Analysis

Max time kernel: 104s
Max time network: 99s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 21-05-2022 19:47

Static task: static1
Behavioral task: behavioral1
  Sample: ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe
  Resource: win10v2004-20220414-en
General

Target: ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe
Size: 405KB
MD5: e7993154a6aaf11628634216d9228ab6
SHA1: eaa844a817fd4dde1ba6c4138dfa4966f7937fd7
SHA256: ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899
SHA512: c1c9f91292996b997545c62083895e97693c6d46f32220c63e37984e2e725dc9cd276d0bff4a71b2a5b6adeb06520ac33e6c2d231c23a1573fd2e2931a88ef27
Malware Config

Extracted family: azorult
C2 (panel URL): http://46.183.223.118/chido/Panel/index.php
Signatures

Azorult
An information stealer first seen in 2016; it targets browser history and saved passwords.

Executes dropped EXE (1 IoC)
  svchost.exe (PID 2004)

Loads dropped DLL (1 IoC)
  ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe (PID 1376, the sample)

Suspicious use of SetThreadContext (1 IoC)
  PID 1376 (the sample) set the thread context of PID 2004 (svchost.exe)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 1376 (the sample), 4 events

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1376 (the sample) enabled SeDebugPrivilege

Suspicious use of WriteProcessMemory (10 IoCs)
  PID 1376 (the sample) wrote to the memory of PID 2004 (svchost.exe), 10 events

Read together, these IoCs are the process-hollowing pattern: the sample drops a binary named svchost.exe into its own %TEMP% directory, starts it, writes into the child ten times, then redirects the child's thread with SetThreadContext so the injected Azorult image runs under a system-binary name. The svchost.exe here is not the Windows one; it runs from %TEMP%, not from System32.
Processes

1. C:\Users\Admin\AppData\Local\Temp\ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe (PID 1376)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 2004, child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Temp\svchost.exe (also listed as \Users\Admin\AppData\Local\Temp\svchost.exe; same file, same hashes)
  Filesize: 20KB
  MD5: 54a47f6b5e09a77e61649109c6a08866
  SHA1: 4af001b3c3816b860660cf2de2c0fd3c1dfb4878
  SHA256: 121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
  SHA512: 88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419
Memory dumps, PID 1376 (the sample):
  memory/1376-54-0x0000000000220000-0x000000000028C000-memory.dmp  432KB
  memory/1376-55-0x0000000000540000-0x0000000000570000-memory.dmp  192KB
  memory/1376-56-0x0000000075361000-0x0000000075363000-memory.dmp  8KB
  memory/1376-57-0x0000000000400000-0x000000000041A000-memory.dmp  104KB
  memory/1376-58-0x0000000000810000-0x0000000000816000-memory.dmp  24KB

Memory dumps, PID 2004 (dropped svchost.exe):
  memory/2004-60-0x0000000000400000-0x0000000000420000-memory.dmp  128KB
  memory/2004-61-0x0000000000400000-0x0000000000420000-memory.dmp  128KB
  memory/2004-63-0x0000000000400000-0x0000000000420000-memory.dmp  128KB
  memory/2004-64-0x0000000000400000-0x0000000000420000-memory.dmp  128KB
  memory/2004-65-0x0000000000400000-0x0000000000420000-memory.dmp  128KB
  memory/2004-67-0x0000000000400000-0x0000000000420000-memory.dmp  128KB
  memory/2004-68-0x000000000041A1F8-mapping.dmp
  memory/2004-71-0x0000000000400000-0x0000000000420000-memory.dmp  128KB
  memory/2004-73-0x0000000000400000-0x0000000000420000-memory.dmp  128KB

The eight dumps of PID 2004 all cover the same 128KB region at image base 0x00400000, taken at successive points in the trace; the mapping address 0x0041A1F8 falls inside that region. The region is several times larger than the 20KB svchost.exe on disk, consistent with the child's original image having been replaced by the injected payload rather than the dropped file running as-is. For analysis, the later 2004 dumps (after the SetThreadContext call) are the ones that should hold the unpacked Azorult image.