Analysis
- max time kernel: 67s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 18-12-2020 07:34
Static task: static1
Behavioral task: behavioral1 (Sample: 211d05482c1fd312825c60c66efc9422.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: 211d05482c1fd312825c60c66efc9422.exe, Resource: win10v20201028)
General
- Target: 211d05482c1fd312825c60c66efc9422.exe
- Size: 583KB
- MD5: 211d05482c1fd312825c60c66efc9422
- SHA1: 97bebe8dc282978e45a10c7fc2b4d3c557fa9208
- SHA256: c63d4581dbe839bdb9865bcb6033e9e0ef459d1c5406e9f4fd3a05f48b46d0f1
- SHA512: 4b839ab094bc55153dbe3bd62516c389ed50942f2c18a44870e12a0f5e6eb793a0b47e63739c6c2fae854e45a9ef7130557bed367696798cc1737ad9fcf16a69
Malware Config
- Extracted: azorult
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Suspicious use of SetThreadContext (1 IoC)
  description                        | pid | process                              | target process
  PID 508 set thread context of 3064 | 508 | 211d05482c1fd312825c60c66efc9422.exe | mscorsvw.exe
- Program crash (1 IoC)
  pid  | pid_target | process      | target process
  2068 | 3064       | WerFault.exe | mscorsvw.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid  | process
  2068 | WerFault.exe   (14 identical rows)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description               | pid  | process
  Token: SeDebugPrivilege   | 508  | 211d05482c1fd312825c60c66efc9422.exe
  Token: SeRestorePrivilege | 2068 | WerFault.exe
  Token: SeBackupPrivilege  | 2068 | WerFault.exe
  Token: SeDebugPrivilege   | 2068 | WerFault.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                     | pid | process                              | target process
  PID 508 wrote to memory of 3064 | 508 | 211d05482c1fd312825c60c66efc9422.exe | mscorsvw.exe   (9 identical rows)
Processes (indentation shows parent/child; PIDs taken from the signature tables)
1. C:\Users\Admin\AppData\Local\Temp\211d05482c1fd312825c60c66efc9422.exe (PID 508)
   command line: "C:\Users\Admin\AppData\Local\Temp\211d05482c1fd312825c60c66efc9422.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 3064)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
      3. C:\Windows\SysWOW64\WerFault.exe (PID 2068)
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 332
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
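The signature tables and the process tree together describe one sequence: the sample (PID 508, running from the user's Temp directory with SeDebugPrivilege enabled) launches the Microsoft .NET binary mscorsvw.exe (PID 3064), writes into that child's memory nine times, replaces its thread context, and the child then crashes under WerFault (PID 2068, invoked with -p 3064). Write-into-child followed by SetThreadContext on the same child is the classic process-injection shape. The following Python is an added example, not output of the sandbox or code from the report: it transcribes the events above into a small list (constructed by hand, counts and PIDs as shown on the page) and applies that rule to them. The names Event, Finding and find_injections are chosen for this example.

```python
"""Injection-chain check over the events in the signature tables above.

Added example, not output of the sandbox. The event list is transcribed by
hand from the report (counts and PIDs as shown there); Event, Finding and
find_injections are names chosen for this example.

Rule: a process that both writes into another process's memory
(WriteProcessMemory) and replaces that process's thread context
(SetThreadContext) is reported as a probable injection. A target image under
C:\\Windows raises the severity, since a trusted binary is being repurposed;
a later WerFault for the same target PID is recorded as the injected code
crashing.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\211d05482c1fd312825c60c66efc9422.exe"
MSCORSVW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"


@dataclass(frozen=True)
class Event:
    kind: str                      # write_memory | set_thread_context | crash | privilege
    pid: int                       # acting process
    image: str
    target_pid: Optional[int] = None
    target_image: Optional[str] = None
    detail: str = ""


# Constructed from the report: 9 WriteProcessMemory rows, 1 SetThreadContext
# row, 1 WerFault crash row and the 4 AdjustPrivilegeToken rows.
REPORT_EVENTS = (
    [Event("write_memory", 508, SAMPLE, 3064, MSCORSVW)] * 9
    + [Event("set_thread_context", 508, SAMPLE, 3064, MSCORSVW)]
    + [Event("crash", 2068, WERFAULT, 3064, MSCORSVW, "-u -p 3064 -s 332")]
    + [
        Event("privilege", 508, SAMPLE, detail="SeDebugPrivilege"),
        Event("privilege", 2068, WERFAULT, detail="SeRestorePrivilege"),
        Event("privilege", 2068, WERFAULT, detail="SeBackupPrivilege"),
        Event("privilege", 2068, WERFAULT, detail="SeDebugPrivilege"),
    ]
)


@dataclass
class Finding:
    injector_pid: int
    injector_image: str
    target_pid: int
    target_image: str
    writes: int
    thread_context_sets: int
    injector_privileges: list = field(default_factory=list)
    target_crashed: bool = False
    crash_reporter_pid: Optional[int] = None
    severity: str = "medium"


def find_injections(events):
    """Return one Finding per (injector, target) pair that shows both
    cross-process writes and a SetThreadContext on the same target."""
    writes = defaultdict(int)
    ctx_sets = defaultdict(int)
    images = {}
    privileges = defaultdict(list)
    crashes = {}                   # crashed pid -> WerFault pid
    for e in events:
        if e.kind in ("write_memory", "set_thread_context"):
            if e.target_pid is None or e.target_pid == e.pid:
                continue           # a process touching its own memory is normal
            key = (e.pid, e.target_pid)
            images[key] = (e.image, e.target_image)
            (writes if e.kind == "write_memory" else ctx_sets)[key] += 1
        elif e.kind == "crash":
            crashes[e.target_pid] = e.pid
        elif e.kind == "privilege":
            privileges[e.pid].append(e.detail)

    findings = []
    for key in sorted(set(writes) & set(ctx_sets)):
        injector, target = key
        inj_image, tgt_image = images[key]
        f = Finding(injector, inj_image, target, tgt_image, writes[key], ctx_sets[key])
        f.injector_privileges = list(dict.fromkeys(privileges[injector]))
        if target in crashes:
            f.target_crashed = True
            f.crash_reporter_pid = crashes[target]
        # A Microsoft binary under C:\Windows started by an executable in a
        # temp directory and then rewritten from outside is the hollowing shape.
        if tgt_image.lower().startswith("c:\\windows\\"):
            f.severity = "high"
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in find_injections(REPORT_EVENTS):
        print(f"[{f.severity}] {f.injector_pid} -> {f.target_pid} ({f.target_image}): "
              f"{f.writes} writes, {f.thread_context_sets} SetThreadContext, "
              f"crashed={f.target_crashed} via WerFault pid {f.crash_reporter_pid}")
```

The same rule applies unchanged to Sysmon or EDR telemetry that exposes cross-process write and thread-context events; the crash correlation is worth keeping, because an injected payload that faults in its host (as mscorsvw.exe does here) leaves a WerFault invocation naming the hollowed PID even when the injection events themselves were not logged.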
Network
MITRE ATT&CK Matrix
Downloads (memory dumps)
- memory/508-2-0x0000000073940000-0x000000007402E000-memory.dmp  Filesize 6.9MB
- memory/508-3-0x00000000007A0000-0x00000000007A1000-memory.dmp  Filesize 4KB
- memory/508-5-0x00000000050A0000-0x00000000050A1000-memory.dmp  Filesize 4KB
- memory/508-6-0x0000000004F90000-0x0000000004FA7000-memory.dmp  Filesize 92KB
- memory/508-7-0x0000000004FC0000-0x0000000004FDF000-memory.dmp  Filesize 124KB
- memory/508-8-0x0000000007D80000-0x0000000007D81000-memory.dmp  Filesize 4KB
- memory/508-9-0x0000000007970000-0x0000000007971000-memory.dmp  Filesize 4KB
- memory/508-10-0x0000000007950000-0x000000000795A000-memory.dmp  Filesize 40KB
- memory/508-11-0x0000000007B80000-0x0000000007B81000-memory.dmp  Filesize 4KB
- memory/2068-16-0x00000000046F0000-0x00000000046F1000-memory.dmp  Filesize 4KB
- memory/3064-13-0x000000000041A684-mapping.dmp
- memory/3064-14-0x0000000000700000-0x0000000000720000-memory.dmp  Filesize 128KB
- memory/3064-15-0x0000000000700000-0x0000000000720000-memory.dmp  Filesize 128KB
- memory/3064-17-0x000000000041A684-mapping.dmp
- memory/3064-18-0x000000000041A684-mapping.dmp
- memory/3064-19-0x000000000041A684-mapping.dmp