Analysis Overview
SHA256
858645d9a1d4993c45c655908c7bc6f597e32892f99a9dbbab1f0223fc4f4771
Threat Level: Known bad
The file 858645d9a1d4993c45c655908c7bc6f597e32892f99a9dbbab1f0223fc4f4771 was found to be: Known bad.
Malicious Activity Summary
Azorult
AutoIT Executable
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-05-20 13:37
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-20 13:37
Reported
2022-05-20 14:16
Platform
win7-20220414-en
Max time kernel
149s
Max time network
141s
Command Line
Signatures
Azorult
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1880 set thread context of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe |
| PID 1880 set thread context of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe
"C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe"
C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe
"C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe"
C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe
"C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 51.116.180.53:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
Files
memory/1880-54-0x00000000755A1000-0x00000000755A3000-memory.dmp
memory/1784-55-0x00000000000C0000-0x00000000000E0000-memory.dmp
memory/1784-57-0x00000000000C0000-0x00000000000E0000-memory.dmp
memory/1784-64-0x00000000000DA1F8-mapping.dmp
memory/1784-66-0x00000000000C0000-0x00000000000E0000-memory.dmp
memory/1880-68-0x00000000001A0000-0x00000000001D9000-memory.dmp
memory/1880-69-0x0000000000220000-0x0000000000259000-memory.dmp
memory/1460-72-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/1460-79-0x000000000009A1F8-mapping.dmp
memory/1460-81-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/1880-83-0x0000000000260000-0x0000000000280000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-20 13:37
Reported
2022-05-20 14:18
Platform
win10v2004-20220414-en
Max time kernel
152s
Max time network
156s
Command Line
Signatures
Azorult
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2784 set thread context of 3448 | N/A | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe |
| PID 2784 set thread context of 4756 | N/A | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe |
| PID 2784 set thread context of 228 | N/A | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe
"C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe"
C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe
"C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe"
C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe
"C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe"
C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe
"C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.247.210.254:80 | | tcp |
| BE | 67.27.153.254:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
| US | 20.42.65.88:443 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
Files
memory/3448-130-0x0000000000000000-mapping.dmp
memory/3448-131-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3448-139-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2784-140-0x00000000028C0000-0x00000000028F9000-memory.dmp
memory/2784-141-0x00000000041C0000-0x00000000041F9000-memory.dmp
memory/4756-142-0x0000000000000000-mapping.dmp
memory/228-152-0x0000000000000000-mapping.dmp
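In both detonations the SetThreadContext rows show one parent PID (1880 on win7, 2784 on win10) setting the thread context of children that run the same image path, while the Files section lists memory dumps for exactly those child PIDs. That combination (same-image child, WriteProcessMemory, SetThreadContext) is consistent with process hollowing, but the report does not say so, and the tables above are easier to reason about once the PIDs and dump addresses are correlated. The script below is an added example written for this page, not part of the report or of the sandbox that produced it. Its only input is the SetThreadContext rows and the Files lines copied verbatim from the two behavioral sections; the interpretation of the `-mapping.dmp` address as a location inside the injected region is an assumption made here for the offset calculation. Run it and the result for behavioral1 is a single 0x20000-byte region in each injected child (1784 and 1460) with the mapping address at the same offset, 0x1A1F8, inside both; behavioral2 shows the same 0x20000-byte region in PID 3448 at 0x400000, and the parent in both runs also carries a 0x20000-byte region alongside two 0x39000-byte ones. The win10 mapping dumps are named with address 0, so the code treats them as carrying no usable address rather than computing a meaningless offset.

```python
import re
from collections import defaultdict

# Rows copied from the report above: (description, process, target) for each
# "Suspicious use of SetThreadContext" entry, and the Files lines, per run.
IMG = r"C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe"
RUNS = {
    "behavioral1": {
        "set_thread_context": [
            ("PID 1880 set thread context of 1784", IMG, IMG),
            ("PID 1880 set thread context of 1460", IMG, IMG),
        ],
        "files": [
            "memory/1880-54-0x00000000755A1000-0x00000000755A3000-memory.dmp",
            "memory/1784-55-0x00000000000C0000-0x00000000000E0000-memory.dmp",
            "memory/1784-57-0x00000000000C0000-0x00000000000E0000-memory.dmp",
            "memory/1784-64-0x00000000000DA1F8-mapping.dmp",
            "memory/1784-66-0x00000000000C0000-0x00000000000E0000-memory.dmp",
            "memory/1880-68-0x00000000001A0000-0x00000000001D9000-memory.dmp",
            "memory/1880-69-0x0000000000220000-0x0000000000259000-memory.dmp",
            "memory/1460-72-0x0000000000080000-0x00000000000A0000-memory.dmp",
            "memory/1460-79-0x000000000009A1F8-mapping.dmp",
            "memory/1460-81-0x0000000000080000-0x00000000000A0000-memory.dmp",
            "memory/1880-83-0x0000000000260000-0x0000000000280000-memory.dmp",
        ],
    },
    "behavioral2": {
        "set_thread_context": [
            ("PID 2784 set thread context of 3448", IMG, IMG),
            ("PID 2784 set thread context of 4756", IMG, IMG),
            ("PID 2784 set thread context of 228", IMG, IMG),
        ],
        "files": [
            "memory/3448-130-0x0000000000000000-mapping.dmp",
            "memory/3448-131-0x0000000000400000-0x0000000000420000-memory.dmp",
            "memory/3448-139-0x0000000000400000-0x0000000000420000-memory.dmp",
            "memory/2784-140-0x00000000028C0000-0x00000000028F9000-memory.dmp",
            "memory/2784-141-0x00000000041C0000-0x00000000041F9000-memory.dmp",
            "memory/4756-142-0x0000000000000000-mapping.dmp",
            "memory/228-152-0x0000000000000000-mapping.dmp",
        ],
    },
}

HEX = r"[0-9A-Fa-f]+"
DUMP_RE = re.compile(rf"^memory/(?P<pid>\d+)-\d+-0x(?P<start>{HEX})-0x(?P<end>{HEX})-memory\.dmp$")
MAP_RE = re.compile(rf"^memory/(?P<pid>\d+)-\d+-0x(?P<addr>{HEX})-mapping\.dmp$")
CTX_RE = re.compile(r"^PID (?P<src>\d+) set thread context of (?P<dst>\d+)$")


def parse_files(lines):
    """Group the Files section by PID: distinct (start, size) regions and mapping addresses."""
    regions, mappings = defaultdict(set), defaultdict(set)
    for line in lines:
        if m := DUMP_RE.match(line):
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions[int(m["pid"])].add((start, end - start))
        elif m := MAP_RE.match(line):
            mappings[int(m["pid"])].add(int(m["addr"], 16))
    return regions, mappings


def injection_summary(ctx_rows, files):
    """Per SetThreadContext target: source PID, same-image flag, dumped regions,
    mapping address and its offset inside the region that contains it."""
    regions, mappings = parse_files(files)
    out = {}
    for desc, proc, target in ctx_rows:
        m = CTX_RE.match(desc)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        dst_regions = sorted(regions.get(dst, ()))
        # A mapping dump named with address 0 (the win10 run) carries no usable location.
        addrs = sorted(a for a in mappings.get(dst, ()) if a)
        mapping = addrs[0] if addrs else None
        offset = None
        if mapping is not None:
            for start, size in dst_regions:
                if start <= mapping < start + size:
                    offset = mapping - start
                    break
        out[dst] = {"source": src, "self_injection": proc == target,
                    "regions": dst_regions, "mapping": mapping, "mapping_offset": offset}
    return out


def shared_payload_sizes(runs):
    """Region sizes seen in an injected child in every run (the candidate payload size)."""
    sizes = None
    for run in runs.values():
        summary = injection_summary(run["set_thread_context"], run["files"])
        s = {size for info in summary.values() for _, size in info["regions"]}
        sizes = s if sizes is None else sizes & s
    return sizes or set()


if __name__ == "__main__":
    for name, run in RUNS.items():
        print(name)
        for pid, info in injection_summary(run["set_thread_context"], run["files"]).items():
            regs = ", ".join(f"0x{s:X}+0x{n:X}" for s, n in info["regions"]) or "none"
            off = f"0x{info['mapping_offset']:X}" if info["mapping_offset"] is not None else "n/a"
            print(f"  {info['source']} -> {pid} same image={info['self_injection']} "
                  f"regions={regs} mapping offset={off}")
    print("payload size common to both runs:", [hex(s) for s in shared_payload_sizes(RUNS)])
```

The same parser applies to any report in this layout; the useful signal is a region size that recurs across detonations on different platforms and also appears in the parent before the injection, which is what to carve from the dumps first when looking for the unpacked payload.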