Analysis
- max time kernel: 132s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 20-07-2021 14:11
- Static task: static1
- Behavioral task: behavioral1 (sample: 10d70826cad122454a101ba1e1ac4b2c.exe, resource: win7v20210408)
- Behavioral task: behavioral2 (sample: 10d70826cad122454a101ba1e1ac4b2c.exe, resource: win10v20210410)
General
- Target: 10d70826cad122454a101ba1e1ac4b2c.exe
- Size: 727KB
- MD5: 10d70826cad122454a101ba1e1ac4b2c
- SHA1: 075e43ba2303d7de9e695a122baa0af0646b81f5
- SHA256: c5db907c35fb4f5c61325e4c1ed3baadb8957f7d53f4a41d9388dcf19177d5f7
- SHA512: ca95792e7c0915e1bd18224ccf5114faf16028e28346af28771729a0ed6993f0ceb665657742e5609af021cdae9742bc15788ab93764d65bbffb49cbd7b85434
Malware Config
- Extracted family: azorult
- URL: http://136.144.41.23/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  Description                         PID  Process                                Target process
  PID 752 set thread context of 516   752  10d70826cad122454a101ba1e1ac4b2c.exe   10d70826cad122454a101ba1e1ac4b2c.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  PID  Process
  752  10d70826cad122454a101ba1e1ac4b2c.exe
  752  10d70826cad122454a101ba1e1ac4b2c.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  Description               PID  Process
  Token: SeDebugPrivilege   752  10d70826cad122454a101ba1e1ac4b2c.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  Description                        PID  Process                                Target process
  PID 752 wrote to memory of 516     752  10d70826cad122454a101ba1e1ac4b2c.exe   10d70826cad122454a101ba1e1ac4b2c.exe
  (the same entry is recorded 10 times)
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\10d70826cad122454a101ba1e1ac4b2c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\10d70826cad122454a101ba1e1ac4b2c.exe"
  Tree depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Path: C:\Users\Admin\AppData\Local\Temp\10d70826cad122454a101ba1e1ac4b2c.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\10d70826cad122454a101ba1e1ac4b2c.exe
    Tree depth: 2
Downloads
- memory/516-69-0x0000000000400000-0x0000000000420000-memory.dmp (filesize: 128KB)
- memory/516-70-0x000000000041A1F8-mapping.dmp
- memory/516-71-0x0000000000400000-0x0000000000420000-memory.dmp (filesize: 128KB)
- memory/516-72-0x0000000075451000-0x0000000075453000-memory.dmp (filesize: 8KB)
- memory/752-59-0x0000000000340000-0x0000000000341000-memory.dmp (filesize: 4KB)
- memory/752-61-0x0000000004C50000-0x0000000004C51000-memory.dmp (filesize: 4KB)
- memory/752-62-0x0000000000600000-0x0000000000644000-memory.dmp (filesize: 272KB)
- memory/752-67-0x0000000004EF0000-0x0000000004F49000-memory.dmp (filesize: 356KB)
- memory/752-68-0x0000000004C55000-0x0000000004C66000-memory.dmp (filesize: 68KB)