Analysis Overview
SHA256
19f50940507472ca2d33eaf199911ab9c9451e5610e6b55f7ce443b08680ca82
Threat Level: Known bad
The file 19f50940507472ca2d33eaf199911ab9c9451e5610e6b55f7ce443b08680ca82 was found to be: Known bad.
Malicious Activity Summary
Azorult
Suspicious use of SetThreadContext
AutoIT Executable
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-05-20 13:37
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-20 13:37
Reported
2022-05-20 14:24
Platform
win7-20220414-en
Max time kernel
36s
Max time network
41s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\19f50940507472ca2d33eaf199911ab9c9451e5610e6b55f7ce443b08680ca82.zip
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-20 13:37
Reported
2022-05-20 14:26
Platform
win10v2004-20220414-en
Max time kernel
141s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\19f50940507472ca2d33eaf199911ab9c9451e5610e6b55f7ce443b08680ca82.zip
Network
| Country | Destination | Domain | Proto |
| US | 20.42.73.26:443 | | tcp |
| IE | 20.54.110.249:443 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2022-05-20 13:37
Reported
2022-05-20 14:26
Platform
win7-20220414-en
Max time kernel
151s
Max time network
143s
Command Line
Signatures
Azorult
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1948 set thread context of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe |
| PID 1948 set thread context of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
"C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"
C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
"C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"
C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
"C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 51.116.180.53:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
Files
memory/1948-54-0x0000000076721000-0x0000000076723000-memory.dmp
memory/1928-55-0x00000000000C0000-0x00000000000E0000-memory.dmp
memory/1928-57-0x00000000000C0000-0x00000000000E0000-memory.dmp
memory/1928-64-0x00000000000DA1F8-mapping.dmp
memory/1928-66-0x00000000000C0000-0x00000000000E0000-memory.dmp
memory/1948-68-0x0000000000680000-0x00000000006B9000-memory.dmp
memory/1948-69-0x0000000000CE0000-0x0000000000D19000-memory.dmp
memory/1708-72-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/1708-79-0x000000000009A1F8-mapping.dmp
memory/1708-81-0x0000000000080000-0x00000000000A0000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2022-05-20 13:37
Reported
2022-05-20 14:25
Platform
win10v2004-20220414-en
Max time kernel
157s
Max time network
161s
Command Line
Signatures
Azorult
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2852 set thread context of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe |
| PID 2852 set thread context of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe |
| PID 2852 set thread context of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
"C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"
C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
"C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"
C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
"C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"
C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
"C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 51.116.180.53:80 | | tcp |
| US | 104.208.16.89:443 | | tcp |
| NL | 8.238.21.254:80 | | tcp |
| NL | 8.238.21.254:80 | | tcp |
| NL | 8.238.21.254:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
| DE | 51.116.180.53:80 | | tcp |
Files
memory/2852-130-0x0000000000D40000-0x0000000000D79000-memory.dmp
memory/2852-131-0x0000000001330000-0x0000000001369000-memory.dmp
memory/2776-132-0x0000000000000000-mapping.dmp
memory/2776-133-0x0000000000A80000-0x0000000000AA0000-memory.dmp
memory/2776-141-0x0000000000A80000-0x0000000000AA0000-memory.dmp
memory/1324-142-0x0000000000000000-mapping.dmp
memory/1324-143-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1324-151-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2852-152-0x0000000002460000-0x0000000002480000-memory.dmp
memory/4704-153-0x0000000000000000-mapping.dmp
memory/4704-154-0x00000000001D0000-0x00000000001F0000-memory.dmp
memory/4704-162-0x00000000001D0000-0x00000000001F0000-memory.dmp
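Notes on reading behavioral3 and behavioral4 together: in both runs the dropped AutoIT binary spawns copies of itself, then the parent (PID 1948, then PID 2852) sets the thread context of each child while WriteProcessMemory also fires. Every SetThreadContext target is the same image as its injector, every such child has a "-mapping.dmp" in the Files list, and every child's dumped memory range is exactly 0x20000 bytes (for example 0x000C0000-0x000E0000 for PID 1928 and 0x00A80000-0x00AA0000 for PID 2776). That is the shape of process hollowing into a suspended child. On the network side, the runs with no payload execution (behavioral2) and the runs where Azorult fired share no destination; 51.116.180.53:80 is the only one common to both malicious runs and absent from the clean one. The script below, added here as an example and not part of the sandbox vendor's tooling, extracts exactly those correlations from the report text. All input lines are copied from the tables above (constructed test data, not live telemetry); the "-mapping.dmp" convention is taken as it appears in this report, and a destination it flags is a candidate only, since the report labels no domain for it and Windows 10 sandbox runs produce background traffic that must be ruled out before treating an address as C2.

```python
"""Correlate the SetThreadContext, memory-dump and network tables of a sandbox report.

Added example for this page; not the sandbox vendor's tooling. Every input below is
copied from the report above (behavioral2, behavioral3, behavioral4), so it runs offline.
"""
import re
from collections import defaultdict

IMG = r"C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"


def _row(src: int, dst: int) -> str:
    """Rebuild one 'Suspicious use of SetThreadContext' table row as printed in the report."""
    return f"| PID {src} set thread context of {dst} | N/A | {IMG} | {IMG} |"


# SetThreadContext rows of the two runs in which the Azorult signature fired.
SET_THREAD_CONTEXT_ROWS = {
    "behavioral3": [_row(1948, 1928), _row(1948, 1708)],
    "behavioral4": [_row(2852, 2776), _row(2852, 1324), _row(2852, 4704)],
}

# Dump names from the 'Files' sections (parent regions included on purpose).
MEMORY_DUMPS = {
    "behavioral3": [
        "memory/1948-54-0x0000000076721000-0x0000000076723000-memory.dmp",
        "memory/1928-55-0x00000000000C0000-0x00000000000E0000-memory.dmp",
        "memory/1928-64-0x00000000000DA1F8-mapping.dmp",
        "memory/1948-68-0x0000000000680000-0x00000000006B9000-memory.dmp",
        "memory/1708-72-0x0000000000080000-0x00000000000A0000-memory.dmp",
        "memory/1708-79-0x000000000009A1F8-mapping.dmp",
    ],
    "behavioral4": [
        "memory/2852-130-0x0000000000D40000-0x0000000000D79000-memory.dmp",
        "memory/2776-132-0x0000000000000000-mapping.dmp",
        "memory/2776-133-0x0000000000A80000-0x0000000000AA0000-memory.dmp",
        "memory/1324-142-0x0000000000000000-mapping.dmp",
        "memory/1324-143-0x0000000000400000-0x0000000000420000-memory.dmp",
        "memory/4704-153-0x0000000000000000-mapping.dmp",
        "memory/4704-154-0x00000000001D0000-0x00000000001F0000-memory.dmp",
    ],
}

# Destination column of each run's 'Network' table; behavioral1 listed no connections.
NETWORK = {
    "behavioral1": [],
    "behavioral2": ["20.42.73.26:443", "20.54.110.249:443", "87.248.202.1:80", "87.248.202.1:80"],
    "behavioral3": ["51.116.180.53:80"] * 6,
    "behavioral4": ["51.116.180.53:80", "104.208.16.89:443"] + ["8.238.21.254:80"] * 3
    + ["51.116.180.53:80"] * 5,
}
MALICIOUS_RUNS = {"behavioral3", "behavioral4"}  # runs in which the Azorult signature fired

INJECT_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-(0x[0-9A-Fa-f]+)(?:-(0x[0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")


def parse_injections(rows):
    """Yield (source_pid, target_pid, source_image, target_image) for each SetThreadContext row."""
    out = []
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        m = INJECT_RE.search(cells[0])
        if m and len(cells) >= 4:
            out.append((int(m.group(1)), int(m.group(2)), cells[2], cells[3]))
    return out


def hollowing_candidates(rows):
    """Target PIDs whose image equals the injector's: the self-injection shape of process hollowing."""
    return sorted(dst for _src, dst, s_img, d_img in parse_injections(rows) if s_img == d_img)


def mapping_dump_pids(dump_names):
    """PIDs for which the report lists a '-mapping.dmp' (memory mapped into that process)."""
    return sorted({int(m.group(1)) for n in dump_names if (m := DUMP_RE.match(n)) and m.group(4) == "mapping"})


def injected_region_sizes(dump_names, pids):
    """Byte size of every 'memory.dmp' range dumped from the given (injected) PIDs."""
    sizes = defaultdict(set)
    for n in dump_names:
        m = DUMP_RE.match(n)
        if m and m.group(4) == "memory" and m.group(3) and int(m.group(1)) in pids:
            sizes[int(m.group(1))].add(int(m.group(3), 16) - int(m.group(2), 16))
    return {pid: sorted(s) for pid, s in sizes.items()}


def differential_destinations(network, malicious_runs):
    """Destinations seen in every run where the payload fired and in no run where it did not."""
    mal = [set(network[r]) for r in malicious_runs]
    clean = set().union(*(set(v) for r, v in network.items() if r not in malicious_runs))
    return sorted(set.intersection(*mal) - clean)


def summarize(run):
    """Hollowed PIDs, those confirmed by a mapping dump, and the injected region sizes for one run."""
    targets = hollowing_candidates(SET_THREAD_CONTEXT_ROWS[run])
    return {
        "run": run,
        "hollowed_pids": targets,
        "confirmed_by_mapping_dump": sorted(set(targets) & set(mapping_dump_pids(MEMORY_DUMPS[run]))),
        "injected_region_bytes": injected_region_sizes(MEMORY_DUMPS[run], set(targets)),
    }


if __name__ == "__main__":
    for run in sorted(MALICIOUS_RUNS):
        print(summarize(run))
    print("candidate destinations (verify before use):", differential_destinations(NETWORK, MALICIOUS_RUNS))
```

The differential step only works because the corpus contains a run where the payload never executed (behavioral1 and behavioral2, where Explorer merely opened the archive); without such a baseline, every address in the Network tables would look equally suspicious.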