Analysis
max time kernel: 35s
max time network: 111s
platform: windows10_x64
resource: win10v20210410
submitted: 04-05-2021 18:03
Static task: static1
Behavioral task: behavioral1
  Sample: c0741e25484d3ed9ab786a852564500602186b59638397ffbe37eab9182a7512.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: c0741e25484d3ed9ab786a852564500602186b59638397ffbe37eab9182a7512.exe
  Resource: win10v20210410
General
Target: c0741e25484d3ed9ab786a852564500602186b59638397ffbe37eab9182a7512.exe
Size: 112KB
MD5: fdef96d4d036ae3dd5a1d87b6d04481d
SHA1: cc8dc1dc65acacc01f262490b9f1952d07cf3124
SHA256: c0741e25484d3ed9ab786a852564500602186b59638397ffbe37eab9182a7512
SHA512: b242485aa77f736ba4ab789091f70d39ead8ab1326596e7233e8be2f1cd76a23ddf1d5f8ca91b069e339206e2dd65c846e4e9f52899aef72307d410634997165
Malware Config
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  2676  3944        WerFault.exe  c0741e25484d3ed9ab786a852564500602186b59638397ffbe37eab9182a7512.exe

Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes:
  pid   process
  2676  WerFault.exe  (the same entry is listed 15 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                 pid   process
  Token: SeRestorePrivilege   2676  WerFault.exe
  Token: SeBackupPrivilege    2676  WerFault.exe
  Token: SeDebugPrivilege     2676  WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\c0741e25484d3ed9ab786a852564500602186b59638397ffbe37eab9182a7512.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c0741e25484d3ed9ab786a852564500602186b59638397ffbe37eab9182a7512.exe"
  PID: 3944
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 1236
    Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    PID: 2676