| Field | Value |
|---|---|
| File name | Invoice payment.doc |
| Full analysis | https://app.any.run/tasks/992d1193-4d4e-4c3a-af5c-7eef9eec86f4 |
| Verdict | Malicious activity |
| Threats | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer should not be taken lightly, as it continues to be an active threat. |
| Analysis date | August 02, 2022, 11:52:41 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | — |
| Indicators | — |
| MIME | application/octet-stream |
| File info | data |
| MD5 | 8610A71B4BDADBDA429909C6873EBC25 |
| SHA1 | 959D4AF0B1A2A183BA1E56F9D1E6FBC7750B9B82 |
| SHA256 | 89CEB7FCC31C99A1D898F00F1C03C03FADEA562A3AD85456EE70E6E3F29C0C18 |
| SSDEEP | 384:Zs9X1BoJ7c3mPREKFqGqhjaZpw6XssXhsKdxgue5AYwdMSvCs:CGcWJEKdZp7XssXhsKEhSf |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|---|
| 2584 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Invoice payment.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE | admin | Microsoft Corporation | MEDIUM | Microsoft Word | 14.0.6024.1000 | — |
| 3044 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | admin | Design Science, Inc. | MEDIUM | Microsoft Equation Editor | 00110900 | 0 |
| 3088 | "C:\Users\admin\AppData\Roaming\kendriknk8523.exe" | C:\Users\admin\AppData\Roaming\kendriknk8523.exe | — | EQNEDT32.EXE | admin | Software by Ben Pty Ltd | MEDIUM | Swxbean Windows | 1.10.0.0 | 0 |
| 2312 | "C:\Users\admin\AppData\Roaming\kendriknk8523.exe" | C:\Users\admin\AppData\Roaming\kendriknk8523.exe | — | kendriknk8523.exe | admin | Software by Ben Pty Ltd | MEDIUM | Swxbean Windows | 1.10.0.0 | — |

| Malware family | PID | Process | Hosts |
|---|---|---|---|
| azorult | 2312 | kendriknk8523.exe | http://208.67.105.161/kendrick/index.php |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 2584 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | write | 1z9 | 317A3900180A0000010000000000000000000000 |
| 2584 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off |
| 2584 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1041 | Off |
| 2584 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1046 | Off |
| 2584 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1036 | Off |
| 2584 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1031 | Off |
| 2584 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1040 | Off |
| 2584 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1049 | Off |
| 2584 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 3082 | Off |
| 2584 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1042 | Off |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2584 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5EB1.tmp.cvr | — | — | — |
| 2584 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | FE6BB1E1474DF1A0CAC63E6A240E1E82 | 8EBB779E753C66B90A03683A0E7F4EF8873D6C7D1E85AFB15F8175E9CC20DDAD |
| 3044 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\kendrickzx[1].exe | executable | 6146E00B16D35F03D1BE912592E27576 | 9B26B242E62B7ED9F8BF214F0B752866E83F13981E11B9E7C70D5AEB0CBB0F5D |
| 3044 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\kendriknk8523.exe | executable | 6146E00B16D35F03D1BE912592E27576 | 9B26B242E62B7ED9F8BF214F0B752866E83F13981E11B9E7C70D5AEB0CBB0F5D |
| 2584 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$voice payment.doc | pgc | E7CCDA54157BC90B251D9A1F715EE1D9 | 33CB599F19BB9A26825E77DF22F9F28AD15C8FE7EB03AA8869BC5474C84007E4 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3044 | EQNEDT32.EXE | GET | 200 | 208.67.105.179:80 | http://208.67.105.179/kendrickzx.exe | US | executable | 699 Kb | malicious |
2312 | kendriknk8523.exe | POST | — | 208.67.105.161:80 | http://208.67.105.161/kendrick/index.php | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 208.67.105.161:80 | — | — | US | malicious |
3044 | EQNEDT32.EXE | 208.67.105.179:80 | — | — | US | malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
— | — | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
— | — | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
— | — | A Network Trojan was detected | ET TROJAN Win32/AZORult V3.3 Client Checkin M2 |
— | — | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon |
— | — | Potentially Bad Traffic | ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 |
— | — | A Network Trojan was detected | ET TROJAN AZORult v3.3 Server Response M2 |