azorult | c9f9cac249b944a81dcaf942997c774b267cd4b27d64318dd5d91583274098f1

General

Target

7c79a1035c5735d3d0b304564a33ba1a.exe
Size

584KB
MD5

7c79a1035c5735d3d0b304564a33ba1a
SHA1

ecf62b17647c2db020119168e0eb12aa16984bc8
SHA256

c9f9cac249b944a81dcaf942997c774b267cd4b27d64318dd5d91583274098f1
SHA512

c86a3f3d311f1f512f4dda2dc768a85bbe5fd5473a62a0b9a1232490c656588e333a8906be2d2971fd39a6e389a211c886857a443b31a0a951b47c2f0b75229b
SSDEEP

12288:Acir1S2IoOAc6/5rZGmy4nqpyZno/oPVPfvU7cwFG5jD/kGDnLTdfHaWAe5I/ZQw:Oqpy9ocVPfvU7s5jD/konvd/aWBuZnq0

Score

10^/10

azorult discovery execution infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://h8m5b.shop/ML341/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2684 powershell.exe
1480 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

7c79a1035c5735d3d0b304564a33ba1a.exe

description pid process target process

PID 1700 set thread context of 1168 1700 7c79a1035c5735d3d0b304564a33ba1a.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2684	powershell.exe
1480	powershell.exe

description	pid	process	target process
PID 1700 set thread context of 1168	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	MSBuild.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MSBuild.exe7c79a1035c5735d3d0b304564a33ba1a.exepowershell.exepowershell.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c79a1035c5735d3d0b304564a33ba1a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2692 schtasks.exe

pid	process
2692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

7c79a1035c5735d3d0b304564a33ba1a.exepowershell.exepowershell.exe

pid	process
1700	7c79a1035c5735d3d0b304564a33ba1a.exe
1700	7c79a1035c5735d3d0b304564a33ba1a.exe
1700	7c79a1035c5735d3d0b304564a33ba1a.exe
1700	7c79a1035c5735d3d0b304564a33ba1a.exe
1700	7c79a1035c5735d3d0b304564a33ba1a.exe
1700	7c79a1035c5735d3d0b304564a33ba1a.exe
1480	powershell.exe
2684	powershell.exe
1700	7c79a1035c5735d3d0b304564a33ba1a.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7c79a1035c5735d3d0b304564a33ba1a.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1700	7c79a1035c5735d3d0b304564a33ba1a.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

7c79a1035c5735d3d0b304564a33ba1a.exe

description	pid	process	target process
PID 1700 wrote to memory of 2684	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	powershell.exe
PID 1700 wrote to memory of 2684	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	powershell.exe
PID 1700 wrote to memory of 2684	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	powershell.exe
PID 1700 wrote to memory of 2684	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	powershell.exe
PID 1700 wrote to memory of 1480	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	powershell.exe
PID 1700 wrote to memory of 1480	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	powershell.exe
PID 1700 wrote to memory of 1480	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	powershell.exe
PID 1700 wrote to memory of 1480	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	powershell.exe
PID 1700 wrote to memory of 2692	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	schtasks.exe
PID 1700 wrote to memory of 2692	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	schtasks.exe
PID 1700 wrote to memory of 2692	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	schtasks.exe
PID 1700 wrote to memory of 2692	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	schtasks.exe
PID 1700 wrote to memory of 1168	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	MSBuild.exe
PID 1700 wrote to memory of 1168	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	MSBuild.exe
PID 1700 wrote to memory of 1168	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	MSBuild.exe
PID 1700 wrote to memory of 1168	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	MSBuild.exe
PID 1700 wrote to memory of 1168	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	MSBuild.exe
PID 1700 wrote to memory of 1168	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	MSBuild.exe
PID 1700 wrote to memory of 1168	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	MSBuild.exe
PID 1700 wrote to memory of 1168	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	MSBuild.exe
PID 1700 wrote to memory of 1168	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	MSBuild.exe
PID 1700 wrote to memory of 1168	1700	7c79a1035c5735d3d0b304564a33ba1a.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\7c79a1035c5735d3d0b304564a33ba1a.exe
"C:\Users\Admin\AppData\Local\Temp\7c79a1035c5735d3d0b304564a33ba1a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7c79a1035c5735d3d0b304564a33ba1a.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXACnJccZk.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXACnJccZk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF299.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF299.tmp

Filesize
1KB

MD5
3d230fda5fbf00864f0d9029ed30bbb3

SHA1
5a458e8a46500c2723cad05e76077e29d4744202

SHA256
c675f5eeac271fd791cf463099a3ab909afb42b884b3891fcc310e777f2a94bd

SHA512
767193af79e04aeeb69944ee2d74863b617210cf7f3330b45ecb79217c06aae694beea544205231cb9d91f0e6c3666e83b7984cbaf40de86ee8287f47f48567d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
74da88c2174b86de7fb90dc794d889ff

SHA1
967563f39842582784b0c297a8e3f20cde1b5819

SHA256
9a3e910fe3bcf326407eb25fa57e3a6d604ee412686949afed11fd34a6e5aebc

SHA512
9a7bc9fc3e3b589b4d798ed55ea25e5cce75b2f2d3f4ddee72064e487ddacc74f00edb18aa121be0ea9ea9c0ca48a90e4172802d593cbba4807e4978de994e5f

Download Submit
memory/1168-29-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1168-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1168-32-0x00000000002E0000-0x0000000000338000-memory.dmp

Filesize
352KB

Download
memory/1168-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1168-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1168-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1168-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1168-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1168-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1700-1-0x00000000008F0000-0x0000000000988000-memory.dmp

Filesize
608KB

Download
memory/1700-0-0x000000007402E000-0x000000007402F000-memory.dmp

Filesize
4KB

Download
memory/1700-2-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-6-0x00000000046D0000-0x0000000004734000-memory.dmp

Filesize
400KB

Download
memory/1700-3-0x000000007402E000-0x000000007402F000-memory.dmp

Filesize
4KB

Download
memory/1700-5-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/1700-4-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-33-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads