Analysis Overview
SHA256
b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a
Threat Level: Known bad
The file b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe was found to be: Known bad.
Malicious Activity Summary
Azorult
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-23 01:49
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
No description, indicator, process or target was recorded for this signature in the static stage.
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-23 01:49
Reported
2022-05-23 01:57
Platform
win7-20220414-en
Max time kernel
32s
Max time network
48s
Command Line
Signatures
Azorult
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe | "C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe" |
| C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe | C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml |
| C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe | C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 120 |
The dropped loader ufzxfyzp.exe runs twice with the same command line, taking the extensionless dropped file qdsxhjzcml as its only argument. WerFault's -p 2024 names the crashed process; the Program crash signature attributes that crash to ufzxfyzp.exe, and the memory/2024-* dumps listed under Files come from the same process.
Network
No connections are listed for this run.
Files
Dropped files (each listed once; the raw report repeats ufzxfyzp.exe under both \Users\... and C:\Users\... with identical hashes)
C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
| MD5 | 1398f625da2ce1ea75874863a150ed27 |
| SHA1 | 36f3466a87ba1d195658d4fda7dc724b7ccfbca5 |
| SHA256 | 7ef9f09ed7edff46712175015049a0afa8d366ce7d11fcc3fe00105a645e909f |
| SHA512 | b40cc8bec833c5806aa078a248c82f9a8cf9bee99eb821c90ee1de71ffb4a47dbc34a360cfab39cf573e5572a61c83d842780c626ae0a0fe2c3519fe06a3f22e |
C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml
| MD5 | d794073cea5c25016fc9e10d9d561d3b |
| SHA1 | 0a864adb3a08b19cbadb52f70281c1a48ef62a90 |
| SHA256 | 850731e6c213f62dc30227a97ebe8eb699f7dbeb5df8161b3842a8f7b16f10f2 |
| SHA512 | cc4664f3bdb3a4a1f8a9b764d74d251c3148875ba7d6bb975a1bde0f3a648dc91ca9ff8279a1ae4e60b22c1d021cafbb35973ea0259a5a7027cfdb7d0df7972b |
C:\Users\Admin\AppData\Local\Temp\n29e5gb99yuq5sya
| MD5 | 664dc99256a895e016c2a583aa186011 |
| SHA1 | d543975302871a614057d02e12c3531698c0b706 |
| SHA256 | 67f7b33425bc7a7788d817712b9b73642e2c7402130e795b2d7384cf9839b939 |
| SHA512 | 37799fb22e33cb30370f19801e8b8bf9c0b8b94ef72ce394b02d0d6f689b923945be8e287b6cc438f0572a83ed389d9e5a50b487f724810b8599ed35e8cd2f39 |
Memory dumps
memory/1432-54-0x0000000076C81000-0x0000000076C83000-memory.dmp
memory/1984-56-0x0000000000000000-mapping.dmp
memory/2024-62-0x0000000000000000-mapping.dmp
memory/2024-64-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2024-66-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/2024-69-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/1248-70-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-23 01:49
Reported
2022-05-23 01:57
Platform
win10v2004-20220414-en
Max time kernel
95s
Max time network
104s
Command Line
Signatures
Azorult
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
"C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe"
C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml
C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| DE | 89.43.107.198:80 | | tcp |
| DE | 89.43.107.198:80 | | tcp |
| US | 52.109.8.19:443 | | tcp |
| US | 20.189.173.14:443 | | tcp |
No domain was recorded for any connection, and the report does not identify which destination, if any, is the Azorult command-and-control server.
Files
Dropped files (each listed once; the raw report repeats ufzxfyzp.exe with identical hashes)
C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
| MD5 | 1398f625da2ce1ea75874863a150ed27 |
| SHA1 | 36f3466a87ba1d195658d4fda7dc724b7ccfbca5 |
| SHA256 | 7ef9f09ed7edff46712175015049a0afa8d366ce7d11fcc3fe00105a645e909f |
| SHA512 | b40cc8bec833c5806aa078a248c82f9a8cf9bee99eb821c90ee1de71ffb4a47dbc34a360cfab39cf573e5572a61c83d842780c626ae0a0fe2c3519fe06a3f22e |
C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml
| MD5 | d794073cea5c25016fc9e10d9d561d3b |
| SHA1 | 0a864adb3a08b19cbadb52f70281c1a48ef62a90 |
| SHA256 | 850731e6c213f62dc30227a97ebe8eb699f7dbeb5df8161b3842a8f7b16f10f2 |
| SHA512 | cc4664f3bdb3a4a1f8a9b764d74d251c3148875ba7d6bb975a1bde0f3a648dc91ca9ff8279a1ae4e60b22c1d021cafbb35973ea0259a5a7027cfdb7d0df7972b |
C:\Users\Admin\AppData\Local\Temp\n29e5gb99yuq5sya
| MD5 | 664dc99256a895e016c2a583aa186011 |
| SHA1 | d543975302871a614057d02e12c3531698c0b706 |
| SHA256 | 67f7b33425bc7a7788d817712b9b73642e2c7402130e795b2d7384cf9839b939 |
| SHA512 | 37799fb22e33cb30370f19801e8b8bf9c0b8b94ef72ce394b02d0d6f689b923945be8e287b6cc438f0572a83ed389d9e5a50b487f724810b8599ed35e8cd2f39 |
Memory dumps
memory/2628-130-0x0000000000000000-mapping.dmp
memory/2844-135-0x0000000000000000-mapping.dmp
memory/2844-137-0x00000000007E0000-0x0000000000800000-memory.dmp
memory/2844-139-0x00000000007E0000-0x0000000000800000-memory.dmp
memory/2844-142-0x00000000007E0000-0x0000000000800000-memory.dmp
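The following is an added example and not part of the sandbox report: a Python matcher that turns the hashes, the dropped-loader command line and the network destinations from the two behavioral runs above into indicators and runs them over constructed, Sysmon-like telemetry records. The event-dict shape, the name-length bounds in the command-line pattern and the self-respawn rule (inferred from the two identical ufzxfyzp.exe entries together with the WriteProcessMemory signature) are assumptions made for this example. Because the report does not say which destination is the C2, network hits are reported at low confidence.

```python
"""IOC and behaviour matcher derived from the sandbox report above.

Added example, not part of the report. Indicators are copied from the
Files, Processes and Network sections; telemetry records are constructed
for this example and are not real log output.
"""
import re
from dataclasses import dataclass

# Hashes copied from the Files sections of behavioral1/behavioral2.
SHA256_IOCS = {
    "b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a": "submitted NSIS dropper",
    "7ef9f09ed7edff46712175015049a0afa8d366ce7d11fcc3fe00105a645e909f": "dropped loader ufzxfyzp.exe",
    "850731e6c213f62dc30227a97ebe8eb699f7dbeb5df8161b3842a8f7b16f10f2": "dropped file qdsxhjzcml",
    "67f7b33425bc7a7788d817712b9b73642e2c7402130e795b2d7384cf9839b939": "dropped file n29e5gb99yuq5sya",
}
MD5_IOCS = {
    "1398f625da2ce1ea75874863a150ed27": "dropped loader ufzxfyzp.exe",
    "d794073cea5c25016fc9e10d9d561d3b": "dropped file qdsxhjzcml",
    "664dc99256a895e016c2a583aa186011": "dropped file n29e5gb99yuq5sya",
}
# Destinations from behavioral2's Network table. The report does not say
# which of them is the Azorult C2, so these are low-confidence review items.
NET_IOCS = {"93.184.220.29", "89.43.107.198", "52.109.8.19", "20.189.173.14"}

# Behavioural pattern from the Processes sections: a random-named EXE in
# %TEMP% started with an extensionless random-named sibling file as its only
# argument. The name-length bounds are an assumption generalised from the one
# sample (ufzxfyzp / qdsxhjzcml); the report does not state them.
TEMP = r"[A-Za-z]:\\Users\\[^\\\s]+\\AppData\\Local\\Temp\\"
LOADER_CMD_RE = re.compile(
    r'^"?(?P<exe>' + TEMP + r'(?P<name>[a-z]{6,12})\.exe)"?\s+'
    r'(?P<arg>' + TEMP + r'[a-z0-9]{8,20})\s*$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    confidence: str  # "high", "medium" or "low"
    rule: str
    detail: str


def scan(events):
    """Return a list of Finding for a list of telemetry dicts.

    Supported event shapes (constructed for this example):
      {"type": "file", "path": ..., "sha256": ..., "md5": ...}
      {"type": "process", "pid": int, "parent_image": ..., "image": ..., "cmdline": ...}
      {"type": "net", "pid": int, "dst_ip": ...}
    """
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "file":
            # Exact hash match against the report's dropped files: high confidence.
            for algo, table in (("sha256", SHA256_IOCS), ("md5", MD5_IOCS)):
                h = (ev.get(algo) or "").lower()
                if h in table:
                    findings.append(Finding("high", f"hash:{algo}", f"{ev['path']} is {table[h]}"))
        elif kind == "process":
            cmd = ev.get("cmdline", "")
            m = LOADER_CMD_RE.match(cmd)
            if m:
                findings.append(Finding("medium", "temp-loader-cmdline", f"pid {ev.get('pid')}: {cmd}"))
                # Assumed from the two identical ufzxfyzp.exe entries plus the
                # WriteProcessMemory signature: the loader starts a copy of itself.
                if ev.get("parent_image", "").lower() == ev.get("image", "").lower():
                    findings.append(Finding("medium", "self-respawn",
                                            f"pid {ev.get('pid')}: {ev['image']} started by itself"))
        elif kind == "net":
            if ev.get("dst_ip") in NET_IOCS:
                findings.append(Finding("low", "net-ioc", f"pid {ev.get('pid')} -> {ev['dst_ip']}"))
    return findings


# Constructed telemetry resembling the behavioral2 run; not real log output.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe",
     "sha256": "7ef9f09ed7edff46712175015049a0afa8d366ce7d11fcc3fe00105a645e909f",
     "md5": "1398f625da2ce1ea75874863a150ed27"},
    {"type": "file", "path": r"C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml",
     "sha256": "850731e6c213f62dc30227a97ebe8eb699f7dbeb5df8161b3842a8f7b16f10f2",
     "md5": "d794073cea5c25016fc9e10d9d561d3b"},
    {"type": "process", "pid": 2628,
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml"},
    {"type": "process", "pid": 2844,
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml"},
    # Benign control record: must produce no finding.
    {"type": "process", "pid": 3100, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": r'"C:\Program Files\Notepad++\notepad++.exe" C:\Users\Admin\notes.txt'},
    {"type": "net", "pid": 2844, "dst_ip": "89.43.107.198"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.confidence}] {f.rule}: {f.detail}")
```

Run against the constructed records this yields eight findings: four high-confidence hash hits (SHA256 and MD5 for each of the two dropped files), the loader command line for both ufzxfyzp.exe instances, the self-respawn of the second instance, and one low-confidence network hit; the Notepad++ control record produces nothing. In a real deployment the hash tier is the only one safe to alert on by itself; the command-line tier should be tuned against legitimate installers that also stage files under %TEMP%.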