Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20/05/2022, 15:33
Static task: static1
Behavioral task: behavioral1
  Sample: Order Specification.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Order Specification.exe
  Resource: win10v2004-20220414-en
General
- Target: Order Specification.exe
- Size: 1.1MB
- MD5: 1a2d79996f534571873d714d86863814
- SHA1: e75450cdd0a7e1c93a0f215064e974ab5e1ab768
- SHA256: f5053d63c375cee3c53f33df04dc76dfaa3560c35bb5f166e8238804e3ba3204
- SHA512: a61c70b8fbc9713f6bc2f14cc2e0bf3924a1e82c81266a61fcdf244e01d78901b2d7a88ae2f5d12cedb6a8292d4b77d6bf6dbc0bb6069e56c1f5ed9f86c4389e
Malware Config
- Extracted family: azorult
  C2: http://217.160.170.24/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- suricata: ET MALWARE AZORult Variant.4 Checkin M2
- suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M13
- Suspicious use of SetThreadContext (9 IoCs)
  description                           pid   Process                  procid_target
  PID 1512 set thread context of 4476   1512  Order Specification.exe  79
  PID 1512 set thread context of 3088   1512  Order Specification.exe  81
  PID 1512 set thread context of 4872   1512  Order Specification.exe  86
  PID 1512 set thread context of 1112   1512  Order Specification.exe  89
  PID 1512 set thread context of 3580   1512  Order Specification.exe  90
  PID 1512 set thread context of 448    1512  Order Specification.exe  91
  PID 1512 set thread context of 2632   1512  Order Specification.exe  92
  PID 1512 set thread context of 2816   1512  Order Specification.exe  93
  PID 1512 set thread context of 1796   1512  Order Specification.exe  94
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  pid   Process
  1512  Order Specification.exe  (28 identical entries)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  1512  Order Specification.exe  (3 identical entries)
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  1512  Order Specification.exe  (3 identical entries)
- Suspicious use of WriteProcessMemory (45 IoCs; each target PID appears in 5 identical entries)
  description                        pid   Process                  procid_target  entries
  PID 1512 wrote to memory of 4476   1512  Order Specification.exe  79             5
  PID 1512 wrote to memory of 3088   1512  Order Specification.exe  81             5
  PID 1512 wrote to memory of 4872   1512  Order Specification.exe  86             5
  PID 1512 wrote to memory of 1112   1512  Order Specification.exe  89             5
  PID 1512 wrote to memory of 3580   1512  Order Specification.exe  90             5
  PID 1512 wrote to memory of 448    1512  Order Specification.exe  91             5
  PID 1512 wrote to memory of 2632   1512  Order Specification.exe  92             5
  PID 1512 wrote to memory of 2816   1512  Order Specification.exe  93             5
  PID 1512 wrote to memory of 1796   1512  Order Specification.exe  94             5
Processes
- C:\Users\Admin\AppData\Local\Temp\Order Specification.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe"
  PID: 1512
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes (each with command line "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe"):
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 4476
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 3088
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 4872
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 1112
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 3580
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 448
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 2632
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 2816
  - C:\Users\Admin\AppData\Local\Temp\Order Specification.exe  PID: 1796