Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2024 20:34
Static task: static1
Behavioral task: behavioral1
- Sample: 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe
- Resource: win10v2004-20241007-en
General
- Target: 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe
- Size: 2.4MB
- MD5: 66b8734bf63417e42501295ae9897c49
- SHA1: 052e282d2d6fb1ef51594a01496421c1d5953d1e
- SHA256: 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff
- SHA512: b351e270cbd07bc2e2ed2d1a247a19c215792671177ee3b78aaae4f2d3a5106002749c289ef4c75a17925edbf34da2dfe047b6c46565a8e7edbfd7cc420302aa
- SSDEEP: 49152:bh+ZkldoPK8Ya8bh+ZkldoPK8YauAcfjCb:E2cPK8J2cPK8FAI
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: asorock0011.ddns.net:3883
- C2: wcbradley.duckdns.org:3883
- Mutex: 085f7dcc-185c-430c-8509-24ff72383d6e
- activate_away_mode: true
- backup_connection_host: wcbradley.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2018-11-25T14:42:34.851485336Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3883
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 085f7dcc-185c-430c-8509-24ff72383d6e
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: asorock0011.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Extracted
- Family: azorult
- C2: http://fortillinco.com/raeymnbvcxz/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Azorult family
- Nanocore family
- Drops startup file 1 IoCs
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msco.url
  Process: 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe
- Executes dropped EXE 2 IoCs
  pid 2776, Process azo.exe
  pid 2760, Process azo.exe
- Loads dropped DLL 5 IoCs
  pid 2068, Process 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe (4 entries)
  pid 2776, Process azo.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Service = "C:\\Program Files (x86)\\UDP Service\\udpsv.exe"
  Process: RegAsm.exe
- Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: RegAsm.exe
- AutoIT Executable 1 IoCs
  AutoIT scripts compiled to PE executables.
  resource: behavioral1/files/0x0003000000012000-2.dat
  yara_rule: autoit_exe
- Suspicious use of SetThreadContext 2 IoCs
  description: PID 2068 set thread context of 2552; pid 2068; Process 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe; procid_target 31
  description: PID 2776 set thread context of 2760; pid 2776; Process azo.exe; procid_target 32
- Drops file in Program Files directory 2 IoCs
  description: File created; ioc: C:\Program Files (x86)\UDP Service\udpsv.exe; Process: RegAsm.exe
  description: File opened for modification; ioc: C:\Program Files (x86)\UDP Service\udpsv.exe; Process: RegAsm.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: azo.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: RegAsm.exe
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: azo.exe
- Suspicious behavior: EnumeratesProcesses 3 IoCs
  pid 2552, Process RegAsm.exe (3 entries)
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid 2552, Process RegAsm.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  description: Token: SeDebugPrivilege; pid 2552; Process RegAsm.exe
- Suspicious use of WriteProcessMemory 19 IoCs
  description: PID 2068 wrote to memory of 2776; pid 2068; Process 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe; procid_target 30 (4 entries)
  description: PID 2068 wrote to memory of 2552; pid 2068; Process 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe; procid_target 31 (9 entries)
  description: PID 2776 wrote to memory of 2760; pid 2776; Process azo.exe; procid_target 32 (6 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe"
  PID: 2068
  Signatures: Drops startup file; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\azo.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\azo.exe"
    PID: 2776
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\azo.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\azo.exe"
      PID: 2760
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    PID: 2552
    Signatures: Adds Run key to start application; Checks whether UAC is enabled; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
- MD5: 9ff456db9d73f0e2bf40b9dd88da80da
- SHA1: d95790dc876c3b092a1e94df2ac6da5ba2a60351
- SHA256: 68b5f994f6e7d486f31e6259f0088e8e95f5db4a86457d321c141d94bb72e6b0
- SHA512: a2ff739cb36de9c5bab32b0083f11ef5a1191e93cb21d4b9df8762c1baf8e0e9fb73f3be3eb5be8d74be576f3a6bde70002ceb4487b052a1b48e37ae0f2f2fb2