Analysis
-
max time kernel
90s -
max time network
136s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
28-07-2021 03:41
General
-
Target
034.exe
-
Size
391KB
-
MD5
2763355e57b326d3b984f0ac394f7ac6
-
SHA1
ceb54e6f4b044fe78e4acd5e2935831118d57baf
-
SHA256
dcbd6522b7ba8bfb856038cf4dcb24782cab61a9e3ce15bbf9afcdff9c6c4f4a
-
SHA512
6b402d5ee4ab1213ddd054f4478ff5cd81a01f75b9327fc8e3d09309cf42b811a998ae96ad0c3fe8ee8e2b9fce994f227ed3bdc74a1e7ae9658108061628e13a
Score
10/10
Malware Config
Extracted
Family
azorult
C2
https://www.nirjhara.com/mine/32/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M17
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\034.exe"C:\Users\Admin\AppData\Local\Temp\034.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\034.exe"034.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\034.exe"034.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 16563⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/508-114-0x00000000008E0000-0x00000000008E1000-memory.dmpFilesize
4KB
-
memory/508-116-0x0000000002B10000-0x0000000002B35000-memory.dmpFilesize
148KB
-
memory/508-118-0x0000000002B90000-0x0000000002B93000-memory.dmpFilesize
12KB
-
memory/1776-117-0x000000000041A1F8-mapping.dmp
-
memory/1776-119-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB