Analysis
max time kernel: 85s
max time network: 149s
platform: windows10_x64
resource: win10-en
submitted: 20-09-2021 10:12

Static task: static1
Behavioral task: behavioral1
  Sample: ORDER WORKBOOK.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: ORDER WORKBOOK.exe
  Resource: win10-en

The platform and resource above identify this view as the windows10_x64 (win10-en) run, so the PIDs, signature rows and memory dumps below belong to behavioral2, not to the Windows 7 task.
General
Target: ORDER WORKBOOK.exe
Size: 1.3MB
MD5: 38c3c643e80618c83b80b990ae16abe2
SHA1: ee93f02563f008c2715c26b4f8478410e09babcd
SHA256: ff2f7cc30d0eca889fbe37a6ea28172ac1dc0b2ea3563a622cc7de25a96e07f6
SHA512: 26328038bbbb4523fd0dbfa8338a1bb09833a5c70de4240aa29944f4d103d358afe673246b924bb69a1f4134b0e945cf03b40685970e863a7f29d5ed02c24111
Malware Config
Extracted
Family: azorult
C2 URL: http://136.144.41.34/index.php
Signatures

Azorult
An information stealer, first seen in 2016, that targets browsing history and saved passwords.

suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M17
(The IDS alert fires on the client check-in, so the sample reached its C2 on the wire during the run; it is not just a static match on the extracted URL.)
Suspicious use of SetThreadContext (1 IoC)
description                          pid   process             target process
PID 4020 set thread context of 3212  4020  ORDER WORKBOOK.exe  ORDER WORKBOOK.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   process
4020  ORDER WORKBOOK.exe
4020  ORDER WORKBOOK.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   process
Token: SeDebugPrivilege  4020  ORDER WORKBOOK.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   process             target process      count
PID 4020 wrote to memory of 3144  4020  ORDER WORKBOOK.exe  ORDER WORKBOOK.exe  3
PID 4020 wrote to memory of 3212  4020  ORDER WORKBOOK.exe  ORDER WORKBOOK.exe  9

Read together, the four behavioral signatures are the process-hollowing (RunPE) sequence: the original process (PID 4020) enables SeDebugPrivilege, starts children from its own image, writes into them with WriteProcessMemory, and then redirects a thread in PID 3212 with SetThreadContext so that execution resumes inside the written-in code. PID 3144 received only three writes and no thread-context change, so that attempt does not appear to have completed; PID 3212 received nine writes plus the context change and is the hollowed child. That is why the 128KB dumps of its 0x400000-0x420000 region listed under Downloads are the first thing to unpack when looking for the Azorult payload.
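The correlation just described can be automated. The script below is an added example for this page, not part of the sandbox or its tooling: it takes the rows of the WriteProcessMemory, SetThreadContext and AdjustPrivilegeToken tables (transcribed by hand into dicts using the tables' own columns), groups them by source PID, separates completed hollowing chains from write-only attempts, and then picks the memory dumps of the hollowed PID from the Downloads list. Function names (`correlate`, `hollowed_pids`, `dumps_for`) and the dict layout are this example's own.

```python
"""Correlate sandbox injection IoCs into a process-hollowing chain.

Added example; not part of the sandbox report or its tooling.  The
records below are transcribed from the report's signature tables using
the tables' own columns (description, pid, process, target process).
"""
import re
from collections import Counter, defaultdict

WRITE_RE = re.compile(r"wrote to memory of (\d+)")
CONTEXT_RE = re.compile(r"set thread context of (\d+)")
TOKEN_RE = re.compile(r"Token: (\w+)")
DUMP_RE = re.compile(
    r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Transcribed from the report: the 12 WriteProcessMemory rows collapse to
# 3 writes into PID 3144 and 9 writes into PID 3212, all from PID 4020.
SAMPLE_ROWS = (
    [{"description": "PID 4020 wrote to memory of 3144", "pid": 4020,
      "process": "ORDER WORKBOOK.exe", "target": "ORDER WORKBOOK.exe"}] * 3
    + [{"description": "PID 4020 wrote to memory of 3212", "pid": 4020,
        "process": "ORDER WORKBOOK.exe", "target": "ORDER WORKBOOK.exe"}] * 9
    + [{"description": "PID 4020 set thread context of 3212", "pid": 4020,
        "process": "ORDER WORKBOOK.exe", "target": "ORDER WORKBOOK.exe"},
       {"description": "Token: SeDebugPrivilege", "pid": 4020,
        "process": "ORDER WORKBOOK.exe", "target": None}]
)

# Dump names as listed under Downloads in the report.
SAMPLE_DUMPS = [
    "memory/3212-117-0x0000000000400000-0x0000000000420000-memory.dmp",
    "memory/3212-118-0x000000000041A1F8-mapping.dmp",
    "memory/3212-119-0x0000000000400000-0x0000000000420000-memory.dmp",
    "memory/4020-115-0x0000000001600000-0x0000000001601000-memory.dmp",
    "memory/4020-116-0x0000000001601000-0x0000000001602000-memory.dmp",
]


def correlate(rows):
    """Group IoC rows by source PID and classify each (source, target) pair.

    'hollowed' means the same source both wrote into the target and changed
    a thread context in it; 'written_only' means writes with no context
    change (an aborted or partial attempt).
    """
    writes = defaultdict(Counter)   # source pid -> Counter of target pids
    contexts = defaultdict(set)     # source pid -> targets with SetThreadContext
    privileges = defaultdict(set)   # pid -> privileges enabled
    same_image = {}                 # (source, target) -> same executable?
    for row in rows:
        src, desc = row["pid"], row["description"]
        if m := WRITE_RE.search(desc):
            tgt = int(m.group(1))
            writes[src][tgt] += 1
            same_image[(src, tgt)] = row["process"] == row["target"]
        elif m := CONTEXT_RE.search(desc):
            contexts[src].add(int(m.group(1)))
        elif m := TOKEN_RE.search(desc):
            privileges[src].add(m.group(1))

    chains = []
    for src, targets in writes.items():
        for tgt, n in targets.items():
            chains.append({
                "source": src,
                "target": tgt,
                "writes": n,
                "status": "hollowed" if tgt in contexts[src] else "written_only",
                "same_image": same_image[(src, tgt)],
                "source_privileges": sorted(privileges[src]),
            })
    return sorted(chains, key=lambda c: (c["source"], c["target"]))


def hollowed_pids(rows):
    """PIDs that were both written to and had a thread context replaced."""
    return sorted({c["target"] for c in correlate(rows) if c["status"] == "hollowed"})


def dumps_for(pid, dump_names):
    """Return (name, start, size) for region dumps of one PID, largest first.

    The largest region dumped from the hollowed child is where to look for
    the unpacked payload; mapping dumps (no end address) are skipped.
    """
    found = []
    for name in dump_names:
        if (m := DUMP_RE.match(name)) and int(m.group(1)) == pid:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            found.append((name, start, end - start))
    return sorted(found, key=lambda t: -t[2])


if __name__ == "__main__":
    for chain in correlate(SAMPLE_ROWS):
        print(chain)
    for pid in hollowed_pids(SAMPLE_ROWS):
        for name, start, size in dumps_for(pid, SAMPLE_DUMPS):
            print(f"pid {pid}: {name} @ {start:#x} ({size // 1024} KB)")
```

On this report the script reports PID 3144 as written_only (3 writes) and PID 3212 as hollowed (9 writes, same image, source holding SeDebugPrivilege), and selects the two 128KB 0x400000 region dumps of PID 3212. The same logic applies unchanged to any report whose rows use this column layout, which is why the row format rather than this sample's PIDs is hard-coded.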
Processes
1. C:\Users\Admin\AppData\Local\Temp\ORDER WORKBOOK.exe (PID 4020)
   command line: "C:\Users\Admin\AppData\Local\Temp\ORDER WORKBOOK.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ORDER WORKBOOK.exe
      command line: "{path}"
   2. C:\Users\Admin\AppData\Local\Temp\ORDER WORKBOOK.exe
      command line: "{path}"

The two level-2 children are the WriteProcessMemory targets from the signatures above (PIDs 3144 and 3212); the sandbox attributes all four signatures to the parent, which matches PID 4020 in every signature row. Both children were started with the literal command line "{path}", recorded as the parent supplied it, so a process whose command line is exactly that string is a cheap hunting pivot for this loader.
Downloads (memory dumps)
file                                                               size
memory/3212-117-0x0000000000400000-0x0000000000420000-memory.dmp   128KB
memory/3212-118-0x000000000041A1F8-mapping.dmp
memory/3212-119-0x0000000000400000-0x0000000000420000-memory.dmp   128KB
memory/4020-115-0x0000000001600000-0x0000000001601000-memory.dmp   4KB
memory/4020-116-0x0000000001601000-0x0000000001602000-memory.dmp   4KB