Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 23-12-2024 12:33
Static task: static1
Behavioral task: behavioral1
- Sample: 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe
- Resource: win10v2004-20241007-en
General
- Target: 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe
- Size: 2.4MB
- MD5: 66b8734bf63417e42501295ae9897c49
- SHA1: 052e282d2d6fb1ef51594a01496421c1d5953d1e
- SHA256: 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff
- SHA512: b351e270cbd07bc2e2ed2d1a247a19c215792671177ee3b78aaae4f2d3a5106002749c289ef4c75a17925edbf34da2dfe047b6c46565a8e7edbfd7cc420302aa
- SSDEEP: 49152:bh+ZkldoPK8Ya8bh+ZkldoPK8YauAcfjCb:E2cPK8J2cPK8FAI
Malware Config
Extracted: nanocore
- version: 1.2.2.0
- C2: asorock0011.ddns.net:3883
- C2: wcbradley.duckdns.org:3883
- mutex: 085f7dcc-185c-430c-8509-24ff72383d6e
- activate_away_mode: true
- backup_connection_host: wcbradley.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2018-11-25T14:42:34.851485336Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3883
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 085f7dcc-185c-430c-8509-24ff72383d6e
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: asorock0011.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Extracted: azorult
- C2: http://fortillinco.com/raeymnbvcxz/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Azorult family
- Nanocore family
- Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msco.url | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  2080 | azo.exe
  2684 | azo.exe
- Loads dropped DLL (5 IoCs)
  pid | Process
  1644 | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe
  1644 | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe
  1644 | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe
  1644 | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe
  2080 | azo.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Service = "C:\\Program Files (x86)\\WPA Service\\wpasv.exe" | RegAsm.exe
- Checks whether UAC is enabled (1 IoC)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegAsm.exe
- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/files/0x000d000000012263-2.dat | autoit_exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 1644 set thread context of 2876 | 1644 | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe | 31
  PID 2080 set thread context of 2684 | 2080 | azo.exe | 32
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\WPA Service\wpasv.exe | RegAsm.exe
  File opened for modification | C:\Program Files (x86)\WPA Service\wpasv.exe | RegAsm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | azo.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | azo.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  2876 | RegAsm.exe
  2876 | RegAsm.exe
  2876 | RegAsm.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2876 | RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2876 | RegAsm.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target
  PID 1644 wrote to memory of 2080 | 1644 | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe | 30
  PID 1644 wrote to memory of 2080 | 1644 | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe | 30
  PID 1644 wrote to memory of 2080 | 1644 | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe | 30
  PID 1644 wrote to memory of 2080 | 1644 | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe | 30
  PID 1644 wrote to memory of 2876 | 1644 | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe | 31
  PID 1644 wrote to memory of 2876 | 1644 | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe | 31
  PID 1644 wrote to memory of 2876 | 1644 | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe | 31
  PID 1644 wrote to memory of 2876 | 1644 | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe | 31
  PID 1644 wrote to memory of 2876 | 1644 | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe | 31
  PID 1644 wrote to memory of 2876 | 1644 | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe | 31
  PID 1644 wrote to memory of 2876 | 1644 | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe | 31
  PID 1644 wrote to memory of 2876 | 1644 | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe | 31
  PID 1644 wrote to memory of 2876 | 1644 | 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe | 31
  PID 2080 wrote to memory of 2684 | 2080 | azo.exe | 32
  PID 2080 wrote to memory of 2684 | 2080 | azo.exe | 32
  PID 2080 wrote to memory of 2684 | 2080 | azo.exe | 32
  PID 2080 wrote to memory of 2684 | 2080 | azo.exe | 32
  PID 2080 wrote to memory of 2684 | 2080 | azo.exe | 32
  PID 2080 wrote to memory of 2684 | 2080 | azo.exe | 32
Processes
1. C:\Users\Admin\AppData\Local\Temp\10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe (PID 1644)
   Command line: "C:\Users\Admin\AppData\Local\Temp\10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe"
   - Drops startup file
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\azo.exe (PID 2080)
      Command line: "C:\Users\Admin\AppData\Local\Temp\azo.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\azo.exe (PID 2684)
         Command line: "C:\Users\Admin\AppData\Local\Temp\azo.exe"
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 2876)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
- MD5: 9ff456db9d73f0e2bf40b9dd88da80da
- SHA1: d95790dc876c3b092a1e94df2ac6da5ba2a60351
- SHA256: 68b5f994f6e7d486f31e6259f0088e8e95f5db4a86457d321c141d94bb72e6b0
- SHA512: a2ff739cb36de9c5bab32b0083f11ef5a1191e93cb21d4b9df8762c1baf8e0e9fb73f3be3eb5be8d74be576f3a6bde70002ceb4487b052a1b48e37ae0f2f2fb2