Analysis
- max time kernel: 142s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20/05/2022, 15:33
Static task: static1

Behavioral task: behavioral1
- Sample: Order Specification.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: Order Specification.exe
- Resource: win10v2004-20220414-en
General
- Target: Order Specification.exe
- Size: 1.1MB
- MD5: 1a2d79996f534571873d714d86863814
- SHA1: e75450cdd0a7e1c93a0f215064e974ab5e1ab768
- SHA256: f5053d63c375cee3c53f33df04dc76dfaa3560c35bb5f166e8238804e3ba3204
- SHA512: a61c70b8fbc9713f6bc2f14cc2e0bf3924a1e82c81266a61fcdf244e01d78901b2d7a88ae2f5d12cedb6a8292d4b77d6bf6dbc0bb6069e56c1f5ed9f86c4389e
Malware Config
Extracted: azorult
- http://217.160.170.24/index.php
Signatures
- Azorult: an information stealer that was first discovered in 2016, targeting browsing history and passwords.
- suricata: ET MALWARE AZORult Variant.4 Checkin M2
- suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M5
Suspicious use of SetThreadContext (14 IoCs)
description                            pid   Process                  procid_target
PID 1564 set thread context of 904     1564  Order Specification.exe  27
PID 1564 set thread context of 1180    1564  Order Specification.exe  30
PID 1564 set thread context of 268     1564  Order Specification.exe  31
PID 1564 set thread context of 1448    1564  Order Specification.exe  32
PID 1564 set thread context of 1004    1564  Order Specification.exe  33
PID 1564 set thread context of 1236    1564  Order Specification.exe  34
PID 1564 set thread context of 2008    1564  Order Specification.exe  35
PID 1564 set thread context of 468     1564  Order Specification.exe  36
PID 1564 set thread context of 1624    1564  Order Specification.exe  37
PID 1564 set thread context of 836     1564  Order Specification.exe  38
PID 1564 set thread context of 956     1564  Order Specification.exe  39
PID 1564 set thread context of 1720    1564  Order Specification.exe  40
PID 1564 set thread context of 1512    1564  Order Specification.exe  41
PID 1564 set thread context of 848     1564  Order Specification.exe  42
Suspicious behavior: EnumeratesProcesses (13 IoCs)
pid   Process
1564  Order Specification.exe  (13 identical entries)
Suspicious use of FindShellTrayWindow (3 IoCs)
pid   Process
1564  Order Specification.exe  (3 identical entries)
Suspicious use of SendNotifyMessage (3 IoCs)
pid   Process
1564  Order Specification.exe  (3 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Identical rows are collapsed; the entries column gives how many times each row appears in the report.
description                          pid   Process                  procid_target  entries
PID 1564 wrote to memory of 904      1564  Order Specification.exe  27             6
PID 1564 wrote to memory of 1180     1564  Order Specification.exe  30             6
PID 1564 wrote to memory of 268      1564  Order Specification.exe  31             6
PID 1564 wrote to memory of 1448     1564  Order Specification.exe  32             6
PID 1564 wrote to memory of 1004     1564  Order Specification.exe  33             6
PID 1564 wrote to memory of 1236     1564  Order Specification.exe  34             6
PID 1564 wrote to memory of 2008     1564  Order Specification.exe  35             6
PID 1564 wrote to memory of 468      1564  Order Specification.exe  36             6
PID 1564 wrote to memory of 1624     1564  Order Specification.exe  37             6
PID 1564 wrote to memory of 836      1564  Order Specification.exe  38             6
PID 1564 wrote to memory of 956      1564  Order Specification.exe  39             4
Processes
- C:\Users\Admin\AppData\Local\Temp\Order Specification.exe
  "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe"
  PID: 1564
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes (each launched as "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe"):
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 904
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 1180
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 268
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 1448
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 1004
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 1236
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 2008
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 468
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 1624
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 836
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 956
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 1720
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 1512
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 848