File name:

Invoice payment.doc

Full analysis: https://app.any.run/tasks/992d1193-4d4e-4c3a-af5c-7eef9eec86f4
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: August 02, 2022, 11:52:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exploit
cve-2017-11882
loader
trojan
rat
azorult
Indicators:
MIME: application/octet-stream
File info: data
MD5:

8610A71B4BDADBDA429909C6873EBC25

SHA1:

959D4AF0B1A2A183BA1E56F9D1E6FBC7750B9B82

SHA256:

89CEB7FCC31C99A1D898F00F1C03C03FADEA562A3AD85456EE70E6E3F29C0C18

SSDEEP:

384:Zs9X1BoJ7c3mPREKFqGqhjaZpw6XssXhsKdxgue5AYwdMSvCs:CGcWJEKdZp7XssXhsKEhSf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3044)
    • Drops executable file immediately after starts

      • EQNEDT32.EXE (PID: 3044)
    • Application was dropped or rewritten from another process

      • kendriknk8523.exe (PID: 3088)
      • kendriknk8523.exe (PID: 2312)
    • AZORULT detected by memory dumps

      • kendriknk8523.exe (PID: 2312)
    • AZORULT was detected

      • kendriknk8523.exe (PID: 2312)
    • Connects to CnC server

      • kendriknk8523.exe (PID: 2312)
  • SUSPICIOUS

    • Reads the computer name

      • EQNEDT32.EXE (PID: 3044)
      • kendriknk8523.exe (PID: 3088)
      • kendriknk8523.exe (PID: 2312)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3044)
    • Executed via COM

      • EQNEDT32.EXE (PID: 3044)
    • Checks supported languages

      • EQNEDT32.EXE (PID: 3044)
      • kendriknk8523.exe (PID: 3088)
      • kendriknk8523.exe (PID: 2312)
    • Drops a file with a compile date too recent

      • EQNEDT32.EXE (PID: 3044)
    • Application launched itself

      • kendriknk8523.exe (PID: 3088)
    • Reads Environment values

      • kendriknk8523.exe (PID: 2312)
  • INFO

    • Reads the computer name

      • WINWORD.EXE (PID: 2584)
    • Checks supported languages

      • WINWORD.EXE (PID: 2584)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2584)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

azorult

(PID) Process(2312) kendriknk8523.exe
Hostshttp://208.67.105.161/kendrick/index.php
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe kendriknk8523.exe no specs #AZORULT kendriknk8523.exe

Process information

PID
CMD
Path
Indicators
Parent process
2584"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Invoice payment.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\user32.dll
3044"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
Modules
Images
c:\program files\common files\microsoft shared\equation\eqnedt32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3088"C:\Users\admin\AppData\Roaming\kendriknk8523.exe"C:\Users\admin\AppData\Roaming\kendriknk8523.exeEQNEDT32.EXE
User:
admin
Company:
Software by Ben Pty Ltd
Integrity Level:
MEDIUM
Description:
Swxbean Windows
Exit code:
0
Version:
1.10.0.0
Modules
Images
c:\users\admin\appdata\roaming\kendriknk8523.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2312"C:\Users\admin\AppData\Roaming\kendriknk8523.exe"C:\Users\admin\AppData\Roaming\kendriknk8523.exe
kendriknk8523.exe
User:
admin
Company:
Software by Ben Pty Ltd
Integrity Level:
MEDIUM
Description:
Swxbean Windows
Version:
1.10.0.0
Modules
Images
c:\users\admin\appdata\roaming\kendriknk8523.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
azorult
(PID) Process(2312) kendriknk8523.exe
Hostshttp://208.67.105.161/kendrick/index.php
Total events
3 950
Read events
3 228
Write events
594
Delete events
128

Modification events

(PID) Process:(2584) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:1z9
Value:
317A3900180A0000010000000000000000000000
(PID) Process:(2584) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2584) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2584) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(2584) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(2584) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(2584) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(2584) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(2584) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(2584) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
2
Suspicious files
0
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
2584WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR5EB1.tmp.cvr
MD5:
SHA256:
3044EQNEDT32.EXEC:\Users\admin\AppData\Roaming\kendriknk8523.exeexecutable
MD5:6146E00B16D35F03D1BE912592E27576
SHA256:9B26B242E62B7ED9F8BF214F0B752866E83F13981E11B9E7C70D5AEB0CBB0F5D
3044EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\kendrickzx[1].exeexecutable
MD5:6146E00B16D35F03D1BE912592E27576
SHA256:9B26B242E62B7ED9F8BF214F0B752866E83F13981E11B9E7C70D5AEB0CBB0F5D
2584WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:FE6BB1E1474DF1A0CAC63E6A240E1E82
SHA256:8EBB779E753C66B90A03683A0E7F4EF8873D6C7D1E85AFB15F8175E9CC20DDAD
2584WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$voice payment.docpgc
MD5:E7CCDA54157BC90B251D9A1F715EE1D9
SHA256:33CB599F19BB9A26825E77DF22F9F28AD15C8FE7EB03AA8869BC5474C84007E4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
4
DNS requests
0
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3044
EQNEDT32.EXE
GET
200
208.67.105.179:80
http://208.67.105.179/kendrickzx.exe
US
executable
699 Kb
malicious
2312
kendriknk8523.exe
POST
208.67.105.161:80
http://208.67.105.161/kendrick/index.php
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
208.67.105.161:80
US
malicious
3044
EQNEDT32.EXE
208.67.105.179:80
US
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
A Network Trojan was detected
ET TROJAN Win32/AZORult V3.3 Client Checkin M2
A Network Trojan was detected
AV TROJAN Azorult CnC Beacon
Potentially Bad Traffic
ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
A Network Trojan was detected
ET TROJAN AZORult v3.3 Server Response M2
1 ETPRO signatures available at the full report
No debug info