Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-12-2024 12:33
Static task: static1
Behavioral task: behavioral1
  Sample: 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe
  Resource: win10v2004-20241007-en
General
Target: 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe
Size: 2.4MB
MD5: 66b8734bf63417e42501295ae9897c49
SHA1: 052e282d2d6fb1ef51594a01496421c1d5953d1e
SHA256: 10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff
SHA512: b351e270cbd07bc2e2ed2d1a247a19c215792671177ee3b78aaae4f2d3a5106002749c289ef4c75a17925edbf34da2dfe047b6c46565a8e7edbfd7cc420302aa
SSDEEP: 49152:bh+ZkldoPK8Ya8bh+ZkldoPK8YauAcfjCb:E2cPK8J2cPK8FAI
Malware Config
Extracted: nanocore
Version: 1.2.2.0
Connection hosts: asorock0011.ddns.net:3883, wcbradley.duckdns.org:3883
Mutex: 085f7dcc-185c-430c-8509-24ff72383d6e
activate_away_mode: true
backup_connection_host: wcbradley.duckdns.org
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2018-11-25T14:42:34.851485336Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 3883
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 085f7dcc-185c-430c-8509-24ff72383d6e
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: asorock0011.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Extracted: azorult
URL: http://fortillinco.com/raeymnbvcxz/index.php
Signatures
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Azorult family
Nanocore family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe)
Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msco.url (10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe)
Executes dropped EXE (2 IoCs)
PID 4940: azo.exe
PID 3140: azo.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Host = "C:\\Program Files (x86)\\ARP Host\\arphost.exe" (RegAsm.exe)
Checks whether UAC is enabled
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (RegAsm.exe)
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
YARA rule autoit_exe matched: behavioral2/files/0x0008000000023cb9-4.dat
Suspicious use of SetThreadContext (2 IoCs)
PID 5004 set thread context of 1600 (10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe, procid_target 86)
PID 4940 set thread context of 3140 (azo.exe, procid_target 87)
Drops file in Program Files directory (2 IoCs)
File opened for modification: C:\Program Files (x86)\ARP Host\arphost.exe (RegAsm.exe)
File created: C:\Program Files (x86)\ARP Host\arphost.exe (RegAsm.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (azo.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RegAsm.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (azo.exe)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
PID 1600: RegAsm.exe
PID 1600: RegAsm.exe
PID 1600: RegAsm.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 1600: RegAsm.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, PID 1600 (RegAsm.exe)
Suspicious use of WriteProcessMemory (13 IoCs)
PID 5004 wrote to memory of 4940 (10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe, procid_target 84)
PID 5004 wrote to memory of 4940 (10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe, procid_target 84)
PID 5004 wrote to memory of 4940 (10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe, procid_target 84)
PID 5004 wrote to memory of 1600 (10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe, procid_target 86)
PID 5004 wrote to memory of 1600 (10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe, procid_target 86)
PID 5004 wrote to memory of 1600 (10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe, procid_target 86)
PID 5004 wrote to memory of 1600 (10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe, procid_target 86)
PID 5004 wrote to memory of 1600 (10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe, procid_target 86)
PID 4940 wrote to memory of 3140 (azo.exe, procid_target 87)
PID 4940 wrote to memory of 3140 (azo.exe, procid_target 87)
PID 4940 wrote to memory of 3140 (azo.exe, procid_target 87)
PID 4940 wrote to memory of 3140 (azo.exe, procid_target 87)
PID 4940 wrote to memory of 3140 (azo.exe, procid_target 87)
Processes
1. "C:\Users\Admin\AppData\Local\Temp\10c5d885e75da4ac61c900f1d648c5ea66a6d82c8d9430e635918fbd7d9836ff.exe"
   PID: 5004
   - Checks computer location settings
   - Drops startup file
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\AppData\Local\Temp\azo.exe"
      PID: 4940
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. "C:\Users\Admin\AppData\Local\Temp\azo.exe"
         PID: 3140
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
   2. "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID: 1600
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.1MB
MD5: 9ff456db9d73f0e2bf40b9dd88da80da
SHA1: d95790dc876c3b092a1e94df2ac6da5ba2a60351
SHA256: 68b5f994f6e7d486f31e6259f0088e8e95f5db4a86457d321c141d94bb72e6b0
SHA512: a2ff739cb36de9c5bab32b0083f11ef5a1191e93cb21d4b9df8762c1baf8e0e9fb73f3be3eb5be8d74be576f3a6bde70002ceb4487b052a1b48e37ae0f2f2fb2