Analysis

max time kernel: 151s
max time network: 150s
platform: windows7_x64
resource: win7-20220414-en
submitted: 20/05/2022, 13:37

Static task: static1

Behavioral task: behavioral1
  Sample: Order Specification.exe
  Resource: win7-20220414-en
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: Order Specification.exe
  Resource: win10v2004-20220414-en
  0 signatures, 0 seconds
General

Target: Order Specification.exe
Size: 1.2MB
MD5: a7b338e379ecec86752301abbca0539f
SHA1: d10cd55ff0d859303c4daac582c56c569ce45e24
SHA256: f2dcf747bef15584ddd0242430a2374ef9b3b3b542b25cfd75589ec2d3dc66d6
SHA512: 25b9e23bee501ac26fd537c09c363949a47f658736f2f691309ffee9a356e493c9873c323f00237b09c217c4764b75211241636fb23f5a31afa33fa7c2924670
Score: 10/10

Malware Config (Extracted)

Family: azorult
C2: http://165.22.94.14/index.php
Signatures

Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Suspicious use of SetThreadContext (2 IoCs)
  description                              | pid  | Process                 | procid_target
  PID 1880 set thread context of 1784      | 1880 | Order Specification.exe | 27
  PID 1880 set thread context of 432       | 1880 | Order Specification.exe | 30

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid  | Process
  1880 | Order Specification.exe   (same row reported 14 times)

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid  | Process
  1880 | Order Specification.exe   (same row reported 3 times)

Suspicious use of SendNotifyMessage (3 IoCs)
  pid  | Process
  1880 | Order Specification.exe   (same row reported 3 times)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                              | pid  | Process                 | procid_target
  PID 1880 wrote to memory of 1784         | 1880 | Order Specification.exe | 27   (reported 6 times)
  PID 1880 wrote to memory of 432          | 1880 | Order Specification.exe | 30   (reported 6 times)
Processes

C:\Users\Admin\AppData\Local\Temp\Order Specification.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe"
  PID: 1880
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Order Specification.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe"
    PID: 1784

  C:\Users\Admin\AppData\Local\Temp\Order Specification.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe"
    PID: 432