Technical Analysis of AZORult Malware on ANY.RUN’s Cybersecurity Blog

AZORult is a sophisticated credential and payment card stealer that also acts as a downloader for other malware, with evolution from Delphi to C++ and added .bit domain support. The analysis highlights its evasion, persistence, and multi-domain/IP activity observed in ANY.RUN sandbox sessions, including its interactions with Ramnit and Chthonic. Hashtags: #AZORult #Ramnit #Chthonic #ANYRUN #Delphi #CPlusPlus #BitDomains

Keypoints

  • AZORult steals credentials and payment card data and can function as a downloader for other malware families.
  • Its evolution includes a Delphi origin, a C++ rewrite, and now support for .bit domains (version 2).
  • It employs evasion techniques such as anti-debugging, registry manipulation, and environment-based checks to complicate detection.
  • The malware communicates with multiple IP addresses and a domain, indicating broad network reach and potential for wide damage.
  • It relies on Windows API calls (e.g., SHGetFolderPathW, GetTempPathW, GetProcAddress, LoadLibraryA) to obtain resources, persist, and load functionality.
  • AZORult has been observed operating alongside Chthonic and deployed by Ramnit; analysis was conducted via ANY.RUN sandbox.
  • The ANY.RUN analysis reveals detailed behaviors, including payload deployment, registry activity, and dynamic code loading.

MITRE Techniques

  • [T1059.001] PowerShell – The malware uses a hidden PowerShell command to run a script: "powershell.exe" -windowstyle hidden "$Nummmeret=Get-Content 'C:\Users\admin\AppData\Local\Temp\forgrovelsekonstituerendesPrintermanualens.Ear';$Trojanerens=$Nummmeret.SubString(42833,3);.$Trojanerens($Nummmeret) ". The one-liner reads a dropped file from the user's Temp folder, carves a three-character command name out of it at offset 42833, and dot-invokes that command with the file contents as its argument.
  • [T1059] Command and Scripting Interpreter – The sample relies on scripting/command execution flow (PowerShell usage shown above).
  • [T1106] Native API – It uses LoadLibraryA and GetProcAddress to resolve the APIs it needs at runtime.
  • [T1112] Modify Registry – The malware queries, deletes, and modifies some registry keys and uses registry-based persistence.
  • [T1547] Boot or Logon Autostart Execution – Persistence via registry-related autostart mechanisms.
  • [T1574] Hijack Execution Flow – The code shows attempts to alter execution flow, including DLL side-loading strategies.
  • [T1574.002] DLL Side-Loading – The malware leverages DLL loading techniques to gain execution or capabilities.
  • [T1055] Process Injection – The sample’s behavior includes process-level manipulation to inject or influence other processes.
  • [T1070] Indicator Removal – The malware includes steps to cover its tracks and reduce artifact visibility.
  • [T1070.006] Timestomp – Time-stamping techniques to obscure timeline evidence.
  • [T1027] Obfuscated Files or Information – Obfuscation/packing techniques are used to hinder analysis.
  • [T1027.002] Software Packing – The sample employs packing methods as part of defense evasion.
  • [T1027.009] Embedded Payloads – Payloads are embedded within the sample to complicate analysis.
  • [T1036] Masquerading – The malware uses masquerading techniques to blend with legitimate artifacts.
  • [T1552] Credentials in Registry – Sensitive credentials may be located/read from registry locations.
  • [T1003] OS Credential Dumping – Credential token operations and elevation-related actions are observed.
  • [T1010] Application Window Discovery – Discovery of application windows as part of environment reconnaissance.
  • [T1012] Query Registry – Registry queries are used to glean system/config information.
  • [T1018] Remote System Discovery – The malware enumerates or interacts with remote systems as part of its spread.
  • [T1057] Process Discovery – The malware checks running processes to understand the system state.
  • [T1082] System Information Discovery – System information gathering is performed to tailor actions.
  • [T1083] File and Directory Discovery – The malware locates relevant files/directories for operation.
  • [T1518] Software Discovery – Identification of software on the host to adapt behavior.
  • [T1518.001] Security Software Discovery – Detection of security software to avoid analysis/detection.
  • [T1071] Application Layer Protocol – Network communication uses application-layer protocols for C2 or data exfiltration.
  • [T1095] Non-Application Layer Protocol – Uses non-application-layer protocols for covert traffic.
  • [T1573] Encrypted Channel – Some communications may be encrypted to evade network monitoring.
  • [T1529] System Shutdown/Reboot – The malware can trigger or exploit shutdown/restart scenarios for persistence or impact.

Indicators of Compromise

  • [MD5 Hash] 0824428fdccf3c63fc1ca19a1dd7ef74 – MD5 hash of the payload/sample referenced in the analysis.
  • [Domain] ehzwq.shop – DNS request observed by AZORult during activity.
  • [Domain] r10.o.lencr.org – DNS request observed by AZORult during activity.
  • [Domain] t-ring-fdv2.msedge.net – DNS request observed by AZORult during activity.
  • [IP Address] 108.167.181.251 – One of the observed outbound connections.
  • [IP Address] 20.166.126.56 – Another observed outbound connection.
  • [IP Address] 52.168.117.175 – Another observed outbound connection.
  • [IP Address] 20.223.35.26 – Another observed outbound connection.
  • [Hash] 90a82defe606e51d2826265a43737130682b738241700782d7e41188475b7fb7 – Sample hash noted in the analysis.
  • [File Name] Declinometer235.exe – Main AZORult payload dropped by the sample.
  • [Registry Key] HKEY_CURRENT_USER\Control Panel\Desktop\ResourceLocale – Registry key the sample queries.
  • [Certificate] Certificate issued by Pretermit Brunbejdsedes – Digital certificate associated with the sample.

Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/azorult-malware-analysis/