Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 04-05-2021 12:37
Static task: static1

Behavioral task: behavioral1
- Sample: FDEF96D4D036AE3DD5A1D87B6D04481D.exe
- Resource: win7v20210408 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: FDEF96D4D036AE3DD5A1D87B6D04481D.exe
- Resource: win10v20210410 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: FDEF96D4D036AE3DD5A1D87B6D04481D.exe
- Size: 112KB
- MD5: fdef96d4d036ae3dd5a1d87b6d04481d
- SHA1: cc8dc1dc65acacc01f262490b9f1952d07cf3124
- SHA256: c0741e25484d3ed9ab786a852564500602186b59638397ffbe37eab9182a7512
- SHA512: b242485aa77f736ba4ab789091f70d39ead8ab1326596e7233e8be2f1cd76a23ddf1d5f8ca91b069e339206e2dd65c846e4e9f52899aef72307d410634997165
- Score: 10/10
Malware Config
Signatures

- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.

- Program crash (1 IoC)
  Processes:
  | pid | pid_target | process      | target process                       |
  |-----|------------|--------------|--------------------------------------|
  | 640 | 1348       | WerFault.exe | FDEF96D4D036AE3DD5A1D87B6D04481D.exe |

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  | pid | process      |
  |-----|--------------|
  | 640 | WerFault.exe |
  | 640 | WerFault.exe |
  | 640 | WerFault.exe |
  | 640 | WerFault.exe |
  | 640 | WerFault.exe |

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  | pid | process      |
  |-----|--------------|
  | 640 | WerFault.exe |

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  | description              | pid | process      |
  |--------------------------|-----|--------------|
  | Token: SeDebugPrivilege  | 640 | WerFault.exe |

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  | description                        | pid  | process                              | target process |
  |------------------------------------|------|--------------------------------------|----------------|
  | PID 1348 wrote to memory of 640    | 1348 | FDEF96D4D036AE3DD5A1D87B6D04481D.exe | WerFault.exe   |
  | PID 1348 wrote to memory of 640    | 1348 | FDEF96D4D036AE3DD5A1D87B6D04481D.exe | WerFault.exe   |
  | PID 1348 wrote to memory of 640    | 1348 | FDEF96D4D036AE3DD5A1D87B6D04481D.exe | WerFault.exe   |
  | PID 1348 wrote to memory of 640    | 1348 | FDEF96D4D036AE3DD5A1D87B6D04481D.exe | WerFault.exe   |
Processes

- C:\Users\Admin\AppData\Local\Temp\FDEF96D4D036AE3DD5A1D87B6D04481D.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FDEF96D4D036AE3DD5A1D87B6D04481D.exe"
  PID: 1348
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WerFault.exe (child of PID 1348)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 732
    PID: 640
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken