Analysis
-
max time kernel
43s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
26-09-2022 08:06
Static task
static1
Behavioral task
behavioral1
Sample
Order R04-T4077 TBA-2022, pdf.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Order R04-T4077 TBA-2022, pdf.exe
Resource
win10v2004-20220901-en
General
-
Target
Order R04-T4077 TBA-2022, pdf.exe
-
Size
186KB
-
MD5
c42bff2b027d01641cac47b363eaef63
-
SHA1
deb49ead9c64f834db57f7a5704321a7e684346e
-
SHA256
eb165382dbcc999a719a7f61a2c23b823eb2d89fc7648330065983586dc9a869
-
SHA512
591fea6ef966b327cca92fdbd13f7ac3de9740827774660dc7c758989765a6b6a81fffd3863c74b10550ab14ff3cc2a075b54c67061d86e08c2e1d9d871aa86b
-
SSDEEP
3072:yjFa0SeOyAVq3Vlfv+ZODb4941BVrJsQqe+/UajFVpCxBVOzyVjq:ASyAVEVGqkS1hsQqe+/xrI
Malware Config
Extracted
azorult
http://bl3ds2.shop/PL341/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Order R04-T4077 TBA-2022, pdf.exedescription pid process target process PID 1836 set thread context of 960 1836 Order R04-T4077 TBA-2022, pdf.exe cvtres.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
Order R04-T4077 TBA-2022, pdf.exedescription pid process target process PID 1836 wrote to memory of 960 1836 Order R04-T4077 TBA-2022, pdf.exe cvtres.exe PID 1836 wrote to memory of 960 1836 Order R04-T4077 TBA-2022, pdf.exe cvtres.exe PID 1836 wrote to memory of 960 1836 Order R04-T4077 TBA-2022, pdf.exe cvtres.exe PID 1836 wrote to memory of 960 1836 Order R04-T4077 TBA-2022, pdf.exe cvtres.exe PID 1836 wrote to memory of 960 1836 Order R04-T4077 TBA-2022, pdf.exe cvtres.exe PID 1836 wrote to memory of 960 1836 Order R04-T4077 TBA-2022, pdf.exe cvtres.exe PID 1836 wrote to memory of 960 1836 Order R04-T4077 TBA-2022, pdf.exe cvtres.exe PID 1836 wrote to memory of 960 1836 Order R04-T4077 TBA-2022, pdf.exe cvtres.exe PID 1836 wrote to memory of 960 1836 Order R04-T4077 TBA-2022, pdf.exe cvtres.exe PID 1836 wrote to memory of 960 1836 Order R04-T4077 TBA-2022, pdf.exe cvtres.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Order R04-T4077 TBA-2022, pdf.exe"C:\Users\Admin\AppData\Local\Temp\Order R04-T4077 TBA-2022, pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/960-69-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/960-60-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/960-72-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/960-71-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/960-63-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/960-59-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/960-70-0x0000000075771000-0x0000000075773000-memory.dmpFilesize
8KB
-
memory/960-62-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/960-67-0x000000000041A684-mapping.dmp
-
memory/960-64-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/960-66-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1836-58-0x0000000000310000-0x0000000000318000-memory.dmpFilesize
32KB
-
memory/1836-54-0x0000000000D10000-0x0000000000D40000-memory.dmpFilesize
192KB
-
memory/1836-55-0x00000000001F0000-0x00000000001F8000-memory.dmpFilesize
32KB
-
memory/1836-57-0x0000000000300000-0x000000000030C000-memory.dmpFilesize
48KB
-
memory/1836-56-0x00000000003B0000-0x00000000003B6000-memory.dmpFilesize
24KB