Analysis
- max time kernel: 78s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 18:53

Static task: static1

Behavioral task: behavioral1
- Sample: Proforma Invoice scan copy.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: Proforma Invoice scan copy.exe
- Resource: win10v2004-20220414-en
General
- Target: Proforma Invoice scan copy.exe
- Size: 391KB
- MD5: 2763355e57b326d3b984f0ac394f7ac6
- SHA1: ceb54e6f4b044fe78e4acd5e2935831118d57baf
- SHA256: dcbd6522b7ba8bfb856038cf4dcb24782cab61a9e3ce15bbf9afcdff9c6c4f4a
- SHA512: 6b402d5ee4ab1213ddd054f4478ff5cd81a01f75b9327fc8e3d09309cf42b811a998ae96ad0c3fe8ee8e2b9fce994f227ed3bdc74a1e7ae9658108061628e13a
Malware Config
- Extracted: azorult
  https://www.nirjhara.com/mine/32/index.php
Signatures
- Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- suricata: ET MALWARE AZORult Variant.4 Checkin M2
- suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M13
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 4044 set thread context of 3420
    pid: 4044
    process: Proforma Invoice scan copy.exe
    target process: Proforma Invoice scan copy.exe
- Program crash (1 IoC)
  Processes:
    pid: 4464
    pid_target: 3420
    process: WerFault.exe
    target process: Proforma Invoice scan copy.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid: 4044
    process: Proforma Invoice scan copy.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege
    pid: 4044
    process: Proforma Invoice scan copy.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (4 identical entries):
    description: PID 4044 wrote to memory of 3420
    pid: 4044
    process: Proforma Invoice scan copy.exe
    target process: Proforma Invoice scan copy.exe
Processes (process tree; depth given in parentheses)
- "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice scan copy.exe" (depth 1)
  path: C:\Users\Admin\AppData\Local\Temp\Proforma Invoice scan copy.exe
  signatures:
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - "Proforma Invoice scan copy.exe" (depth 2, child of the above)
    path: C:\Users\Admin\AppData\Local\Temp\Proforma Invoice scan copy.exe
    - C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 1192 (depth 3)
      path: C:\Windows\SysWOW64\WerFault.exe
      signatures:
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3420 -ip 3420 (depth 1)
  path: C:\Windows\SysWOW64\WerFault.exe
Downloads
- memory/3420-132-0x0000000000000000-mapping.dmp
- memory/3420-133-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
- memory/4044-130-0x0000000000070000-0x00000000000D8000-memory.dmp (Filesize 416KB)
- memory/4044-131-0x0000000004AF0000-0x0000000004AF3000-memory.dmp (Filesize 12KB)