Analysis
- max time kernel: 144s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 01-07-2022 05:40
Static task: static1
Behavioral task: behavioral1
- Sample: b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe
- Resource: win10v2004-20220414-en
General
- Target: b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe
- Size: 802KB
- MD5: 8ea07f15dc6ffa24f8e03005566e044f
- SHA1: 05afcd0e5052d7987232fa0b317a62cf78476168
- SHA256: b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7
- SHA512: f701238fa7510cc80caaad101bd444e95534235aa9b15def21781f85c428d7f1c27ea77733f65fab302dc3fc8dcfc196f6a489df1a45e88745ebd93bc06601c7
Malware Config
Extracted
- Family: azorult
- URL: http://waresustem.live/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                         | pid  | process                                                                  | target process
  PID 1092 set thread context of 2020 | 1092 | b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe | b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid  | process
  1092 | b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
  pid  | process
  1092 | b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe
  1092 | b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                      | pid  | process                                                                  | target process
  PID 1092 wrote to memory of 2020 | 1092 | b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe | b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe
  PID 1092 wrote to memory of 2020 | 1092 | b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe | b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe
  PID 1092 wrote to memory of 2020 | 1092 | b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe | b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe
  PID 1092 wrote to memory of 2020 | 1092 | b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe | b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe (PID 1092)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe (child, PID 2020)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b2dc28fabf18dc1c84e056f4b052d58ffa650d74e1142743caff1ab12d3c12c7.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/1092-54-0x0000000075F61000-0x0000000075F63000-memory.dmp (filesize 8KB)
- memory/2020-55-0x000000000041A684-mapping.dmp
- memory/2020-56-0x0000000000400000-0x0000000000420000-memory.dmp (filesize 128KB)
- memory/2020-58-0x0000000000400000-0x0000000000420000-memory.dmp (filesize 128KB)
- memory/2020-59-0x0000000000400000-0x0000000000420000-memory.dmp (filesize 128KB)