Analysis Overview
SHA256
3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b
Threat Level: Known bad
The file 3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe was found to be: Known bad.
Malicious Activity Summary
Azorult
Executes dropped EXE
Loads dropped DLL
Program crash
Enumerates physical storage devices
NSIS installer
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-23 01:49
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-23 01:49
Reported
2022-05-23 01:57
Platform
win7-20220414-en
Max time kernel
41s
Max time network
47s
Command Line
Signatures
Azorult
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ucxgm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ucxgm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ucxgm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ucxgm.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe
"C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe"
C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\joszbi
C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\joszbi
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 120
Network
Files
memory/812-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp
\Users\Admin\AppData\Local\Temp\ucxgm.exe
| MD5 | 78673699f5e78cf7ecfbb9ef42f3cc20 |
| SHA1 | 7d1a1e230a595a3249f70871dfca54c1c7e6bb3e |
| SHA256 | 85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838 |
| SHA512 | 1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016 |
memory/1008-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
| MD5 | 78673699f5e78cf7ecfbb9ef42f3cc20 |
| SHA1 | 7d1a1e230a595a3249f70871dfca54c1c7e6bb3e |
| SHA256 | 85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838 |
| SHA512 | 1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016 |
C:\Users\Admin\AppData\Local\Temp\joszbi
| MD5 | a5a523f60a17756e61e17ba513ff59d1 |
| SHA1 | d03b444c7c2d4ffb34d483427e69ec2116d90951 |
| SHA256 | 5519ce10c332d304d521a15d902d84e2feac7827a148284713402de837fd4755 |
| SHA512 | 99af33e2deb545c902c8663a67643b18ae2ee09924c8dee23c4ed93a6ff55305c020e3fd4e2d3781144450b14468c08799a3c59dfd1151893ec1a7e8352ef08d |
C:\Users\Admin\AppData\Local\Temp\jqrvq39gj49la
| MD5 | 664cb163be98c1035799694e2585cb16 |
| SHA1 | 30984822dc25b065f6476557361396282906c551 |
| SHA256 | 466b28f6c18c530ac94410a111fe1feb84b2363b03831cb3e39af96d37ad56cd |
| SHA512 | e723882a67c072413357da1d9950a363ffcdb38fd1554cfede3acc75a16b6b78497a736fed7c32a5b8431a4ce591d3610da561ebbfee03ce04d6661e32612985 |
\Users\Admin\AppData\Local\Temp\ucxgm.exe
| MD5 | 78673699f5e78cf7ecfbb9ef42f3cc20 |
| SHA1 | 7d1a1e230a595a3249f70871dfca54c1c7e6bb3e |
| SHA256 | 85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838 |
| SHA512 | 1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016 |
C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
| MD5 | 78673699f5e78cf7ecfbb9ef42f3cc20 |
| SHA1 | 7d1a1e230a595a3249f70871dfca54c1c7e6bb3e |
| SHA256 | 85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838 |
| SHA512 | 1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016 |
memory/1336-63-0x0000000000000000-mapping.dmp
memory/1336-65-0x0000000000080000-0x00000000000A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
| MD5 | 78673699f5e78cf7ecfbb9ef42f3cc20 |
| SHA1 | 7d1a1e230a595a3249f70871dfca54c1c7e6bb3e |
| SHA256 | 85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838 |
| SHA512 | 1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016 |
memory/1336-67-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/1336-70-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/1328-71-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\ucxgm.exe
| MD5 | 78673699f5e78cf7ecfbb9ef42f3cc20 |
| SHA1 | 7d1a1e230a595a3249f70871dfca54c1c7e6bb3e |
| SHA256 | 85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838 |
| SHA512 | 1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016 |
\Users\Admin\AppData\Local\Temp\ucxgm.exe
| MD5 | 78673699f5e78cf7ecfbb9ef42f3cc20 |
| SHA1 | 7d1a1e230a595a3249f70871dfca54c1c7e6bb3e |
| SHA256 | 85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838 |
| SHA512 | 1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016 |
\Users\Admin\AppData\Local\Temp\ucxgm.exe
| MD5 | 78673699f5e78cf7ecfbb9ef42f3cc20 |
| SHA1 | 7d1a1e230a595a3249f70871dfca54c1c7e6bb3e |
| SHA256 | 85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838 |
| SHA512 | 1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-23 01:49
Reported
2022-05-23 01:58
Platform
win10v2004-20220414-en
Max time kernel
105s
Max time network
183s
Command Line
Signatures
Azorult
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ucxgm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ucxgm.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe
"C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe"
C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\joszbi
C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\joszbi
Network
| Country | Destination | Domain | Proto |
| FR | 2.18.109.224:443 | | tcp |
| US | 104.18.24.243:80 | | tcp |
| AU | 104.46.162.226:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| DE | 89.43.107.198:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| DE | 89.43.107.198:80 | | tcp |
Files
memory/3924-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
| MD5 | 78673699f5e78cf7ecfbb9ef42f3cc20 |
| SHA1 | 7d1a1e230a595a3249f70871dfca54c1c7e6bb3e |
| SHA256 | 85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838 |
| SHA512 | 1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016 |
C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
| MD5 | 78673699f5e78cf7ecfbb9ef42f3cc20 |
| SHA1 | 7d1a1e230a595a3249f70871dfca54c1c7e6bb3e |
| SHA256 | 85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838 |
| SHA512 | 1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016 |
C:\Users\Admin\AppData\Local\Temp\joszbi
| MD5 | a5a523f60a17756e61e17ba513ff59d1 |
| SHA1 | d03b444c7c2d4ffb34d483427e69ec2116d90951 |
| SHA256 | 5519ce10c332d304d521a15d902d84e2feac7827a148284713402de837fd4755 |
| SHA512 | 99af33e2deb545c902c8663a67643b18ae2ee09924c8dee23c4ed93a6ff55305c020e3fd4e2d3781144450b14468c08799a3c59dfd1151893ec1a7e8352ef08d |
C:\Users\Admin\AppData\Local\Temp\jqrvq39gj49la
| MD5 | 664cb163be98c1035799694e2585cb16 |
| SHA1 | 30984822dc25b065f6476557361396282906c551 |
| SHA256 | 466b28f6c18c530ac94410a111fe1feb84b2363b03831cb3e39af96d37ad56cd |
| SHA512 | e723882a67c072413357da1d9950a363ffcdb38fd1554cfede3acc75a16b6b78497a736fed7c32a5b8431a4ce591d3610da561ebbfee03ce04d6661e32612985 |
memory/4552-135-0x0000000000000000-mapping.dmp
memory/4552-137-0x0000000000C80000-0x0000000000CA0000-memory.dmp
memory/4552-139-0x0000000000C80000-0x0000000000CA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
| MD5 | 78673699f5e78cf7ecfbb9ef42f3cc20 |
| SHA1 | 7d1a1e230a595a3249f70871dfca54c1c7e6bb3e |
| SHA256 | 85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838 |
| SHA512 | 1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016 |
memory/4552-142-0x0000000000C80000-0x0000000000CA0000-memory.dmp