Analysis Overview
SHA256
67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126
Threat Level: Known bad
The file 67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe was found to be: Known bad.
Malicious Activity Summary
Azorult
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-23 01:49
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-23 01:49
Reported
2022-05-23 01:57
Platform
win10v2004-20220414-en
Max time kernel
119s
Max time network
153s
Command Line
Signatures
Azorult
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibjyf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibjyf.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe
"C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe"
C:\Users\Admin\AppData\Local\Temp\ibjyf.exe
C:\Users\Admin\AppData\Local\Temp\ibjyf.exe C:\Users\Admin\AppData\Local\Temp\zjpvfl
C:\Users\Admin\AppData\Local\Temp\ibjyf.exe
C:\Users\Admin\AppData\Local\Temp\ibjyf.exe C:\Users\Admin\AppData\Local\Temp\zjpvfl
Network
| Country | Destination | Domain | Proto |
| NL | 2.56.59.31:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| NL | 2.56.59.31:80 | | tcp |
| NL | 88.221.144.179:80 | | tcp |
| US | 20.42.73.25:443 | | tcp |
| NL | 104.97.14.81:80 | | tcp |
| NL | 104.97.14.81:80 | | tcp |
| NL | 104.97.14.81:80 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| US | 104.18.24.243:80 | | tcp |
Files
memory/1560-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ibjyf.exe
| MD5 | 3ce2e03927cfb19ced6be0d1a4df16b9 |
| SHA1 | 67812421bfad08fa0d0ec9a6fa7341cab5687860 |
| SHA256 | 23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa |
| SHA512 | 0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc |
C:\Users\Admin\AppData\Local\Temp\zjpvfl
| MD5 | ad4a34c660bd08739bde04685d83743c |
| SHA1 | 8930ea55e26562c033dca1c6aab8d50fb4bf786b |
| SHA256 | 584c5e9c39032e13e4a22e10f6810c5a16eebd4e6176b7b10f60125de48946e2 |
| SHA512 | ecd73bd232804a7940e2c211923fe504ff0ad857456f9cb68ebb0c164ead9f9c475c38c784a383461059dc355b7977d18b18078320332b32d2b99f7822351f4f |
C:\Users\Admin\AppData\Local\Temp\3rvv473x9d9doywn24w0
| MD5 | d68efd53b46be72c468deb58e648d035 |
| SHA1 | 2f7ce2bd0076bf6530905ee8863a93eed5feab56 |
| SHA256 | e9db77d19a967335c3408db51f4c693cf663ed1d4c5c4f193b6d0bafe9049af5 |
| SHA512 | ec67672126fcf2a47ae4b845396121185c35791a6c5b024c33162ab0370f70fa6e7e101897c083b09b6c95ab36bf977abdb9f04e9cfbec4b98fff1c80c842c57 |
memory/2012-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ibjyf.exe
| MD5 | 3ce2e03927cfb19ced6be0d1a4df16b9 |
| SHA1 | 67812421bfad08fa0d0ec9a6fa7341cab5687860 |
| SHA256 | 23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa |
| SHA512 | 0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc |
memory/2012-137-0x0000000001320000-0x0000000001340000-memory.dmp
memory/2012-139-0x0000000001320000-0x0000000001340000-memory.dmp
memory/2012-142-0x0000000001320000-0x0000000001340000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-23 01:49
Reported
2022-05-23 01:57
Platform
win7-20220414-en
Max time kernel
39s
Max time network
45s
Command Line
Signatures
Azorult
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibjyf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibjyf.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ibjyf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ibjyf.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe
"C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe"
C:\Users\Admin\AppData\Local\Temp\ibjyf.exe
C:\Users\Admin\AppData\Local\Temp\ibjyf.exe C:\Users\Admin\AppData\Local\Temp\zjpvfl
C:\Users\Admin\AppData\Local\Temp\ibjyf.exe
C:\Users\Admin\AppData\Local\Temp\ibjyf.exe C:\Users\Admin\AppData\Local\Temp\zjpvfl
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 120
Network
Files
memory/1004-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp
\Users\Admin\AppData\Local\Temp\ibjyf.exe
| MD5 | 3ce2e03927cfb19ced6be0d1a4df16b9 |
| SHA1 | 67812421bfad08fa0d0ec9a6fa7341cab5687860 |
| SHA256 | 23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa |
| SHA512 | 0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc |
memory/1516-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ibjyf.exe
| MD5 | 3ce2e03927cfb19ced6be0d1a4df16b9 |
| SHA1 | 67812421bfad08fa0d0ec9a6fa7341cab5687860 |
| SHA256 | 23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa |
| SHA512 | 0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc |
C:\Users\Admin\AppData\Local\Temp\zjpvfl
| MD5 | ad4a34c660bd08739bde04685d83743c |
| SHA1 | 8930ea55e26562c033dca1c6aab8d50fb4bf786b |
| SHA256 | 584c5e9c39032e13e4a22e10f6810c5a16eebd4e6176b7b10f60125de48946e2 |
| SHA512 | ecd73bd232804a7940e2c211923fe504ff0ad857456f9cb68ebb0c164ead9f9c475c38c784a383461059dc355b7977d18b18078320332b32d2b99f7822351f4f |
C:\Users\Admin\AppData\Local\Temp\3rvv473x9d9doywn24w0
| MD5 | d68efd53b46be72c468deb58e648d035 |
| SHA1 | 2f7ce2bd0076bf6530905ee8863a93eed5feab56 |
| SHA256 | e9db77d19a967335c3408db51f4c693cf663ed1d4c5c4f193b6d0bafe9049af5 |
| SHA512 | ec67672126fcf2a47ae4b845396121185c35791a6c5b024c33162ab0370f70fa6e7e101897c083b09b6c95ab36bf977abdb9f04e9cfbec4b98fff1c80c842c57 |
\Users\Admin\AppData\Local\Temp\ibjyf.exe
| MD5 | 3ce2e03927cfb19ced6be0d1a4df16b9 |
| SHA1 | 67812421bfad08fa0d0ec9a6fa7341cab5687860 |
| SHA256 | 23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa |
| SHA512 | 0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc |
C:\Users\Admin\AppData\Local\Temp\ibjyf.exe
| MD5 | 3ce2e03927cfb19ced6be0d1a4df16b9 |
| SHA1 | 67812421bfad08fa0d0ec9a6fa7341cab5687860 |
| SHA256 | 23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa |
| SHA512 | 0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc |
memory/1652-65-0x0000000000180000-0x00000000001A0000-memory.dmp
memory/1652-67-0x0000000000180000-0x00000000001A0000-memory.dmp
memory/1652-70-0x0000000000180000-0x00000000001A0000-memory.dmp
memory/1652-63-0x0000000000000000-mapping.dmp
memory/2000-71-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\ibjyf.exe
| MD5 | 3ce2e03927cfb19ced6be0d1a4df16b9 |
| SHA1 | 67812421bfad08fa0d0ec9a6fa7341cab5687860 |
| SHA256 | 23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa |
| SHA512 | 0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc |