Analysis Overview
SHA256
2dd59713bdfc82e98cb5dd6cff53b44006e5e110d13dc71ec779590b03da2d68
Threat Level: Known bad
The file 2dd59713bdfc82e98cb5dd6cff53b44006e5e110d13dc71ec779590b03da2d68 was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE AZORult Variant.4 Checkin M2
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M5
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M13
Azorult
AutoIT Executable
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-05-20 15:33
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-20 15:33
Reported
2022-05-20 16:32
Platform
win7-20220414-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Azorult
suricata: ET MALWARE AZORult Variant.4 Checkin M2
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M5
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
Network
| Country | Destination | Domain | Proto |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
Files
memory/1564-54-0x0000000075CD1000-0x0000000075CD3000-memory.dmp
memory/904-55-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/904-57-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/904-64-0x000000000009A1F8-mapping.dmp
memory/904-66-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/1564-68-0x0000000000180000-0x00000000001B9000-memory.dmp
memory/1564-69-0x0000000000670000-0x00000000006A9000-memory.dmp
memory/1180-79-0x000000000009A1F8-mapping.dmp
memory/268-92-0x000000000009A1F8-mapping.dmp
memory/1448-105-0x000000000009A1F8-mapping.dmp
memory/1564-109-0x0000000003910000-0x0000000003A32000-memory.dmp
memory/1004-119-0x000000000009A1F8-mapping.dmp
memory/1236-132-0x000000000009A1F8-mapping.dmp
memory/2008-145-0x000000000009A1F8-mapping.dmp
memory/468-158-0x000000000009A1F8-mapping.dmp
memory/1624-171-0x000000000041A1F8-mapping.dmp
memory/836-184-0x000000000009A1F8-mapping.dmp
memory/956-197-0x000000000009A1F8-mapping.dmp
memory/1720-210-0x000000000009A1F8-mapping.dmp
memory/1512-223-0x000000000009A1F8-mapping.dmp
memory/848-236-0x000000000009A1F8-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-20 15:33
Reported
2022-05-20 16:33
Platform
win10v2004-20220414-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Azorult
suricata: ET MALWARE AZORult Variant.4 Checkin M2
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M13
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
| C:\Users\Admin\AppData\Local\Temp\Order Specification.exe | "C:\Users\Admin\AppData\Local\Temp\Order Specification.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 52.109.12.20:443 | | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 40.125.122.151:443 | | tcp |
| DE | 217.160.170.24:80 | | tcp |
| US | 8.238.111.254:80 | | tcp |
| GB | 51.105.71.136:443 | | tcp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| DE | 217.160.170.24:80 | | tcp |
| US | 8.238.111.254:80 | | tcp |
| US | 8.238.111.254:80 | | tcp |
| US | 8.238.111.254:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
Files
memory/4476-130-0x0000000000000000-mapping.dmp
memory/4476-131-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4476-139-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1512-140-0x0000000000DE0000-0x0000000000E19000-memory.dmp
memory/1512-141-0x0000000000EB0000-0x0000000000EE9000-memory.dmp
memory/3088-142-0x0000000000000000-mapping.dmp
memory/4872-152-0x0000000000000000-mapping.dmp
memory/1112-162-0x0000000000000000-mapping.dmp
memory/1112-163-0x00000000003B0000-0x00000000003D0000-memory.dmp
memory/1112-171-0x00000000003B0000-0x00000000003D0000-memory.dmp
memory/1512-172-0x00000000009B0000-0x00000000009D0000-memory.dmp
memory/3580-173-0x0000000000000000-mapping.dmp
memory/448-183-0x0000000000000000-mapping.dmp
memory/448-184-0x00000000003C0000-0x00000000003E0000-memory.dmp
memory/448-192-0x00000000003C0000-0x00000000003E0000-memory.dmp
memory/2632-193-0x0000000000000000-mapping.dmp
memory/2816-203-0x0000000000000000-mapping.dmp
memory/1796-213-0x0000000000000000-mapping.dmp
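The two detonations above already give enough to pivot on without the binary. The Python below is an added example, not output of the sandbox or part of this report: it copies the Network rows and a subset of the memory artefact names from this page, repairs the win10 rows whose empty Domain cell was dropped during extraction, and applies three triage heuristics that are this example's own assumptions. First, the destination contacted on both the win7 and the win10 image is the C2 candidate, since OS update and telemetry noise differs between images. Second, the region size shared by the most PIDs is the payload written into each re-spawned copy of Order Specification.exe, which is what the WriteProcessMemory and SetThreadContext signatures together with the repeated self-launches suggest. Third, because Windows image bases are 64 KiB-aligned, the low 16 bits of the address in a mapping.dmp name survive relocation and can be used as a base-independent fingerprint. The report does not define what that mapping address is; the example assumes it is the address the sandbox associated with the injected mapping, and it skips the win10 entries, which record 0x0 there.

```python
"""Triage helpers over the two detonations above: added example, not sandbox
output. Rows and dump names are copied from the report (dumps: a subset);
the parsing and the heuristics are this example's own assumptions."""
import re
from collections import defaultdict

# Network rows copied from the report; behavioral1 repeats its only row 14 times.
# Some win10 rows lost their empty Domain cell, so 'tcp' sits in column three.
NETWORK_B1 = """
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
"""
NETWORK_B2 = """
| US | 52.109.12.20:443 | tcp | |
| DE | 217.160.170.24:80 | 217.160.170.24 | tcp |
| US | 93.184.220.29:80 | tcp | |
| DE | 217.160.170.24:80 | tcp | |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| US | 204.79.197.203:80 | tcp | |
"""
# Memory artefacts copied from the report (subset); 1564 and 1512 hold the
# 0x39000-byte regions no other PID has and are assumed to be the parents.
DUMPS_B1 = """
memory/904-55-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/904-64-0x000000000009A1F8-mapping.dmp
memory/1564-68-0x0000000000180000-0x00000000001B9000-memory.dmp
memory/1180-79-0x000000000009A1F8-mapping.dmp
memory/1624-171-0x000000000041A1F8-mapping.dmp
"""
DUMPS_B2 = """
memory/4476-130-0x0000000000000000-mapping.dmp
memory/4476-131-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1512-140-0x0000000000DE0000-0x0000000000E19000-memory.dmp
memory/1112-163-0x00000000003B0000-0x00000000003D0000-memory.dmp
memory/1512-172-0x00000000009B0000-0x00000000009D0000-memory.dmp
memory/448-184-0x00000000003C0000-0x00000000003E0000-memory.dmp
"""
PROTOS = {"tcp", "udp"}
REGION_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
MAPPING_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp")

def parse_network(table):
    """(country, destination, domain, proto) per row; rows whose empty
    Domain cell was dropped (protocol in column three) are repaired."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, col3, col4 = cells
        if col3 in PROTOS and col4 == "":
            col3, col4 = "", col3
        rows.append((country, dest, col3, col4))
    return rows

def common_destinations(*tables):
    """Destinations present in every detonation. Heuristic: update and
    telemetry noise differs between the win7 and win10 images, C2 does not."""
    return set.intersection(*({r[1] for r in parse_network(t)} for t in tables))

def parse_dumps(listing):
    """pid -> [(start, end)] from region dumps and pid -> address from
    mapping dumps; behavioral2 records 0x0 there, which is skipped."""
    regions, mappings = defaultdict(list), {}
    for name in listing.split():
        m = REGION_RE.fullmatch(name)
        if m:
            regions[int(m[1])].append((int(m[2], 16), int(m[3], 16)))
        m = MAPPING_RE.fullmatch(name)
        if m and int(m[2], 16):
            mappings[int(m[1])] = int(m[2], 16)
    return regions, mappings

def payload_size(*listings):
    """(size, holders) for the region size shared by the most processes
    across all detonations: the same blob written into every fresh child."""
    by_size = defaultdict(set)
    for i, listing in enumerate(listings):
        for pid, rs in parse_dumps(listing)[0].items():
            for start, end in rs:
                by_size[end - start].add((i, pid))  # PIDs repeat across runs
    size, holders = max(by_size.items(), key=lambda kv: len(kv[1]))
    return size, len(holders)

def entry_rva(regions, mappings):
    """pid -> offset of the mapping address inside that pid's region."""
    return {pid: addr - s for pid, addr in mappings.items()
            for s, e in regions.get(pid, ()) if s <= addr < e}

def entry_fingerprint(mappings):
    """Low 16 bits of each mapping address. Image bases are 64 KiB-aligned
    (Windows allocation granularity), so 0x9A1F8 (PID 904) and 0x41A1F8
    (PID 1624) agree even though the images sit at different bases."""
    return {addr & 0xFFFF for addr in mappings.values()}

if __name__ == "__main__":
    print("C2 candidate:", common_destinations(NETWORK_B1, NETWORK_B2))
    print("payload size, holders:", payload_size(DUMPS_B1, DUMPS_B2))
    r1, m1 = parse_dumps(DUMPS_B1)
    print("entry RVA:", {p: hex(v) for p, v in entry_rva(r1, m1).items()},
          "fingerprint:", {hex(f) for f in entry_fingerprint(m1)})
```

Run as-is it reports 217.160.170.24:80 as the only destination common to both runs, a 0x20000-byte region held by five processes across the two detonations, an entry offset of 0x1A1F8 inside PID 904's region and the base-independent fingerprint 0xA1F8. The win10 run contributes nothing to the last two values because its mapping names carry 0x0, but its region dumps still show the same 0x20000 size in PIDs 4476, 1112, 448 and 1512, so the size-based pivot works across both platforms.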