Overview
Resubmissions (3)
submitted          id                 score
18-11-2020 14:18   201118-dj27sn3f52  10
18-11-2020 13:42   201118-1arz86e7w6  10
18-11-2020 13:38   201118-n8jh228ctn  10

Analysis
max time kernel: 1796s
max time network: 1806s
platform: windows10_x64
resource: win10v20201028
submitted: 18-11-2020 14:18
Static task: static1

Behavioral tasks (all run on resource win10v20201028)
behavioral1   2019-09-02_22-41-10.bin.exe
behavioral2   31.bin.exe
behavioral3   3DMark 11 Advanced Edition.bin.exe
behavioral4   Archive.zip__ccacaxs2tbz2t6ob3e.bin.exe
behavioral5   CVE-2018-15982_PoC.swf
behavioral6   DiskInternals_Uneraser_v5_keygen.bin.exe
behavioral7   ForceOp 2.8.7 - By RaiSence.bin.exe
behavioral8   HYDRA.bin.exe
behavioral9   Keygen.bin.exe
behavioral10  LtHv0O2KZDK4M637.bin.exe
behavioral11  OnlineInstaller.bin.exe
behavioral12  Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.bin.exe
behavioral13  Treasure.Vault.3D.Screensaver.keygen.by.Paradox.bin.exe
behavioral14  VyprVPN.exe
behavioral15  WSHSetup[1].bin.exe
behavioral16  api.exe
behavioral17  efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
behavioral18  good.bin.exe
behavioral19  infected dot net installer.bin.exe
behavioral20  update.bin.exe
behavioral21  vir1.xls
behavioral22  xNet.dll
behavioral23  1.bin.exe
behavioral24  VPN/VyprVPN.exe
behavioral25  VPN/xNet.dll
behavioral26  WSHSetup[1].bin.exe
General

Malware Config
Extracted
family: azorult
C2: http://kvaka.li/1210776429.php

Signatures
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Nirsoft (8 IoCs)
resource  yara_rule
behavioral12/files/0x000200000001abaa-85.dat  Nirsoft
behavioral12/files/0x000200000001abaa-84.dat  Nirsoft
behavioral12/files/0x000400000001abaa-95.dat  Nirsoft
behavioral12/files/0x000400000001abaa-94.dat  Nirsoft
behavioral12/files/0x000600000001abaa-102.dat  Nirsoft
behavioral12/files/0x000600000001abaa-103.dat  Nirsoft
behavioral12/files/0x000800000001abaa-109.dat  Nirsoft
behavioral12/files/0x000800000001abaa-110.dat  Nirsoft

Executes dropped EXE (19 IoCs)
pid   Process
3492  intro.exe
3812  keygen-pr.exe
4068  keygen-step-1.exe
2188  keygen-step-4.exe
2376  key.exe
2936  002.exe
568   Setup.exe
1360  setup.exe
1740  aliens.exe
1956  jg2_2qua.exe
156   hjjgaa.exe
1808  jfiag_gg.exe
196   97535F5358BB4449.exe
3484  97535F5358BB4449.exe
3908  jfiag_gg.exe
3168  1605712613892.exe
3592  1605712618157.exe
2264  1605712623267.exe
2192  1605712627142.exe

yara rule office_xlm_macros (Excel 4.0 / XLM macro sheet) (1 IoC)
resource  yara_rule
behavioral12/files/0x000400000001aba4-53.dat  office_xlm_macros

yara rule upx (UPX-packed executable) (4 IoCs)
resource  yara_rule
behavioral12/files/0x000100000001aba6-55.dat  upx
behavioral12/files/0x000100000001aba6-56.dat  upx
behavioral12/files/0x000100000001aba6-76.dat  upx
behavioral12/files/0x000100000001aba6-74.dat  upx

Loads dropped DLL (4 IoCs)
pid   Process
568   Setup.exe
568   Setup.exe
568   Setup.exe
3736  MsiExec.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                                                     Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe"  hjjgaa.exe
The WOW6432Node path is the redirected view a 32-bit process gets when it writes HKLM\...\Run, so on the host this is a machine-wide autostart. The value name kissq and the dropped path Temp\kissq.exe are the IoCs to hunt for.

Checks whether UAC is enabled (4 IoCs)
description        ioc                                                                                     Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  jg2_2qua.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  aliens.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  97535F5358BB4449.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  97535F5358BB4449.exe

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc                    Process
File opened (read-only)  \??\A: ... \??\Z:      msiexec.exe
All 48 rows are msiexec.exe opening a drive root read-only: each of the 24 letters A, B, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y and Z appears exactly twice, and C: and D: do not appear. Both msiexec.exe instances in the process tree (PIDs 596 and 1952) carry this signature; since only the Windows Installer process is involved, this is installer volume enumeration rather than evidence about the dropped binaries themselves.
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
41    ip-api.com

Writes to the Master Boot Record (MBR) (1 TTPs, 3 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                   ioc                 Process
File opened for modification  \??\PhysicalDrive0  97535F5358BB4449.exe
File opened for modification  \??\PhysicalDrive0  97535F5358BB4449.exe
File opened for modification  \??\PhysicalDrive0  aliens.exe
Caveat: the evidence here is a handle to the raw disk device opened with write access; the report does not show a sector write. The same processes also read SCSI disk identification keys (below), which fits hardware fingerprinting as well as MBR tampering, so confirm with raw-write events before treating this as a bootkit.

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid   Process
1740  aliens.exe

Suspicious use of SetThreadContext (4 IoCs)
description                         pid  Process               procid_target
PID 196 set thread context of 2224  196  97535F5358BB4449.exe  106
PID 196 set thread context of 648   196  97535F5358BB4449.exe  113
PID 196 set thread context of 1928  196  97535F5358BB4449.exe  115
PID 196 set thread context of 3612  196  97535F5358BB4449.exe  117
The four targets are the firefox.exe children of PID 196 in the process tree: the dropped binary starts the browser itself and then rewrites a thread context in it, which is the pattern of process hollowing or injection into a browser rather than of a user-launched browser.

Drops file in Program Files directory (4 IoCs)
description                   ioc                                                                              Process
File opened for modification  C:\Program Files (x86)\dz7d9shn0mvi                                              setup.exe
File created                  C:\Program Files (x86)\dz7d9shn0mvi\__tmp_rar_sfx_access_check_261016515         setup.exe
File created                  C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe                                   setup.exe
File opened for modification  C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe                                   setup.exe
The __tmp_rar_sfx_access_check_* file is the write-access probe a WinRAR self-extracting archive creates in its extraction directory, consistent with the RarSFX0/RarSFX1/RarSFX2 temp directories elsewhere in the tree.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 12 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description        ioc                                                                                                              Process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName         97535F5358BB4449.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName  97535F5358BB4449.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000                      97535F5358BB4449.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc           97535F5358BB4449.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName  97535F5358BB4449.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000                      97535F5358BB4449.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc           97535F5358BB4449.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000               97535F5358BB4449.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc    97535F5358BB4449.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName         97535F5358BB4449.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000               97535F5358BB4449.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc    97535F5358BB4449.exe
FriendlyName and DeviceDesc under Enum\SCSI hold the disk and optical drive model strings, which malware compares against virtual-machine vendor names (VBOX, VMware, QEMU); the values seen here (HeartDisk, Sanu DVD-ROM) are the analysis VM's own device names.

Kills process with taskkill (1 IoC)
pid   Process
3356  taskkill.exe
The command line in the process tree is taskkill /f /im chrome.exe. A forced browser kill releases the profile database files (cookies, logins) that the NirSoft-based dumpers in this tree read.

Modifies system certificate store (2 IoCs)
description       ioc                                                                                                                                      Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD                        aliens.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 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  aliens.exe
The key name is the SHA-1 thumbprint of a certificate written into the machine-wide Trusted Root store. A root added there is trusted for every user on the host, so it is a durable IoC; check a suspect machine with certutil -store Root 6C0CE2DD0584C47CAC18839F14055F19FA270CDD and remove the entry if present.

Runs ping.exe (1 TTPs, 3 IoCs)
pid   Process
3820  PING.EXE
484   PING.EXE
836   PING.EXE
All three are ping 127.0.0.1 -n 3 used as a delay in front of a del of the calling binary (see the process tree): the dropped files remove themselves once their child processes are running.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
3908  jfiag_gg.exe (2 rows)
3168  1605712613892.exe (2 rows)
3592  1605712618157.exe (2 rows)
2264  1605712623267.exe (2 rows)
2192  1605712627142.exe (2 rows)
196   97535F5358BB4449.exe (the remaining 54 rows)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description / pid / Process, grouped by process (the report lists them interleaved):
1956  jg2_2qua.exe   Token: SeManageVolumePrivilege (2 rows)
1952  msiexec.exe    Token: SeSecurityPrivilege (1 row)
596   msiexec.exe    Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then the 29-privilege sequence SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, repeated twice, then SeCreateTokenPrivilege once more (61 rows; the listing stops at 64)

Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
596   msiexec.exe

Suspicious use of SetWindowsHookEx (15 IoCs)
pid   Process
2936  002.exe
2936  002.exe
568   Setup.exe
1360  setup.exe
1740  aliens.exe
196   97535F5358BB4449.exe
3484  97535F5358BB4449.exe
2224  firefox.exe
3168  1605712613892.exe
648   firefox.exe
3592  1605712618157.exe
1928  firefox.exe
2264  1605712623267.exe
3612  firefox.exe
2192  1605712627142.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Each parent/child pair is logged three times; the table is capped at 64 rows.
description                          pid   Process                                                    procid_target  rows
PID 504 wrote to memory of 1572      504   Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.bin.exe  79             3
PID 1572 wrote to memory of 3492     1572  cmd.exe                                                   82             3
PID 1572 wrote to memory of 3812     1572  cmd.exe                                                   83             3
PID 1572 wrote to memory of 4068     1572  cmd.exe                                                   84             3
PID 1572 wrote to memory of 2188     1572  cmd.exe                                                   85             3
PID 3812 wrote to memory of 2376     3812  keygen-pr.exe                                             86             3
PID 2188 wrote to memory of 2936     2188  keygen-step-4.exe                                         87             3
PID 2376 wrote to memory of 3084     2376  key.exe                                                   88             3
PID 2188 wrote to memory of 568      2188  keygen-step-4.exe                                         89             3
PID 568 wrote to memory of 1360      568   Setup.exe                                                 90             3
PID 1360 wrote to memory of 1740     1360  setup.exe                                                 91             3
PID 2188 wrote to memory of 1956     2188  keygen-step-4.exe                                         92             3
PID 2188 wrote to memory of 156      2188  keygen-step-4.exe                                         93             3
PID 1740 wrote to memory of 596      1740  aliens.exe                                                94             3
PID 156 wrote to memory of 1808      156   hjjgaa.exe                                                95             3
PID 1952 wrote to memory of 3736     1952  msiexec.exe                                               97             3
PID 1740 wrote to memory of 196      1740  aliens.exe                                                98             3
PID 1740 wrote to memory of 3484     1740  aliens.exe                                                99             3
PID 1740 wrote to memory of 1492     1740  aliens.exe                                                100            3
PID 1492 wrote to memory of 3820     1492  cmd.exe                                                   102            3
PID 156 wrote to memory of 3908      156   hjjgaa.exe                                                103            3
PID 3484 wrote to memory of 3196     3484  97535F5358BB4449.exe                                      104            1
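When these signature tables are copied out of the sandbox report as text, each arrives as one run-together line per signature, with the description phrase at the start of every row as the only delimiter. The following is an added example, not part of the report or of the sandbox's own tooling: a parser that splits such a line into (description, ioc, process) records and then derives the registry value, per-process counts and drive letters from them. The sample lines are constructed from rows shown on this page; the list of description phrases is the set that appears here and would need extending for other signature types.

```python
import re
from collections import Counter

# Description phrases the report uses to start a row. None of these is a
# prefix of another, but keep longer phrases first if the list is extended.
DESCRIPTIONS = [
    "File opened for modification", "File opened (read-only)", "File created",
    "Key value queried", "Key created", "Key opened",
    "Set value (str)", "Set value (data)",
]
_DESC_RE = re.compile("(" + "|".join(re.escape(d) for d in DESCRIPTIONS) + r")\s+")
_HEADER = "description ioc Process"
_DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")      # matches \??\X:

# Constructed sample lines, built from rows shown on this page.
SAMPLE_ROWS = {
    "uac": r"description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg2_2qua.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA aliens.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 97535F5358BB4449.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 97535F5358BB4449.exe -",
    "run_key": r'description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe" hjjgaa.exe -',
    "mbr": r"description ioc Process File opened for modification \??\PhysicalDrive0 97535F5358BB4449.exe File opened for modification \??\PhysicalDrive0 97535F5358BB4449.exe File opened for modification \??\PhysicalDrive0 aliens.exe -",
    "drives": r"description ioc Process File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe -",
}


def parse_rows(line):
    """Split one flattened signature line into (description, ioc, process) records."""
    line = line.strip()
    if line.startswith(_HEADER):
        line = line[len(_HEADER):].strip()
    line = re.sub(r"\s+-$", "", line)           # trailing separator residue
    parts = _DESC_RE.split(line)                # ["", desc1, body1, desc2, body2, ...]
    records = []
    for desc, body in zip(parts[1::2], parts[2::2]):
        # the process name is always the last whitespace-delimited token;
        # everything before it is the IoC, which may itself contain spaces
        ioc, _, proc = body.strip().rpartition(" ")
        records.append({"description": desc, "ioc": ioc, "process": proc})
    return records


def split_value(ioc):
    """Registry rows carry 'path = data'; return (path, data) or (path, None)."""
    path, sep, data = ioc.partition(" = ")
    return path, (data if sep else None)


def by_process(records):
    """Row count per process name, e.g. to see which binary touched a device."""
    return dict(Counter(r["process"] for r in records))


def drive_letters(records):
    """Sorted unique drive letters from rows whose IoC is a \\??\\X: device path."""
    letters = {m.group(1) for r in records
               for m in [_DRIVE_RE.match(r["ioc"])] if m}
    return sorted(letters)


if __name__ == "__main__":
    for name, row in SAMPLE_ROWS.items():
        recs = parse_rows(row)
        print(name, by_process(recs))
        for r in recs:
            print("   ", r["description"], "|", split_value(r["ioc"]), "|", r["process"])
```

The only structural assumption is that a process name never contains a space, which holds for every row on this page; an IoC such as the Run key value, which contains spaces and an embedded path, survives because the split is anchored on the description phrase and the last token rather than on whitespace alone.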
Processes
Depth in brackets; each entry gives the image path, the command line, the PID and the signatures attached to that process.

[1] c:\windows\system32\svchost.exe
    cmd: c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
    PID 724

[1] C:\Users\Admin\AppData\Local\Temp\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.bin.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.bin.exe"
    PID 504 | Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      PID 1572 | Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
        cmd: intro.exe 1O5ZF
        PID 3492 | Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
        cmd: keygen-pr.exe -p83fsase3Ge
        PID 3812 | Executes dropped EXE; Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
          PID 2376 | Executes dropped EXE; Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
            PID 3084
    [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
        cmd: keygen-step-1.exe
        PID 4068 | Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
        cmd: keygen-step-4.exe
        PID 2188 | Executes dropped EXE; Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"
          PID 2936 | Executes dropped EXE; Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
          PID 568 | Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\sibC5AB.tmp\0\setup.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\sibC5AB.tmp\0\setup.exe" -s
            PID 1360 | Executes dropped EXE; Drops file in Program Files directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          [6] C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe
              cmd: "C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"
              PID 1740 | Executes dropped EXE; Checks whether UAC is enabled; Writes to the Master Boot Record (MBR); Suspicious use of NtSetInformationThreadHideFromDebugger; Modifies system certificate store; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\msiexec.exe
                cmd: msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
                PID 596 | Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
            [7] C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe 0011 installp1
                PID 196 | Executes dropped EXE; Checks whether UAC is enabled; Writes to the Master Boot Record (MBR); Suspicious use of SetThreadContext; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
              [8] C:\Program Files\Mozilla Firefox\firefox.exe
                  cmd: "C:\Program Files\Mozilla Firefox\firefox.exe"
                  PID 2224 | Suspicious use of SetWindowsHookEx
              [8] C:\Users\Admin\AppData\Roaming\1605712613892.exe
                  cmd: "C:\Users\Admin\AppData\Roaming\1605712613892.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605712613892.txt"
                  PID 3168 | Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
              [8] C:\Program Files\Mozilla Firefox\firefox.exe
                  cmd: "C:\Program Files\Mozilla Firefox\firefox.exe"
                  PID 648 | Suspicious use of SetWindowsHookEx
              [8] C:\Users\Admin\AppData\Roaming\1605712618157.exe
                  cmd: "C:\Users\Admin\AppData\Roaming\1605712618157.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605712618157.txt"
                  PID 3592 | Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
              [8] C:\Program Files\Mozilla Firefox\firefox.exe
                  cmd: "C:\Program Files\Mozilla Firefox\firefox.exe"
                  PID 1928 | Suspicious use of SetWindowsHookEx
              [8] C:\Users\Admin\AppData\Roaming\1605712623267.exe
                  cmd: "C:\Users\Admin\AppData\Roaming\1605712623267.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605712623267.txt"
                  PID 2264 | Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
              [8] C:\Program Files\Mozilla Firefox\firefox.exe
                  cmd: "C:\Program Files\Mozilla Firefox\firefox.exe"
                  PID 3612 | Suspicious use of SetWindowsHookEx
              [8] C:\Users\Admin\AppData\Roaming\1605712627142.exe
                  cmd: "C:\Users\Admin\AppData\Roaming\1605712627142.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605712627142.txt"
                  PID 2192 | Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
              [8] C:\Windows\SysWOW64\cmd.exe
                  cmd: cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe"
                  PID 3128
                [9] C:\Windows\SysWOW64\PING.EXE
                    cmd: ping 127.0.0.1 -n 3
                    PID 836 | Runs ping.exe
            [7] C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe 200 installp1
                PID 3484 | Executes dropped EXE; Checks whether UAC is enabled; Writes to the Master Boot Record (MBR); Checks SCSI registry key(s); Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\cmd.exe
                  cmd: cmd.exe /c taskkill /f /im chrome.exe
                  PID 3196
                [9] C:\Windows\SysWOW64\taskkill.exe
                    cmd: taskkill /f /im chrome.exe
                    PID 3356 | Kills process with taskkill
              [8] C:\Windows\SysWOW64\cmd.exe
                  cmd: cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe"
                  PID 3044
                [9] C:\Windows\SysWOW64\PING.EXE
                    cmd: ping 127.0.0.1 -n 3
                    PID 484 | Runs ping.exe
            [7] C:\Windows\SysWOW64\cmd.exe
                cmd: cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"
                PID 1492 | Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\PING.EXE
                  cmd: ping 127.0.0.1 -n 3
                  PID 3820 | Runs ping.exe
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"
          PID 1956 | Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
          PID 156 | Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
            PID 1808 | Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
            PID 3908 | Executes dropped EXE; Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\system32\msiexec.exe
    cmd: C:\Windows\system32\msiexec.exe /V
    PID 1952 | Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  [2] C:\Windows\syswow64\MsiExec.exe
      cmd: C:\Windows\syswow64\MsiExec.exe -Embedding 27AD2F3A7B2FF1081911C15976B15B2A C
      PID 3736 | Loads dropped DLL
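The tree above is what the sandbox draws for you; on a real host you have process-creation events and have to rebuild it. The following is an added example, not part of the report or of the sandbox's tooling, that reconstructs parent/child lineage from (pid, ppid, image, command line) records and flags the three command-line patterns this report shows: ping to localhost used as a delay before deleting an ancestor's own image, a forced kill of a browser, and NirSoft-style save switches (/scookiestxt and /sjson appear on this page; the other /s* switches in the pattern are an assumption about the same tool family). The records are a hand-built sample that keeps the report's PIDs and command lines plus one benign svchost.exe row.

```python
import re

# Constructed sample modelled on this report's process tree, as
# (pid, ppid, image, command line). Hand-built for the example, not sandbox
# output; PIDs and command lines are the ones the report lists, and the
# svchost.exe row is a benign control that must not be flagged.
EVENTS = [
    (724, 0, r"c:\windows\system32\svchost.exe",
     r"c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay"),
    (504, 0, r"C:\Users\Admin\AppData\Local\Temp\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.bin.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.bin.exe"'),
    (1572, 504, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "'),
    (2188, 1572, r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe", "keygen-step-4.exe"),
    (568, 2188, r"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"'),
    (1360, 568, r"C:\Users\Admin\AppData\Local\Temp\sibC5AB.tmp\0\setup.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\sibC5AB.tmp\0\setup.exe" -s'),
    (1740, 1360, r"C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe",
     r'"C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"'),
    (3484, 1740, r"C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe",
     r"C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe 200 installp1"),
    (3196, 3484, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c taskkill /f /im chrome.exe"),
    (3356, 3196, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im chrome.exe"),
    (3044, 3484, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe"'),
    (484, 3044, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 3"),
    (156, 2188, r"C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"'),
    (1808, 156, r"C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe",
     r"C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt"),
]

# ping to localhost as a sleep, then del of an optionally quoted target
SELF_DELETE = re.compile(
    r'ping\s+127\.0\.0\.1[^&]*&\s*del\s+(?:/\w+\s+)*"?([^"&]+?)"?\s*$', re.I)
BROWSER_KILL = re.compile(
    r'taskkill\b.*?\s/im\s+(chrome|firefox|msedge|iexplore|opera)\.exe', re.I)
# /scookiestxt and /sjson are on the page; the remaining switches are an
# assumed list of save switches from the same NirSoft tool family
NIRSOFT_SAVE = re.compile(r'\s/s(cookiestxt|json|text|comma|html|xml)\b', re.I)


def build_tree(events):
    """Map pid -> ppid and pid -> image path."""
    parent = {pid: ppid for pid, ppid, _, _ in events}
    image = {pid: img for pid, _, img, _ in events}
    return parent, image


def ancestors(pid, parent):
    """Yield ancestor PIDs nearest first; stop at an unknown parent or a cycle."""
    seen = {pid}
    while parent.get(pid) in parent and parent[pid] not in seen:
        pid = parent[pid]
        seen.add(pid)
        yield pid


def root_of(pid, parent):
    """Top-most known ancestor, i.e. the process that started the chain."""
    root = pid
    for anc in ancestors(pid, parent):
        root = anc
    return root


def detect(events):
    """Return one finding dict per matched rule, each carrying the chain root."""
    parent, image = build_tree(events)
    findings = []
    for pid, _, _, cmd in events:
        root = root_of(pid, parent)
        m = SELF_DELETE.search(cmd)
        if m:
            target = m.group(1).strip()
            # self-deletion proper: the file being removed is an ancestor's own image
            owner = next((a for a in ancestors(pid, parent)
                          if image[a].lower() == target.lower()), None)
            findings.append({"pid": pid, "rule": "ping_delay_delete",
                             "target": target, "deletes_image_of": owner, "root": root})
        m = BROWSER_KILL.search(cmd)
        if m:
            findings.append({"pid": pid, "rule": "browser_kill",
                             "browser": m.group(1).lower(), "root": root})
        if NIRSOFT_SAVE.search(cmd):
            findings.append({"pid": pid, "rule": "nirsoft_save_switch", "root": root})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

Every finding resolves to root 504, the keygen the user ran, which is the pivot an analyst needs: the deletion command, the browser kill and the cookie dump are issued by different binaries several levels apart, and only the lineage ties them to one origin. The self-deletion check deliberately requires the del target to equal an ancestor's image path, so a cleanup script that removes an unrelated temp file is reported with deletes_image_of set to None rather than as self-deletion.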