Analysis
-
max time kernel
90s -
max time network
136s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
28-07-2021 03:41
Static task
static1
Behavioral task
behavioral1
Sample
034.exe
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
034.exe
Resource
win10v20210410
windows10_x64
0 signatures
0 seconds
General
-
Target
034.exe
-
Size
391KB
-
MD5
2763355e57b326d3b984f0ac394f7ac6
-
SHA1
ceb54e6f4b044fe78e4acd5e2935831118d57baf
-
SHA256
dcbd6522b7ba8bfb856038cf4dcb24782cab61a9e3ce15bbf9afcdff9c6c4f4a
-
SHA512
6b402d5ee4ab1213ddd054f4478ff5cd81a01f75b9327fc8e3d09309cf42b811a998ae96ad0c3fe8ee8e2b9fce994f227ed3bdc74a1e7ae9658108061628e13a
Score
10/10
Malware Config
Extracted
Family
azorult
C2
https://www.nirjhara.com/mine/32/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M17
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
034.exedescription pid process target process PID 508 set thread context of 1776 508 034.exe 034.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3456 1776 WerFault.exe 034.exe -
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
WerFault.exepid process 3456 WerFault.exe 3456 WerFault.exe 3456 WerFault.exe 3456 WerFault.exe 3456 WerFault.exe 3456 WerFault.exe 3456 WerFault.exe 3456 WerFault.exe 3456 WerFault.exe 3456 WerFault.exe 3456 WerFault.exe 3456 WerFault.exe 3456 WerFault.exe 3456 WerFault.exe 3456 WerFault.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
034.exepid process 508 034.exe 508 034.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
034.exeWerFault.exedescription pid process Token: SeDebugPrivilege 508 034.exe Token: SeRestorePrivilege 3456 WerFault.exe Token: SeBackupPrivilege 3456 WerFault.exe Token: SeDebugPrivilege 3456 WerFault.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
034.exedescription pid process target process PID 508 wrote to memory of 1764 508 034.exe 034.exe PID 508 wrote to memory of 1764 508 034.exe 034.exe PID 508 wrote to memory of 1764 508 034.exe 034.exe PID 508 wrote to memory of 1776 508 034.exe 034.exe PID 508 wrote to memory of 1776 508 034.exe 034.exe PID 508 wrote to memory of 1776 508 034.exe 034.exe PID 508 wrote to memory of 1776 508 034.exe 034.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\034.exe"C:\Users\Admin\AppData\Local\Temp\034.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\034.exe"034.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\034.exe"034.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 16563⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/508-114-0x00000000008E0000-0x00000000008E1000-memory.dmpFilesize
4KB
-
memory/508-116-0x0000000002B10000-0x0000000002B35000-memory.dmpFilesize
148KB
-
memory/508-118-0x0000000002B90000-0x0000000002B93000-memory.dmpFilesize
12KB
-
memory/1776-117-0x000000000041A1F8-mapping.dmp
-
memory/1776-119-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB