Analysis
- max time kernel: 149s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20/05/2022, 13:37
Static task: static1

Behavioral task: behavioral1
- Sample: Order Specification.exe
- Resource: win7-20220414-en
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: Order Specification.exe
- Resource: win10v2004-20220414-en
- 0 signatures, 0 seconds
General
- Target: Order Specification.exe
- Size: 1.2MB
- MD5: a7b338e379ecec86752301abbca0539f
- SHA1: d10cd55ff0d859303c4daac582c56c569ce45e24
- SHA256: f2dcf747bef15584ddd0242430a2374ef9b3b3b542b25cfd75589ec2d3dc66d6
- SHA512: 25b9e23bee501ac26fd537c09c363949a47f658736f2f691309ffee9a356e493c9873c323f00237b09c217c4764b75211241636fb23f5a31afa33fa7c2924670
- Score: 10/10
Malware Config (extracted)
- Family: azorult
- C2: http://165.22.94.14/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 3328 set thread context of 1416 | 3328 | Order Specification.exe | 77
  PID 3328 set thread context of 2952 | 3328 | Order Specification.exe | 85
  PID 3328 set thread context of 224 | 3328 | Order Specification.exe | 86
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  pid | Process
  3328 | Order Specification.exe (28 identical entries)
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid | Process
  3328 | Order Specification.exe (4 identical entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  pid | Process
  3328 | Order Specification.exe (4 identical entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 3328 wrote to memory of 1416 | 3328 | Order Specification.exe | 77 (5 identical entries)
  PID 3328 wrote to memory of 2952 | 3328 | Order Specification.exe | 85 (5 identical entries)
  PID 3328 wrote to memory of 224 | 3328 | Order Specification.exe | 86 (5 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Order Specification.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe"
  PID: 3328 (tree level 1)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe"
    PID: 1416 (tree level 2)
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe"
    PID: 2952 (tree level 2)
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe"
    PID: 224 (tree level 2)