Analysis Overview
SHA256
fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a
Threat Level: Known bad
The file fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe was found to be: Known bad.
Malicious Activity Summary
Azorult
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-05-23 01:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-23 01:49
Reported
2022-05-23 01:56
Platform
win7-20220414-en
Max time kernel
73s
Max time network
75s
Command Line
Signatures
Azorult
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1652 set thread context of 1336 | N/A | C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe | C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe
"C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe"
C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe
"C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | e4v5sa.xyz | udp |
| US | 8.8.8.8:53 | e4v5sa.xyz | udp |
Files
memory/1652-54-0x0000000001130000-0x0000000001204000-memory.dmp
memory/1652-55-0x0000000076461000-0x0000000076463000-memory.dmp
memory/1652-56-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1652-57-0x0000000006080000-0x0000000006124000-memory.dmp
memory/1652-58-0x0000000000B20000-0x0000000000B82000-memory.dmp
memory/1336-60-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1336-59-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1336-62-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1336-63-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1336-64-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1336-67-0x000000000041A684-mapping.dmp
memory/1336-66-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1336-69-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1336-71-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-23 01:49
Reported
2022-05-23 01:57
Platform
win10v2004-20220414-en
Max time kernel
104s
Max time network
158s
Command Line
Signatures
Azorult
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3692 set thread context of 3168 | N/A | C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe | C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe
"C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe"
C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe
"C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 209.197.3.8:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 8.8.8.8:53 | e4v5sa.xyz | udp |
| US | 8.8.8.8:53 | e4v5sa.xyz | udp |
Files
memory/3692-130-0x00000000001A0000-0x0000000000274000-memory.dmp
memory/3692-131-0x0000000005220000-0x00000000057C4000-memory.dmp
memory/3692-132-0x0000000004C70000-0x0000000004D02000-memory.dmp
memory/3692-133-0x0000000004D10000-0x0000000004DAC000-memory.dmp
memory/3692-134-0x00000000027D0000-0x00000000027DA000-memory.dmp
memory/3692-135-0x0000000008B50000-0x0000000008BB6000-memory.dmp
memory/3168-136-0x0000000000000000-mapping.dmp
memory/3168-137-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3168-139-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3168-140-0x0000000000400000-0x0000000000420000-memory.dmp