Analysis
- max time kernel: 51s
- max time network: 54s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 19-01-2021 13:10
Static task: static1
Behavioral task: behavioral1 (Sample: New Order.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: New Order.exe, Resource: win10v20201028)
General
- Target: New Order.exe
- Size: 964KB
- MD5: 03f50d159989c51c9d1a53aa4ab329e3
- SHA1: d5564e5676412a6cfc7e6403201baeafafec72a2
- SHA256: 7d616629dceb30f4c3f4dec759fc0e802371115a1e8cd289aa731555df6be3ae
- SHA512: 66347700e3b597b3c01b6bd85700d86bbb2128adc6d20f63aab0525623803543049024591d4177208cffde88ae0dff77880cec31864954da42b07acca7f7f081
Malware Config
- Extracted: azorult
- URL: http://45.137.22.102/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 1856 set thread context of 616: New Order.exe -> RegSvcs.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  - PID 1856 wrote to memory of 672: New Order.exe -> schtasks.exe (4 events)
  - PID 1856 wrote to memory of 616: New Order.exe -> RegSvcs.exe (13 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\New Order.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (child)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FbzLqkUY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp28B6.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child)
    Command line: "{path}"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp28B6.tmp
  MD5: 460d8895ee56f4e1841331750381ac1e
  SHA1: 2c083b7f12df0325306cbf75e93f8a8aad134f0f
  SHA256: b0ecdbfac00648947a8f4b1bc231e56eca5a858ef6b1a5018fdb8da7ff1d48dc
  SHA512: 9d43ce3bb86aed4d22527230348d49f15894ffa29771df496c8f145b8e3c9fb8435ad1342b38b9f5e827c1d247abebd94535cd283570e7f32f04bad64b51101b
- memory/616-10-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/616-11-0x000000000041A1F8-mapping.dmp
- memory/616-12-0x00000000767E1000-0x00000000767E3000-memory.dmp (Filesize: 8KB)
- memory/616-14-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/672-8-0x0000000000000000-mapping.dmp
- memory/1624-13-0x000007FEF67C0000-0x000007FEF6A3A000-memory.dmp (Filesize: 2.5MB)
- memory/1856-2-0x0000000074590000-0x0000000074C7E000-memory.dmp (Filesize: 6.9MB)
- memory/1856-3-0x0000000001190000-0x0000000001191000-memory.dmp (Filesize: 4KB)
- memory/1856-5-0x0000000000400000-0x0000000000401000-memory.dmp (Filesize: 4KB)
- memory/1856-6-0x00000000002F0000-0x00000000002FE000-memory.dmp (Filesize: 56KB)
- memory/1856-7-0x00000000007E0000-0x000000000081B000-memory.dmp (Filesize: 236KB)