Analysis
max time kernel: 44s
max time network: 46s
platform: windows10_x64
resource: win10v200430
submitted: 31-05-2020 03:24

Static task: static1
Behavioral task: behavioral1
Sample: 612.exe
Resource: win10v200430
Platform: windows10_x64
0 signatures, 0 seconds
General
Target: 612.exe
Size: 279KB
MD5: dcef7c1512ca4b9e9dd586e18f60529b
SHA1: 37b3b93f24e1cb3dcac4f4fdce74bc6619d20d01
SHA256: eff1a51a16f9f22b0ad57e514fe337947eb9652117eaed82cca19998e49534e3
SHA512: 03585583d0c550644bb699f76621f0c6809668b098249959d51a763418bf1b1e1279418272aff0e365b77bac86cc641f4e5965a7d6d97ce7abd26d33d1f782c8
Score: 10/10
Malware Config
Extracted
Family: azorult
C2: http://bores.xyz/PL341/index.php
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Suspicious use of SetThreadContext (1 IoC)
Processes: 612.exe
  description                           pid   process  target process
  PID 1300 set thread context of 2888   1300  612.exe  612.exe

Program crash (1 IoC)
Processes: WerFault.exe
  pid   pid_target  process       target process
  3960  2888        WerFault.exe  612.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes: WerFault.exe
  pid   process
  3960  WerFault.exe  (13 identical entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: 612.exe, WerFault.exe
  description                pid   process
  Token: SeDebugPrivilege    1300  612.exe
  Token: SeRestorePrivilege  3960  WerFault.exe
  Token: SeBackupPrivilege   3960  WerFault.exe
  Token: SeDebugPrivilege    3960  WerFault.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 612.exe
  description                        pid   process  target process
  PID 1300 wrote to memory of 2888   1300  612.exe  612.exe  (9 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\612.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\612.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\612.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\612.exe"
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1196
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/2888-2-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
memory/2888-3-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
memory/3960-4-0x0000000004D30000-0x0000000004D31000-memory.dmp  Filesize: 4KB
memory/3960-5-0x0000000005360000-0x0000000005361000-memory.dmp  Filesize: 4KB