Analysis
- max time kernel: 121s
- max time network: 120s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 30-04-2021 11:01
Static task
- static1
Behavioral task
- behavioral1
  - Sample: PaymentNotification.pdf.exe
  - Resource: win7v20210410 (windows7_x64)
  - 0 signatures, 0 seconds
Behavioral task
- behavioral2
  - Sample: PaymentNotification.pdf.exe
  - Resource: win10v20210410 (windows10_x64)
  - 0 signatures, 0 seconds
General
- Target: PaymentNotification.pdf.exe
- Size: 1.5MB
- MD5: 533080297cda36f79983aac2531cd490
- SHA1: 8ee3fef2355beba65935e9bc3eed95f5ec01ff2e
- SHA256: 214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6
- SHA512: 4e764550c8edb05f3e5a1bb49566952d650c3b74476c47795bc7e3a92b4419a96eb84d6adcd2520c92a03f2cd50bf294c7f03c16916efa881c74f5976705b309
- Score: 10/10
Malware Config
Extracted
- Family: azorult
- C2: http://203.159.80.91/index.php
Signatures
- Azorult
  An information stealer first observed in 2016 that harvests browser data such as saved passwords and browsing history.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 484 set thread context of 1224 | 484 | PaymentNotification.pdf.exe | PaymentNotification.pdf.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description | pid | process | target process):
  PID 484 wrote to memory of 1224 | 484 | PaymentNotification.pdf.exe | PaymentNotification.pdf.exe
  (this row is recorded 10 times, one per WriteProcessMemory call)

Read together with the process tree and the memory dumps below, these two signatures describe one sequence: PID 484 starts a second copy of its own image as PID 1224, writes into it ten times, then sets the child's thread context, and the child's dumps cover a 128KB image at 0x400000-0x420000 with a mapping recorded at 0x41A1F8. That sequence is consistent with process hollowing (MITRE ATT&CK T1055.012), where a loader overwrites a suspended child with a payload and redirects its main thread to the payload's entry point. The child-process dump, not the on-disk sample, is therefore the artifact to examine for the decoded payload.
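The two IoC tables above are flat API-call records; a detection rule has to correlate them per source/target pair to recognise the hollowing sequence. The following is an added example, not part of the sandbox report or of any vendor's detection logic: it parses rows in the layout of the "Processes:" tables (the column order shown above, with the row format itself an assumption for this example) and flags any pair where one process both writes into another and sets a thread context there. The sample rows repeat the values from this report and add one constructed benign distractor (a single WriteProcessMemory without a SetThreadContext) that the rule must not flag.

```python
import re
from collections import defaultdict

# Constructed sample rows in the layout of the report's "Processes:" IoC tables:
#   <description> <pid> <process> <target process>
# The first eleven rows repeat the values shown in the report for PID 484 -> 1224.
# The explorer.exe row is a constructed benign distractor (one WriteProcessMemory,
# no SetThreadContext) so the detector has something it must ignore.
SAMPLE_ROWS = (
    ["PID 484 set thread context of 1224 484 PaymentNotification.pdf.exe PaymentNotification.pdf.exe"]
    + ["PID 484 wrote to memory of 1224 484 PaymentNotification.pdf.exe PaymentNotification.pdf.exe"] * 10
    + ["PID 1000 wrote to memory of 2000 1000 explorer.exe notepad.exe"]
)

# Row layout is an assumption of this example, taken from the table above.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<api>set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def parse_rows(rows):
    """Turn IoC rows into event dicts; rows that do not match the layout are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        events.append({
            "src": int(m["src"]),
            "dst": int(m["dst"]),
            "api": "SetThreadContext" if m["api"].startswith("set") else "WriteProcessMemory",
            "src_image": m["src_image"],
            "dst_image": m["dst_image"],
        })
    return events


def find_hollowing(events, min_writes=1):
    """Flag (source, target) pairs where a process both writes into another
    process and sets a thread context there, the hallmark of process hollowing.
    A pair whose two images share a name (a loader hollowing a suspended copy
    of itself, as in this sample) is reported with 'high' confidence."""
    by_pair = defaultdict(lambda: {"writes": 0, "ctx": 0, "src_image": "", "dst_image": ""})
    for e in events:
        if e["src"] == e["dst"]:
            continue  # writes into the caller's own address space are not injection
        p = by_pair[(e["src"], e["dst"])]
        p["src_image"], p["dst_image"] = e["src_image"], e["dst_image"]
        if e["api"] == "WriteProcessMemory":
            p["writes"] += 1
        else:
            p["ctx"] += 1

    findings = []
    for (src, dst), p in sorted(by_pair.items()):
        if p["writes"] >= min_writes and p["ctx"] >= 1:
            same_image = p["src_image"].lower() == p["dst_image"].lower()
            findings.append({
                "source_pid": src,
                "target_pid": dst,
                "writes": p["writes"],
                "thread_context_sets": p["ctx"],
                "confidence": "high" if same_image else "medium",
                "technique": "T1055.012 Process Hollowing",
            })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(parse_rows(SAMPLE_ROWS)):
        print(finding)
```

On this report the rule yields exactly one finding, 484 -> 1224 with ten writes and one thread-context set at high confidence, and stays silent on the distractor pair. Requiring both APIs on the same pair is what keeps the rule quiet on debuggers and other tools that write remote memory without redirecting a thread.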
Processes
- C:\Users\Admin\AppData\Local\Temp\PaymentNotification.pdf.exe (PID 484, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PaymentNotification.pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PaymentNotification.pdf.exe (PID 1224, depth 2, child of 484)
    Command line: "{path}"
Network
MITRE ATT&CK Matrix
Downloads
Memory dumps (name encodes pid-sequence-start-end; size as reported):
- memory/484-60-0x0000000075FE1000-0x0000000075FE3000-memory.dmp: 8KB
- memory/484-61-0x0000000000520000-0x0000000000521000-memory.dmp: 4KB
- memory/484-65-0x0000000000521000-0x0000000000522000-memory.dmp: 4KB
- memory/1224-63-0x000000000041A1F8-mapping.dmp: mapping dump, no size listed
- memory/1224-62-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
- memory/1224-66-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB