Analysis Overview
SHA256
6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327
Threat Level: Known bad
The file 6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe was found to be: Known bad.
Malicious Activity Summary
Azorult
Gozi, Gozi IFSB
Suspicious use of SetThreadContext
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-03-22 07:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-22 07:01
Reported
2022-03-22 07:13
Platform
win7-20220311-en
Max time kernel
4294181s
Max time network
132s
Command Line
Signatures
Azorult
Gozi, Gozi IFSB
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1648 set thread context of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe | C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe
"C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe"
C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe
"C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 744
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 85.202.169.121:80 | | tcp |
| NL | 85.202.169.121:80 | 85.202.169.121 | tcp |
Files
memory/1648-54-0x00000000009C0000-0x0000000000A78000-memory.dmp
memory/1648-55-0x0000000074640000-0x0000000074D2E000-memory.dmp
memory/1648-56-0x0000000004950000-0x0000000004951000-memory.dmp
memory/1648-57-0x0000000000510000-0x000000000052A000-memory.dmp
memory/1648-58-0x0000000004951000-0x0000000004952000-memory.dmp
memory/1648-59-0x0000000005C10000-0x0000000005CB2000-memory.dmp
memory/1648-60-0x00000000009A0000-0x00000000009C2000-memory.dmp
memory/1936-61-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1936-63-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1936-65-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1936-69-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1936-67-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1936-71-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1936-73-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1936-74-0x00000000752C1000-0x00000000752C3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-22 07:01
Reported
2022-03-22 07:12
Platform
win10v2004-en-20220113
Max time kernel
79s
Max time network
169s
Command Line
Signatures
Azorult
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3832 set thread context of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe | C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe
"C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe"
C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe
"C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4212 -ip 4212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1220
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 85.202.169.121:80 | 85.202.169.121 | tcp |
| NL | 104.110.191.133:80 | | tcp |
Files
memory/3832-130-0x00000000001C0000-0x0000000000278000-memory.dmp
memory/3832-131-0x0000000005190000-0x0000000005734000-memory.dmp
memory/3832-132-0x0000000074730000-0x0000000074EE0000-memory.dmp
memory/3832-133-0x0000000004C80000-0x0000000004D12000-memory.dmp
memory/3832-134-0x0000000004C40000-0x0000000004C4A000-memory.dmp
memory/3832-135-0x00000000089A0000-0x0000000008A3C000-memory.dmp
memory/3832-136-0x0000000004BA0000-0x0000000004BA1000-memory.dmp
memory/4212-137-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4212-139-0x0000000000400000-0x0000000000420000-memory.dmp