Analysis Overview
SHA256
37aa3833c138e4863d8df4066521ad81b920c5801663d7e7c9da8487f684db79
Threat Level: Known bad
The file 37aa3833c138e4863d8df4066521ad81b920c5801663d7e7c9da8487f684db79.exe was found to be: Known bad.
Malicious Activity Summary
Azorult
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-23 01:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-23 01:49
Reported
2022-05-23 01:57
Platform
win7-20220414-en
Max time kernel
51s
Max time network
55s
Command Line
Signatures
Azorult
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaven = "\"C:\\Users\\Admin\\AppData\\Local\\heaven.exe\"" | C:\Users\Admin\AppData\Local\Temp\37aa3833c138e4863d8df4066521ad81b920c5801663d7e7c9da8487f684db79.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 112 set thread context of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\37aa3833c138e4863d8df4066521ad81b920c5801663d7e7c9da8487f684db79.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\37aa3833c138e4863d8df4066521ad81b920c5801663d7e7c9da8487f684db79.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\37aa3833c138e4863d8df4066521ad81b920c5801663d7e7c9da8487f684db79.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\37aa3833c138e4863d8df4066521ad81b920c5801663d7e7c9da8487f684db79.exe
"C:\Users\Admin\AppData\Local\Temp\37aa3833c138e4863d8df4066521ad81b920c5801663d7e7c9da8487f684db79.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAJwAsACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAGgAZQBhAHYAZQBuAC4AZQB4AGUAJwA=
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bl1we4t.xyz | udp |
| US | 8.8.8.8:53 | bl1we4t.xyz | udp |
Files
memory/112-54-0x00000000010B0000-0x0000000001220000-memory.dmp
memory/112-55-0x0000000075451000-0x0000000075453000-memory.dmp
memory/112-56-0x0000000005C20000-0x0000000005D88000-memory.dmp
memory/1704-57-0x0000000000000000-mapping.dmp
memory/1704-59-0x000000006FA00000-0x000000006FFAB000-memory.dmp
memory/112-60-0x0000000004B40000-0x0000000004B78000-memory.dmp
memory/1144-61-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1144-62-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1144-64-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1144-65-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1144-66-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1144-68-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1144-69-0x000000000041A684-mapping.dmp
memory/1144-71-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1144-73-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-23 01:49
Reported
2022-05-23 01:57
Platform
win10v2004-20220414-en
Max time kernel
91s
Max time network
158s
Command Line
Signatures
Azorult
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\37aa3833c138e4863d8df4066521ad81b920c5801663d7e7c9da8487f684db79.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heaven = "\"C:\\Users\\Admin\\AppData\\Local\\heaven.exe\"" | C:\Users\Admin\AppData\Local\Temp\37aa3833c138e4863d8df4066521ad81b920c5801663d7e7c9da8487f684db79.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3472 set thread context of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\37aa3833c138e4863d8df4066521ad81b920c5801663d7e7c9da8487f684db79.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\37aa3833c138e4863d8df4066521ad81b920c5801663d7e7c9da8487f684db79.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\37aa3833c138e4863d8df4066521ad81b920c5801663d7e7c9da8487f684db79.exe
"C:\Users\Admin\AppData\Local\Temp\37aa3833c138e4863d8df4066521ad81b920c5801663d7e7c9da8487f684db79.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAJwAsACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAGgAZQBhAHYAZQBuAC4AZQB4AGUAJwA=
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.248.21.254:80 | | tcp |
| US | 8.248.21.254:80 | | tcp |
| US | 8.8.8.8:53 | bl1we4t.xyz | udp |
| US | 8.8.8.8:53 | bl1we4t.xyz | udp |
| IE | 13.69.239.72:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.248.21.254:80 | | tcp |
| US | 8.248.21.254:80 | | tcp |
| US | 8.248.21.254:80 | | tcp |
Files
memory/3472-130-0x0000000000430000-0x00000000005A0000-memory.dmp
memory/3472-131-0x0000000005530000-0x0000000005AD4000-memory.dmp
memory/3472-132-0x0000000004F80000-0x0000000005012000-memory.dmp
memory/3472-133-0x0000000004F40000-0x0000000004F4A000-memory.dmp
memory/4816-134-0x0000000000000000-mapping.dmp
memory/4816-135-0x0000000002700000-0x0000000002736000-memory.dmp
memory/4816-136-0x0000000004EF0000-0x0000000005518000-memory.dmp
memory/4816-137-0x0000000004C00000-0x0000000004C22000-memory.dmp
memory/4816-138-0x0000000005520000-0x0000000005586000-memory.dmp
memory/4816-139-0x0000000005680000-0x00000000056E6000-memory.dmp
memory/4816-140-0x0000000005CE0000-0x0000000005CFE000-memory.dmp
memory/4816-141-0x00000000062A0000-0x00000000062D2000-memory.dmp
memory/4816-142-0x000000006FB00000-0x000000006FB4C000-memory.dmp
memory/4816-143-0x0000000006280000-0x000000000629E000-memory.dmp
memory/4816-144-0x0000000007630000-0x0000000007CAA000-memory.dmp
memory/4816-145-0x0000000006FE0000-0x0000000006FFA000-memory.dmp
memory/4816-146-0x0000000007050000-0x000000000705A000-memory.dmp
memory/4816-147-0x0000000007260000-0x00000000072F6000-memory.dmp
memory/4816-148-0x0000000007210000-0x000000000721E000-memory.dmp
memory/4816-149-0x0000000007320000-0x000000000733A000-memory.dmp
memory/4816-150-0x0000000007300000-0x0000000007308000-memory.dmp
memory/3516-151-0x0000000000000000-mapping.dmp
memory/4860-152-0x0000000000000000-mapping.dmp
memory/4860-153-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4860-155-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4860-156-0x0000000000400000-0x0000000000420000-memory.dmp