Analysis
-
max time kernel
70s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
12/03/2025, 03:11
Static task
static1
Behavioral task
behavioral1
Sample
a56436df8a2fedd2624c035ab834db76f6ee24d636a9a72d5fa4c04f7b0daa54.exe
Resource
win7-20250207-en
Behavioral task
behavioral2
Sample
a56436df8a2fedd2624c035ab834db76f6ee24d636a9a72d5fa4c04f7b0daa54.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral3
Sample
Los107.ps1
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Los107.ps1
Resource
win10v2004-20250217-en
General
-
Target
a56436df8a2fedd2624c035ab834db76f6ee24d636a9a72d5fa4c04f7b0daa54.exe
-
Size
715KB
-
MD5
66ef84b6805972a29ec37b229201a9ca
-
SHA1
a0bd886bfd638ad32eaf0a024aa02249a06ee96f
-
SHA256
a56436df8a2fedd2624c035ab834db76f6ee24d636a9a72d5fa4c04f7b0daa54
-
SHA512
ecca6d0cc05d3fabb747a045ca3b6491db136ea1e3a6249b7324841ce118378001a6e6e3dc46ef57f2d7f8efc1f8392bd6fa49a9d08f76f352ed2c5997561834
-
SSDEEP
12288:2i6dsV0pMDI2RM5Sl96gUIfK/URUiPn98zC/2qvhHWUnHZW9dF/:cckemG96zIfmetn+hWBWU5WN/
Malware Config
Extracted
azorult
http://gd53.cfd/TL341/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 1496 powershell.exe -
Blocklisted process makes network request 4 IoCs
flow pid Process 34 3660 msiexec.exe 36 3660 msiexec.exe 38 3660 msiexec.exe 42 3660 msiexec.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 3660 msiexec.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 1496 powershell.exe 3660 msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a56436df8a2fedd2624c035ab834db76f6ee24d636a9a72d5fa4c04f7b0daa54.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 1496 powershell.exe 1496 powershell.exe 1496 powershell.exe 1496 powershell.exe 1496 powershell.exe 1496 powershell.exe 1496 powershell.exe 1496 powershell.exe 1496 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1496 powershell.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
description pid Process Token: SeDebugPrivilege 1496 powershell.exe Token: SeIncreaseQuotaPrivilege 1496 powershell.exe Token: SeSecurityPrivilege 1496 powershell.exe Token: SeTakeOwnershipPrivilege 1496 powershell.exe Token: SeLoadDriverPrivilege 1496 powershell.exe Token: SeSystemProfilePrivilege 1496 powershell.exe Token: SeSystemtimePrivilege 1496 powershell.exe Token: SeProfSingleProcessPrivilege 1496 powershell.exe Token: SeIncBasePriorityPrivilege 1496 powershell.exe Token: SeCreatePagefilePrivilege 1496 powershell.exe Token: SeBackupPrivilege 1496 powershell.exe Token: SeRestorePrivilege 1496 powershell.exe Token: SeShutdownPrivilege 1496 powershell.exe Token: SeDebugPrivilege 1496 powershell.exe Token: SeSystemEnvironmentPrivilege 1496 powershell.exe Token: SeRemoteShutdownPrivilege 1496 powershell.exe Token: SeUndockPrivilege 1496 powershell.exe Token: SeManageVolumePrivilege 1496 powershell.exe Token: 33 1496 powershell.exe Token: 34 1496 powershell.exe Token: 35 1496 powershell.exe Token: 36 1496 powershell.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2520 wrote to memory of 1496 2520 a56436df8a2fedd2624c035ab834db76f6ee24d636a9a72d5fa4c04f7b0daa54.exe 86 PID 2520 wrote to memory of 1496 2520 a56436df8a2fedd2624c035ab834db76f6ee24d636a9a72d5fa4c04f7b0daa54.exe 86 PID 2520 wrote to memory of 1496 2520 a56436df8a2fedd2624c035ab834db76f6ee24d636a9a72d5fa4c04f7b0daa54.exe 86 PID 1496 wrote to memory of 3660 1496 powershell.exe 96 PID 1496 wrote to memory of 3660 1496 powershell.exe 96 PID 1496 wrote to memory of 3660 1496 powershell.exe 96 PID 1496 wrote to memory of 3660 1496 powershell.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\a56436df8a2fedd2624c035ab834db76f6ee24d636a9a72d5fa4c04f7b0daa54.exe"C:\Users\Admin\AppData\Local\Temp\a56436df8a2fedd2624c035ab834db76f6ee24d636a9a72d5fa4c04f7b0daa54.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "$Mannopyranosyl=GC -Raw 'C:\Users\Admin\AppData\Local\resider\actinidiaceae\Los107.Raj';$Sled=$Mannopyranosyl.SubString(56926,3);.$Sled($Mannopyranosyl)"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"3⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:3660
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
347KB
MD5d83ccec51bbcaba0f88b67aa85ddf261
SHA10dfe7c131dc15260f4b437534b1f175071726c7c
SHA2569653a0947b897a846b2f955278b84325a5e3267ea9e8dee86496eddca468289b
SHA5125666cc7f05ff52daa1520682a9d8e5a8177c8ad658ac3edfecafe8150028fc45a5e6fcb1a6beb592f2a87ac146043c12b10f4599f540bb7d9a791143b1733831
-
Filesize
55KB
MD5fd68605dede5dff48ac0498675704de0
SHA1f1150379e8b26b01329c9af71dcaee0baf3ce819
SHA256b4bcc505d66a46af9185af84e5472ef5045cf4abfe722207076d34fbf6df40d7
SHA51236f1b2ed7cfe46141deef05cc236941363bd2ef54b3e627312f3f81d3217403a65ee4e1c94e6dce3edad99178e1263ab80f5d10b821bbf585ebdfd1b1400491f