Analysis
max time kernel: 118s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 09:23
Static task: static1
Behavioral task: behavioral1
  Sample: 54ab27d1eef9de4b873f1bbcdb831a702aca1c9b.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 54ab27d1eef9de4b873f1bbcdb831a702aca1c9b.exe
  Resource: win10v2004-20220901-en
General
Target: 54ab27d1eef9de4b873f1bbcdb831a702aca1c9b.exe
Size: 129KB
MD5: 0386ed817dfa5d59b18ca55b08837bef
SHA1: 54ab27d1eef9de4b873f1bbcdb831a702aca1c9b
SHA256: 69bf90b66674ea72cec01a85291f00da3b76e39abaf3455d1ba793928afe3243
SHA512: a489ea814502abb10cbcf93611be73e02de5c28264ae7078fe9798219d2673ba5ab825eddea50c2d6bf94aaf74a3693f3dfb58118a38e16ffe9ccbf0d8788151
SSDEEP: 3072:lOLyMIlnd1n/OSvKnYKAIl0XUbkxdFDkU0Ke6CZ5NfdjW:ILHIFdFOdAIl+Ubk2Uze3dj
Malware Config
Extracted
Family: azorult
C2: https://discaredforftp.000webhostapp.com/
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 5060 set thread context of 3056 | 5060 | 54ab27d1eef9de4b873f1bbcdb831a702aca1c9b.exe | RegSvcs.exe

Program crash (1 IoC)
Processes:
  pid | pid_target | process | target process
  4764 | 3056 | WerFault.exe | RegSvcs.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 5060 wrote to memory of 3056 | 5060 | 54ab27d1eef9de4b873f1bbcdb831a702aca1c9b.exe | RegSvcs.exe
  PID 5060 wrote to memory of 3056 | 5060 | 54ab27d1eef9de4b873f1bbcdb831a702aca1c9b.exe | RegSvcs.exe
  PID 5060 wrote to memory of 3056 | 5060 | 54ab27d1eef9de4b873f1bbcdb831a702aca1c9b.exe | RegSvcs.exe
  PID 5060 wrote to memory of 3056 | 5060 | 54ab27d1eef9de4b873f1bbcdb831a702aca1c9b.exe | RegSvcs.exe
  PID 5060 wrote to memory of 3056 | 5060 | 54ab27d1eef9de4b873f1bbcdb831a702aca1c9b.exe | RegSvcs.exe
  PID 5060 wrote to memory of 3056 | 5060 | 54ab27d1eef9de4b873f1bbcdb831a702aca1c9b.exe | RegSvcs.exe
  PID 5060 wrote to memory of 3056 | 5060 | 54ab27d1eef9de4b873f1bbcdb831a702aca1c9b.exe | RegSvcs.exe
  PID 5060 wrote to memory of 3056 | 5060 | 54ab27d1eef9de4b873f1bbcdb831a702aca1c9b.exe | RegSvcs.exe
  PID 5060 wrote to memory of 3056 | 5060 | 54ab27d1eef9de4b873f1bbcdb831a702aca1c9b.exe | RegSvcs.exe
Processes (process tree; the number is the nesting depth)

1. C:\Users\Admin\AppData\Local\Temp\54ab27d1eef9de4b873f1bbcdb831a702aca1c9b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\54ab27d1eef9de4b873f1bbcdb831a702aca1c9b.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1564
         - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3056 -ip 3056
Network
MITRE ATT&CK Matrix
Downloads
- memory/3056-138-0x0000000000000000-mapping.dmp
- memory/3056-139-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/3056-141-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/3056-142-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/3056-143-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/5060-132-0x0000000000260000-0x0000000000286000-memory.dmp (Filesize: 152KB)
- memory/5060-133-0x0000000005260000-0x0000000005804000-memory.dmp (Filesize: 5.6MB)
- memory/5060-134-0x0000000004CB0000-0x0000000004D42000-memory.dmp (Filesize: 584KB)
- memory/5060-135-0x0000000004C30000-0x0000000004C3A000-memory.dmp (Filesize: 40KB)
- memory/5060-136-0x0000000004EC0000-0x0000000004F36000-memory.dmp (Filesize: 472KB)
- memory/5060-137-0x00000000051D0000-0x00000000051EE000-memory.dmp (Filesize: 120KB)