File name:	Invoice payment.doc
Full analysis:	https://app.any.run/tasks/992d1193-4d4e-4c3a-af5c-7eef9eec86f4
Verdict:	Malicious activity
Threats:	AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	August 02, 2022, 11:52:41
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	exploit cve-2017-11882 loader trojan rat azorult
Indicators:
MIME:	application/octet-stream
File info:	data
MD5:	8610A71B4BDADBDA429909C6873EBC25
SHA1:	959D4AF0B1A2A183BA1E56F9D1E6FBC7750B9B82
SHA256:	89CEB7FCC31C99A1D898F00F1C03C03FADEA562A3AD85456EE70E6E3F29C0C18
SSDEEP:	384:Zs9X1BoJ7c3mPREKFqGqhjaZpw6XssXhsKdxgue5AYwdMSvCs:CGcWJEKdZp7XssXhsKEhSf


(PID) Process:	(2584) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:	write	Name:	1z9
Value: 317A3900180A0000010000000000000000000000
(PID) Process:	(2584) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: Off
(PID) Process:	(2584) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1041
Value: Off
(PID) Process:	(2584) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1046
Value: Off
(PID) Process:	(2584) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1036
Value: Off
(PID) Process:	(2584) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1031
Value: Off
(PID) Process:	(2584) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1040
Value: Off
(PID) Process:	(2584) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1049
Value: Off
(PID) Process:	(2584) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	3082
Value: Off
(PID) Process:	(2584) WINWORD.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1042
Value: Off

PID	Process	Filename		Type
2584	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR5EB1.tmp.cvr		—
		MD5:—	SHA256:—
2584	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:FE6BB1E1474DF1A0CAC63E6A240E1E82	SHA256:8EBB779E753C66B90A03683A0E7F4EF8873D6C7D1E85AFB15F8175E9CC20DDAD
3044	EQNEDT32.EXE	C:\Users\admin\AppData\Roaming\kendriknk8523.exe		executable
		MD5:6146E00B16D35F03D1BE912592E27576	SHA256:9B26B242E62B7ED9F8BF214F0B752866E83F13981E11B9E7C70D5AEB0CBB0F5D
3044	EQNEDT32.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\kendrickzx[1].exe		executable
		MD5:6146E00B16D35F03D1BE912592E27576	SHA256:9B26B242E62B7ED9F8BF214F0B752866E83F13981E11B9E7C70D5AEB0CBB0F5D
2584	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$voice payment.doc		pgc
		MD5:E7CCDA54157BC90B251D9A1F715EE1D9	SHA256:33CB599F19BB9A26825E77DF22F9F28AD15C8FE7EB03AA8869BC5474C84007E4

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3044	EQNEDT32.EXE	GET	200	208.67.105.179:80	http://208.67.105.179/kendrickzx.exe	US	executable	699 Kb	malicious
2312	kendriknk8523.exe	POST	—	208.67.105.161:80	http://208.67.105.161/kendrick/index.php	US	—	—	malicious

PID	Process	Class	Message
—	—	A Network Trojan was detected	ET INFO Executable Download from dotted-quad Host
—	—	A Network Trojan was detected	ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	A Network Trojan was detected	ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
—	—	Potentially Bad Traffic	ET INFO SUSPICIOUS Dotted Quad Host MZ Response
—	—	A Network Trojan was detected	ET TROJAN Win32/AZORult V3.3 Client Checkin M2
—	—	A Network Trojan was detected	AV TROJAN Azorult CnC Beacon
—	—	Potentially Bad Traffic	ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
—	—	A Network Trojan was detected	ET TROJAN AZORult v3.3 Server Response M2

General Info

Invoice payment.doc

8610A71B4BDADBDA429909C6873EBC25

959D4AF0B1A2A183BA1E56F9D1E6FBC7750B9B82

89CEB7FCC31C99A1D898F00F1C03C03FADEA562A3AD85456EE70E6E3F29C0C18

384:Zs9X1BoJ7c3mPREKFqGqhjaZpw6XssXhsKdxgue5AYwdMSvCs:CGcWJEKdZp7XssXhsKEhSf

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops executable file immediately after starts

Equation Editor starts application (CVE-2017-11882)

Application was dropped or rewritten from another process

AZORULT was detected

Connects to CnC server

AZORULT detected by memory dumps

SUSPICIOUS

Checks supported languages

Reads the computer name

Executed via COM

Drops a file with a compile date too recent

Executable content was dropped or overwritten

Application launched itself

Reads Environment values

INFO

Reads the computer name

Checks supported languages

Reads Microsoft Office registry keys

Malware configuration

azorult

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

azorult

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings