1c663d7d65 |
| SHA256 | 465aa4619e95369a48c8d625190970e37f348f79c9c61b347f5140db66c81b5b |
| SHA512 | ca9957d65b582a881864eb34d9df1a1e9de5023c49f5b6987df853b817ffa9b8fe1404aa5750794be36c6e002f44173a0ab661627e1356acd27c3eba3a421cfc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 01d2195b6e3122358790f0cdc732e67c |
| SHA1 | 946f983b371d301f71ff7e623e65bc723b2415b1 |
| SHA256 | 32a4395abcd02d2e14040ed06b21396fc55627bc00b3da0615b6fa6f48f94a0d |
| SHA512 | 14bdea38aa9edbae40806addfd8b420f70b26d78080ca98b0c6c46620f3ee0fd913e27860021f6b3db99cf4ca9af8e49456146ecca5396ddcd8c5ab469a9efb1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0d3a0db43ad1734dadbac7f5182dc991 |
| SHA1 | 9f15cf69f72594f5c46fcf7aeee1d96878dc10f6 |
| SHA256 | 83c9627b238c5f3ec9870eb67ff0115a34fb5139514c762744c6ffb237b1644e |
| SHA512 | 89f9f4c90db47fbdec249d119d8d00c4ed05ef630efc93da7d1e39e0503e9f58a4fd2c056ba232bf4285635b867c22a7402ac6dd17ad134d9e9fd8a35f59d586 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e901e867fa0d8b0e0bbba1fa9a500d9b |
| SHA1 | 0c03936dbc6dd080d3b0e740c86ca3bca25f58be |
| SHA256 | cc3fd933fa873ac4d4b587716d019d0fd81259a21fc8ffd72bcf7b711864c8c4 |
| SHA512 | d8c350bafadf0750d4c317c179cf9b87429b9cbd7b1d811be63d29a284cb7b2936261e90c790cb2e1d55ec77e3876ba94277eb2e8b4d183057871ae23cfe45a7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eb90e27097a7ec063cce39f0abc5d548 |
| SHA1 | ac9e96371623c8ad5e9028222655ef9e4ae6d2af |
| SHA256 | 01c942a487be30416b8abee1e3e3b59438ca90a3f115016258a2f9c5b9b8cea9 |
| SHA512 | 809539ef8fc471f042cdb53361edd1838b0ba141fb7c16d31b595dd84581c13ff6067fa3862e4369fdccbc5612f51b16fc0c1301bc56fe25fcd4f53d02be2abd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9617e517cecbc5c9049eb96fe13928f3 |
| SHA1 | edb1cc6426fa18aef96d1a6f73a8eea38e34e159 |
| SHA256 | a1d16e8672e30e123d7f16983616055ddcadcb8ead93a18a24d85155d30adc06 |
| SHA512 | b7407e041c971e715d795f948e50bd11cfc3ea118baa2e86861d7d00a81f2672dcee4b45db6cfa24b2a849e83001f04351df8d30802ea208531ac5273b5c3622 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 82bbc9da701a687cbf6cd01faa49125a |
| SHA1 | 7482a5e63f3c6f2ec0072014710ba796288826a6 |
| SHA256 | bcb46c13531aae8ac18031bd4ec8512a58a96e296910c22db2782748ef83865b |
| SHA512 | 16239e09d809b6f81f9b7d9b4a39bbb09a6a5e8a70e56f29cd203954e7347538a1848c55c8eca1c483278446055fc8bc1b3c0f1a8413afa4d72cab91a5e5f064 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2373d7862b5adc3cee7f9b3c66552b1d |
| SHA1 | 4ab749cbe23f1baa9060898bfa29bcffd0d4107c |
| SHA256 | 998728b2d78357bb9047152fae2487b8f15d92c77828d7dc5a1c0c435c719a2a |
| SHA512 | d16664fec798b60eca9d616c28ce128b1014cbf2c4a59570bb5e1bb5dd6e68aab794d4bfda15d42e7c46dcb7fccb94a0f1199d7632ab30e9b387ce825f2840f3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | b47ac1c52aea415244d6ae946d0a6cab |
| SHA1 | 2bbc28264b1afe43159195287b5a2ddfbaa40ab5 |
| SHA256 | c2353ed407b555fa4cb04156585d10df481b7097b1acc5a3e29e9d1f32c1d96e |
| SHA512 | 6376897fc7be8fa1fd89716c3823635dbb8c4b3e78a26a6fff4506d7a7eff7e118e6d6eb57c6c09fa19abaf1925a6dce8de1c4e14a27b132a130d37be8c8db64 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f8c4cc4e44b9ecb3eb222ad2624dd14c |
| SHA1 | bc00981596903d091171bff6beef8f9feeb2c316 |
| SHA256 | ba9051a54a98ad77934e637e5dea344f9d34c5c74a66703b900dc1032e3e66ee |
| SHA512 | 762cb9b748dc22ac4615deafa0fe2e2843e8fd70a2fa0cb0d6d28e95631cf5bf5c6a2cd82ce25aeea4462b011d3d92eac202651aed34b59261842f1147634b24 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7f0b060d1d5d6471ad24110e23e7d6a0 |
| SHA1 | 87ba341de167fa573771306414837337d5b41062 |
| SHA256 | 51a480328aafe803fac360db37b60a7c10dab52d862c9f590ad8148f661e3507 |
| SHA512 | e0ca46feb4aaef9aba3b5aeae8f0fb4f697a9e5dff36189d07a31161b4b5c7e3d1dc84ca156395945d620d6c4bff7b0762ee02a505acfb61ae830a35f939b434 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-09-01 16:27
Reported
2024-09-01 16:30
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
152s
Command Line
Signatures
Azorult
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\ProgramData\csrss.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk | C:\ProgramData\csrss.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk | C:\ProgramData\csrss.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\ProgramData\csrss.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\ProgramData\csrss.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe"
C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\ProgramData\csrss.exe
"C:\ProgramData\csrss.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| SG | 146.190.110.91:3389 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| SG | 146.190.110.91:3389 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| SG | 146.190.110.91:3389 | | tcp |
| SG | 146.190.110.91:3389 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| SG | 146.190.110.91:3389 | | tcp |
| SG | 146.190.110.91:3389 | | tcp |
Files
memory/4200-0-0x00007FFED23B3000-0x00007FFED23B5000-memory.dmp
memory/4200-1-0x0000000000020000-0x000000000013E000-memory.dmp
memory/4200-4-0x00007FFED23B0000-0x00007FFED2E71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
| MD5 | 8440a861c68965a66c009b140e1bee47 |
| SHA1 | 801a8c77156a2c6cbc5899f36c961dc8fdc56665 |
| SHA256 | a8add4815bce2e26df3cd492c5686e22ab842bfa52c68af3f33c23adb820d06f |
| SHA512 | c42903216f9f35368d41853ae96aaa7a7a07ce0730ca99b26909b98f5525b4fd772e0868c683fae0ca71730c0586ad3130be4ef3e6af68e299a933d9accca266 |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 50dce71a753bad01a07904f2af283123 |
| SHA1 | 1beab766071ddeff0c8e577c6717debcee0d21e6 |
| SHA256 | 8fb751033d1546ce28f5dcef171857ee879bdd31d76be2ae556f246c258473f3 |
| SHA512 | 7cdc64dcfa8a0cbc1375a1878f560beb083cd9778ff67c5c0f1b693927c35365b384affc9dc33cade4aeaafded11ac328001a18ccb34a559678c1f50fa886c01 |
memory/4364-41-0x00007FFED23B0000-0x00007FFED2E71000-memory.dmp
C:\ProgramData\csrss.exe
| MD5 | 0998890ccf8a3d8702db7a84fe6dd7b3 |
| SHA1 | 18e561e0ef68fb08d8f391eacd45c7d573206b92 |
| SHA256 | c33e1408ea96b9ea7a72d44d7742effb4a98776711b7c94c4997a155af61b220 |
| SHA512 | 8132312fb66a9d947eef3f625a4c18b8e640cec51616d0a9fd756e028d1bac5677f5de9a53c3ed32186cb238e8c46613b8c3d6641a6a953d7961412b030c6dd1 |
memory/4364-37-0x0000000000BF0000-0x0000000000C08000-memory.dmp
memory/2236-42-0x000000007528E000-0x000000007528F000-memory.dmp
memory/4200-43-0x00007FFED23B0000-0x00007FFED2E71000-memory.dmp
memory/2416-44-0x00000000000E0000-0x00000000000EE000-memory.dmp
memory/2236-45-0x00000000008E0000-0x0000000000A3A000-memory.dmp
memory/2236-46-0x00000000025A0000-0x00000000025A6000-memory.dmp
memory/2236-47-0x00000000046C0000-0x0000000004728000-memory.dmp
memory/2236-48-0x0000000007770000-0x0000000007D14000-memory.dmp
memory/2236-49-0x00000000071C0000-0x0000000007252000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vnx13dxc.mjg.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1428-57-0x000001B0F20A0000-0x000001B0F20C2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cbc41bceec6e8cf6d23f68d952487858 |
| SHA1 | f52edbceff042ded7209e8be90ec5e09086d62eb |
| SHA256 | b97a8a2a5dbc3c1b994affa4751e61e1ac6bddcf336a4c77ee96a3ce07c59f4d |
| SHA512 | 0f025ea2559e477c56500b9f4ecc251325793629cf1ae8d43ad783f1036b830c51757274b0aa8bb3183ac636cdfc1e0e8be1163a45695b8fb57df98c362534fb |
memory/2236-85-0x0000000002630000-0x000000000263A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 865d30ef81d6f5d8cb94ccd6bd627d1d |
| SHA1 | 13fbe1cfd95fecd018929b220078b9b6ae4aeaf1 |
| SHA256 | 9094c4736c6c3cfe381c2eb7c2b01461ce35dbbb87dd9d16606561a8ba5324dd |
| SHA512 | 03906c48756aeec397a71431f0fc7fbe43246f88ce49087c320d97c10203290beb53bf0b80cb8c1bb5eda5c0278dc8459fb5b61cedcea6a98b537ea72fca8766 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dbb22d95851b93abf2afe8fb96a8e544 |
| SHA1 | 920ec5fdb323537bcf78f7e29a4fc274e657f7a4 |
| SHA256 | e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465 |
| SHA512 | 16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc |
memory/4364-143-0x00007FFED23B0000-0x00007FFED2E71000-memory.dmp
memory/2236-144-0x000000007528E000-0x000000007528F000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-09-01 16:27
Reported
2024-09-01 16:30
Platform
win11-20240802-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Azorult
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk | C:\ProgramData\csrss.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk | C:\ProgramData\csrss.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\ProgramData\csrss.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\ProgramData\csrss.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe"
C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\ProgramData\csrss.exe
"C:\ProgramData\csrss.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| SG | 146.190.110.91:3389 | | tcp |
| SG | 146.190.110.91:3389 | | tcp |
| SG | 146.190.110.91:3389 | | tcp |
| SG | 146.190.110.91:3389 | | tcp |
| SG | 146.190.110.91:3389 | | tcp |
Files
memory/2484-0-0x00007FFF01FD3000-0x00007FFF01FD5000-memory.dmp
memory/2484-1-0x0000000000D60000-0x0000000000E7E000-memory.dmp
memory/2484-4-0x00007FFF01FD0000-0x00007FFF02A92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
| MD5 | 8440a861c68965a66c009b140e1bee47 |
| SHA1 | 801a8c77156a2c6cbc5899f36c961dc8fdc56665 |
| SHA256 | a8add4815bce2e26df3cd492c5686e22ab842bfa52c68af3f33c23adb820d06f |
| SHA512 | c42903216f9f35368d41853ae96aaa7a7a07ce0730ca99b26909b98f5525b4fd772e0868c683fae0ca71730c0586ad3130be4ef3e6af68e299a933d9accca266 |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 50dce71a753bad01a07904f2af283123 |
| SHA1 | 1beab766071ddeff0c8e577c6717debcee0d21e6 |
| SHA256 | 8fb751033d1546ce28f5dcef171857ee879bdd31d76be2ae556f246c258473f3 |
| SHA512 | 7cdc64dcfa8a0cbc1375a1878f560beb083cd9778ff67c5c0f1b693927c35365b384affc9dc33cade4aeaafded11ac328001a18ccb34a559678c1f50fa886c01 |
memory/4824-23-0x000000007515E000-0x000000007515F000-memory.dmp
memory/4976-43-0x0000000000E90000-0x0000000000E9E000-memory.dmp
memory/1048-41-0x0000000000980000-0x0000000000998000-memory.dmp
C:\ProgramData\csrss.exe
| MD5 | 0998890ccf8a3d8702db7a84fe6dd7b3 |
| SHA1 | 18e561e0ef68fb08d8f391eacd45c7d573206b92 |
| SHA256 | c33e1408ea96b9ea7a72d44d7742effb4a98776711b7c94c4997a155af61b220 |
| SHA512 | 8132312fb66a9d947eef3f625a4c18b8e640cec51616d0a9fd756e028d1bac5677f5de9a53c3ed32186cb238e8c46613b8c3d6641a6a953d7961412b030c6dd1 |
memory/1048-38-0x00007FFF01FD3000-0x00007FFF01FD5000-memory.dmp
memory/4824-44-0x00000000008E0000-0x0000000000A3A000-memory.dmp
memory/2484-45-0x00007FFF01FD0000-0x00007FFF02A92000-memory.dmp
memory/4824-46-0x00000000026A0000-0x00000000026A6000-memory.dmp
memory/4824-47-0x00000000046C0000-0x0000000004728000-memory.dmp
memory/4824-48-0x0000000007660000-0x0000000007C06000-memory.dmp
memory/4824-49-0x0000000007190000-0x0000000007222000-memory.dmp
memory/1468-55-0x00000296F8E70000-0x00000296F8E92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_axwj0a1s.yff.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e3840d9bcedfe7017e49ee5d05bd1c46 |
| SHA1 | 272620fb2605bd196df471d62db4b2d280a363c6 |
| SHA256 | 3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f |
| SHA512 | 76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
memory/4824-89-0x00000000025B0000-0x00000000025BA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0bdf1f3b17535062ac08020252a67de7 |
| SHA1 | 0bdfb9e03a0495d3348c44050fe2c2ad5b8ded5c |
| SHA256 | 868024d64b75b07c6848c7297ca32670af1ff5a4f961baaf873daddf3a8abbae |
| SHA512 | ec18062b156907365e198d99038b1616b28055b0f9fe1714489ff2bd5f2a5bd0affb7ac954763b1cf197d038d000566ba05fc6fb27da401e24ad9ac284ab6ba7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a13d86aa4aa93ee4e7b6a655edf6cc79 |
| SHA1 | b3172c58361cfc52fe51b7bd2971df38657e77db |
| SHA256 | d42c42ef46ed4341b7eb52572aa6c7bc7720401481c93b38d6cc7cbf00826066 |
| SHA512 | 6e55311ca9f9ec756eac30841c9564a679089b7a249a6d5841e97e7bc73e5dd213bd7683856b740bbae2fa46456558558f52ec78b4460ef932d363d3e7800fbf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 34e3230cb2131270db1af79fb3d57752 |
| SHA1 | 21434dd7cf3c4624226b89f404fd7982825f8ac6 |
| SHA256 | 0f162f27548a84db1638bcf46d03661b5bcb3032e765fafdb597cc107639ba39 |
| SHA512 | 3756cb01e82dbda681b562eae74d0b8ef8b3787b126119a51a92c51a78204a7805b9bdd60c00c50a3be23b843e78bb153b656540767069f739ce421b9bc02335 |
memory/4824-135-0x000000007515E000-0x000000007515F000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-01 16:27
Reported
2024-09-01 16:29
Platform
win10-20240404-en
Max time kernel
50s
Max time network
52s
Command Line
Signatures
Azorult
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk | C:\ProgramData\csrss.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk | C:\ProgramData\csrss.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\ProgramData\csrss.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\ProgramData\csrss.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe"
C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\ProgramData\csrss.exe
"C:\ProgramData\csrss.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
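The process lists of both detonations (behavioral2 above and behavioral1 here) show the same defense-evasion sequence: the sample drops copies of itself named after Windows system processes (`svchost.exe` under the user's Roaming profile, `csrss.exe` under ProgramData), then spawns PowerShell with `-ExecutionPolicy Bypass` to add both a path and a process exclusion in Microsoft Defender for each copy. The following Python triage helper is an added example, not part of this report or of any sandbox tooling; it takes process command lines as plain strings (the sample input reproduces the command lines listed above, deduplicated, plus two constructed benign lines for contrast), extracts the Defender exclusions, flags system-process names running outside System32/SysWOW64, and correlates the two. The `SYSTEM_PROCESS_NAMES` list and the benign lines are assumptions for illustration.

```python
import ntpath
import re
from typing import Optional

# Assumed: Windows-native process names that are only legitimate under System32/SysWOW64.
SYSTEM_PROCESS_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "wininit.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Matches Add-MpPreference with one of its exclusion switches; the value may be quoted
# with single quotes, double quotes, or not at all.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-(ExclusionPath|ExclusionProcess|ExclusionExtension|ExclusionIpAddress)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE,
)
BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|ep)\s+(?:Bypass|Unrestricted)", re.IGNORECASE)

PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '

# Constructed sample: the distinct command lines from this report's Processes list,
# followed by two constructed benign lines that must not be flagged.
SAMPLE_PROCESS_LOG = [
    r'"C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe"',
    r'"C:\Users\Admin\AppData\Roaming\svchost.exe"',
    r'"C:\ProgramData\csrss.exe"',
    PS + r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'",
    PS + r"Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'",
    PS + r"Add-MpPreference -ExclusionProcess 'svchost.exe'",
    PS + r"Add-MpPreference -ExclusionProcess 'csrss.exe'",
    r'"C:\Windows\System32\svchost.exe" -k netsvcs',  # constructed: real svchost, legitimate location
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath '
    r"'D:\BuildCache'",  # constructed: admin-style exclusion without a policy bypass
]


def image_path(cmdline: str) -> str:
    """Return the executable path at the start of a command line (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1 : cmdline.index('"', 1)]
    return cmdline.split(maxsplit=1)[0]


def is_masquerading(path: str) -> bool:
    """True when a Windows system process name runs from outside System32/SysWOW64."""
    name = ntpath.basename(path).lower()
    if name not in SYSTEM_PROCESS_NAMES:
        return False
    return ntpath.dirname(path).lower().rstrip("\\") not in SYSTEM_DIRS


def parse_defender_exclusion(cmdline: str) -> Optional[dict]:
    """Extract the exclusion kind and value from an Add-MpPreference command line, if present."""
    m = EXCLUSION_RE.search(cmdline)
    if not m:
        return None
    value = next(g for g in m.groups()[1:] if g is not None)
    return {
        "kind": m.group(1).lower().removeprefix("exclusion"),  # path / process / extension / ipaddress
        "value": value,
        "policy_bypass": bool(BYPASS_RE.search(cmdline)),
    }


def triage(cmdlines) -> dict:
    """Summarise exclusions and masquerading binaries, and correlate the two."""
    report = {
        "excluded_paths": set(),
        "excluded_processes": set(),
        "masquerading": set(),
        "policy_bypass_exclusions": 0,
    }
    for line in cmdlines:
        img = image_path(line)
        if is_masquerading(img):
            report["masquerading"].add(img)
        ex = parse_defender_exclusion(line)
        if ex is None:
            continue
        if ex["kind"] == "path":
            report["excluded_paths"].add(ex["value"])
        elif ex["kind"] == "process":
            report["excluded_processes"].add(ex["value"])
        if ex["policy_bypass"]:
            report["policy_bypass_exclusions"] += 1
    # Highest-confidence signal: an exclusion whose target is itself a masquerading binary.
    report["excluded_and_masquerading"] = report["excluded_paths"] & report["masquerading"]
    masq_names = {ntpath.basename(p).lower() for p in report["masquerading"]}
    report["excluded_process_names_masquerading"] = {
        n for n in report["excluded_processes"] if n.lower() in masq_names
    }
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PROCESS_LOG).items():
        print(f"{key}: {value}")
```

The correlation step is what matters in practice: a single `Add-MpPreference` call can be an administrator's build-cache exclusion, but an exclusion whose target is a `svchost.exe` or `csrss.exe` living in a user-writable directory, issued with `-ExecutionPolicy Bypass`, has no benign explanation. On a live host the same logic can be applied to the Defender exclusion lists themselves (`Get-MpPreference` exposes `ExclusionPath` and `ExclusionProcess`) and to the Startup-folder `.lnk` files the report lists under "Drops startup file".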
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | f.f.f.f.8.f.2.0.2.c.1.c.3.1.0.9.f.f.f.f.6.9.8.8.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| SG | 146.190.110.91:3389 | | tcp |
| SG | 146.190.110.91:3389 | | tcp |
Files
memory/3328-0-0x00007FFC73053000-0x00007FFC73054000-memory.dmp
memory/3328-1-0x0000000000220000-0x000000000033E000-memory.dmp
memory/3328-4-0x00007FFC73050000-0x00007FFC73A3C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Azorult 3.3.exe
| MD5 | 8440a861c68965a66c009b140e1bee47 |
| SHA1 | 801a8c77156a2c6cbc5899f36c961dc8fdc56665 |
| SHA256 | a8add4815bce2e26df3cd492c5686e22ab842bfa52c68af3f33c23adb820d06f |
| SHA512 | c42903216f9f35368d41853ae96aaa7a7a07ce0730ca99b26909b98f5525b4fd772e0868c683fae0ca71730c0586ad3130be4ef3e6af68e299a933d9accca266 |
C:\ProgramData\csrss.exe
| MD5 | 0998890ccf8a3d8702db7a84fe6dd7b3 |
| SHA1 | 18e561e0ef68fb08d8f391eacd45c7d573206b92 |
| SHA256 | c33e1408ea96b9ea7a72d44d7742effb4a98776711b7c94c4997a155af61b220 |
| SHA512 | 8132312fb66a9d947eef3f625a4c18b8e640cec51616d0a9fd756e028d1bac5677f5de9a53c3ed32186cb238e8c46613b8c3d6641a6a953d7961412b030c6dd1 |
memory/3328-23-0x00007FFC73050000-0x00007FFC73A3C000-memory.dmp
memory/4320-25-0x0000000000620000-0x000000000062E000-memory.dmp
memory/2216-24-0x00007FFC73050000-0x00007FFC73A3C000-memory.dmp
memory/2216-20-0x0000000000270000-0x0000000000288000-memory.dmp
memory/3836-26-0x0000000000270000-0x00000000003CA000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 50dce71a753bad01a07904f2af283123 |
| SHA1 | 1beab766071ddeff0c8e577c6717debcee0d21e6 |
| SHA256 | 8fb751033d1546ce28f5dcef171857ee879bdd31d76be2ae556f246c258473f3 |
| SHA512 | 7cdc64dcfa8a0cbc1375a1878f560beb083cd9778ff67c5c0f1b693927c35365b384affc9dc33cade4aeaafded11ac328001a18ccb34a559678c1f50fa886c01 |
memory/3836-27-0x00000000052D0000-0x00000000052D6000-memory.dmp
memory/3836-28-0x000000000A800000-0x000000000A868000-memory.dmp
memory/3836-29-0x000000000E630000-0x000000000EB2E000-memory.dmp
memory/3836-30-0x000000000A950000-0x000000000A9E2000-memory.dmp
memory/524-35-0x000002641D430000-0x000002641D452000-memory.dmp
memory/524-38-0x0000026435AC0000-0x0000026435B36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r4f0r41e.nnr.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3836-105-0x0000000004E60000-0x0000000004E6A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b721b21f475be36eee76eb7dc3e479b8 |
| SHA1 | e4ec21b1f2ed4a3d29e55ad4350fa54c9b13e53c |
| SHA256 | caff144bf4be3976720feb58d440318d242c86a89f0c3b0133a360391015fe4d |
| SHA512 | fcc865cab4dcc809efb5559f7882764e30d7db05284515e150cf2b43b4ed22af2cb37139302f69fed4c31fc8bcf1aaee9ebb6dddeaa85b7426a8db15509d551b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d26e61b05e1a82bc1ed5078b6f020fbb |
| SHA1 | 5a7b374a664e5975e3aacab00e30fb499bbc5dd8 |
| SHA256 | 7788aceab7325c7eaeb0c7c6ef1def257f8ffe731874f9b9d3247590528b6011 |
| SHA512 | 75bfdbfc5e79404951e82448f68cb14b70091ba5abf4119029c826b403ca30d0612d3ab8cdb8190f1c8269ccd5cea27e17736b123990c96557d1cbb61f1a5f1c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | feea8d6f8250de52fcd3693783c40a27 |
| SHA1 | 4e56e1e6ce74490a5c12cfd7d12bab0c4e518ff3 |
| SHA256 | faa6d6e6aae83d484b2aa47c15fed5e631ec90e10f70caaa4ab9aae7e247c7b3 |
| SHA512 | 559e26c7b384860fd8de7b9d0b8581cdf360cb1715b8f1b589a208d321c1560589ab85fba8c1b29eb0bcb1e24908dc7bd029e828cb613f9880fb4f134d9f216a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f3a77fddce80e2459933641b72404720 |
| SHA1 | 43f29c7710ccdf53140456e0721e4f5b327c12f2 |
| SHA256 | 9199ba2bca3d294818252d576e8ce2b76ee65a9c0746092e5ba877120710855b |
| SHA512 | 0582bcfd7b54b32e147bc643e6bc2a8ccf1f5c9959d31602de73d31f378cff01d6c218f1ab5a2d7d752199480da4df96585b8138dd0c260039f7058239869d08 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d65fde5c872d59436685b946ea909d45 |
| SHA1 | 312037e8abf5616a8dba9f9df024d0f7560b4371 |
| SHA256 | 3e9a7d6652bdaef973a920b7ab52949485dfcad9793a5baa6369c5b9d90db9c5 |
| SHA512 | b593a9d423f0bc4021252afdaedae9ec5038b04a26abce1e05c142e112f39a48e0e9506d32955b3cbb32c389e7abd035b7ed5f0d36f9daa8b2b5c8562569fc59 |
memory/2216-381-0x00007FFC73050000-0x00007FFC73A3C000-memory.dmp