Analysis
- max time kernel: 117s
- max time network: 140s
- platform: windows10_x64
- resource: win10v200430
- submitted: 22-05-2020 12:09
Static task: static1
Behavioral task: behavioral1
  Sample: f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21.exe
  Resource: win10v200430
General
- Target: f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21.exe
- Size: 259KB
- MD5: b55f731add11aec9c9b00fe42d8f0f53
- SHA1: 7114fbda0e1ce247dd227e3d54d22fa809a0c5ee
- SHA256: f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21
- SHA512: f9291667b8c1ae07e9993cee4269e19765b1c506a2c24411459f60f65da7c513b383cc328345961e8350642cebf0448d85ee93a2594607dd0ee866c39e2d7cb9
Malware Config
- Extracted: azorult
  http://195.245.112.115/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    3680  cbxncdb.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          pid   process                                                                  target process
    PID 2016 set thread context of 2316  2016  f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21.exe  f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21.exe
- Program crash (1 IoCs)
  Processes:
    pid   pid_target  process       target process
    3664  3680        WerFault.exe  cbxncdb.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes:
    pid   process
    3664  WerFault.exe  (13 identical events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description               pid   process
    Token: SeRestorePrivilege  3664  WerFault.exe
    Token: SeBackupPrivilege   3664  WerFault.exe
    Token: SeDebugPrivilege    3664  WerFault.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process                                                                  target process
    PID 2016 wrote to memory of 3680   2016  f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21.exe  cbxncdb.exe  (3 identical events)
    PID 2016 wrote to memory of 2316   2016  f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21.exe  f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21.exe  (9 identical events)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21.exe
  command: "C:\Users\Admin\AppData\Local\Temp\f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\cbxncdb.exe
    command: "C:\Users\Admin\AppData\Local\Temp\cbxncdb.exe"
    - Executes dropped EXE
    - [3] C:\Windows\SysWOW64\WerFault.exe
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 1104
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Local\Temp\f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21.exe
    command: "{path}"
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\cbxncdb.exe
  MD5: 598216c1f4df42b96265e40d826a029b
  SHA1: 5299280a7093ece1ce4cc8bd9dbbd57115cf93a2
  SHA256: 74bd0a0f99f46bfc7106edc3f4d360d9c0bdcba209cbedb685f2131c9482cc3b
  SHA512: ea4d008e55c16157e1374b03d142ddb34fe219114f42c6f49fb0f9b0a7c9e0abe5be0e97162a2fe820ec7b7d3a8daa4acdf2324df44445d1190e23da1a0d59b2
- memory/2316-2-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/2316-3-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
- memory/3664-4-0x0000000004770000-0x0000000004771000-memory.dmp
  Filesize: 4KB
- memory/3664-5-0x0000000004770000-0x0000000004771000-memory.dmp
  Filesize: 4KB
- memory/3664-7-0x0000000004870000-0x0000000004871000-memory.dmp
  Filesize: 4KB