azorult | a2d3d6430f6775951cf988d960cfae4093d7a1e4d0f684ddfffaf4599ace9a71

Resubmissions

18-11-2020 14:18

201118-dj27sn3f52 10

18-11-2020 13:42

201118-1arz86e7w6 10

18-11-2020 13:38

201118-n8jh228ctn 10

Analysis

max time kernel
1800s
max time network
1803s
platform
windows10_x64
resource
win10v20201028
submitted
18-11-2020 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Treasure.Vault.3D.Screensaver.keygen.by.Paradox.bin.exe

Score

10^/10

azorult bootkit evasion infostealer macro persistence spyware stealer trojan upx xlm

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Nirsoft 8 IoCs

resource	yara_rule
behavioral13/files/0x000b00000001abbe-94.dat	Nirsoft
behavioral13/files/0x000b00000001abbe-95.dat	Nirsoft
behavioral13/files/0x000200000001abeb-107.dat	Nirsoft
behavioral13/files/0x000200000001abeb-108.dat	Nirsoft
behavioral13/files/0x000400000001abeb-116.dat	Nirsoft
behavioral13/files/0x000400000001abeb-115.dat	Nirsoft
behavioral13/files/0x000600000001abeb-123.dat	Nirsoft
behavioral13/files/0x000600000001abeb-124.dat	Nirsoft

Executes dropped EXE 20 IoCs

pid	Process
3760	intro.exe
3620	keygen-pr.exe
3104	keygen-step-1.exe
668	keygen-step-3.exe
2616	keygen-step-4.exe
584	key.exe
2356	002.exe
3168	Setup.exe
3012	setup.exe
3240	aliens.exe
1788	jg2_2qua.exe
1784	0B44010BDDEFEFD3.exe
1284	0B44010BDDEFEFD3.exe
608	askinstall21.exe
1708	hjjgaa.exe
336	1605715794918.exe
1516	jfiag3g_gg.exe
4072	1605715811606.exe
3200	1605715820496.exe
912	1605715824981.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

resource	yara_rule
behavioral13/files/0x000100000001abc9-58.dat	office_xlm_macros

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral13/files/0x000c00000001abbe-100.dat	upx
behavioral13/files/0x000c00000001abbe-101.dat	upx

Loads dropped DLL 4 IoCs

pid	Process
3168	Setup.exe
3168	Setup.exe
3168	Setup.exe
2104	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aliens.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg2_2qua.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0B44010BDDEFEFD3.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
57	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	0B44010BDDEFEFD3.exe
File opened for modification	\??\PhysicalDrive0	0B44010BDDEFEFD3.exe
File opened for modification	\??\PhysicalDrive0	aliens.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3240	aliens.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1784 set thread context of 1180	1784	0B44010BDDEFEFD3.exe	112
PID 1784 set thread context of 3256	1784	0B44010BDDEFEFD3.exe	119
PID 1784 set thread context of 2336	1784	0B44010BDDEFEFD3.exe	121
PID 1784 set thread context of 1896	1784	0B44010BDDEFEFD3.exe	123

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\fjkw1lb5cxpb	setup.exe
File created	C:\Program Files (x86)\fjkw1lb5cxpb\__tmp_rar_sfx_access_check_261028328	setup.exe
File created	C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe	setup.exe
File opened for modification	C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	0B44010BDDEFEFD3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	0B44010BDDEFEFD3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	0B44010BDDEFEFD3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	0B44010BDDEFEFD3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	0B44010BDDEFEFD3.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	0B44010BDDEFEFD3.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
496	taskkill.exe
3156	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	aliens.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	aliens.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3056	PING.EXE
2952	PING.EXE
3804	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
336	1605715794918.exe
336	1605715794918.exe
4072	1605715811606.exe
4072	1605715811606.exe
3200	1605715820496.exe
3200	1605715820496.exe
912	1605715824981.exe
912	1605715824981.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1788	jg2_2qua.exe
Token: SeManageVolumePrivilege	1788	jg2_2qua.exe
Token: SeShutdownPrivilege	1932	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1932	msiexec.exe
Token: SeSecurityPrivilege	300	msiexec.exe
Token: SeCreateTokenPrivilege	1932	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1932	msiexec.exe
Token: SeLockMemoryPrivilege	1932	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1932	msiexec.exe
Token: SeMachineAccountPrivilege	1932	msiexec.exe
Token: SeTcbPrivilege	1932	msiexec.exe
Token: SeSecurityPrivilege	1932	msiexec.exe
Token: SeTakeOwnershipPrivilege	1932	msiexec.exe
Token: SeLoadDriverPrivilege	1932	msiexec.exe
Token: SeSystemProfilePrivilege	1932	msiexec.exe
Token: SeSystemtimePrivilege	1932	msiexec.exe
Token: SeProfSingleProcessPrivilege	1932	msiexec.exe
Token: SeIncBasePriorityPrivilege	1932	msiexec.exe
Token: SeCreatePagefilePrivilege	1932	msiexec.exe
Token: SeCreatePermanentPrivilege	1932	msiexec.exe
Token: SeBackupPrivilege	1932	msiexec.exe
Token: SeRestorePrivilege	1932	msiexec.exe
Token: SeShutdownPrivilege	1932	msiexec.exe
Token: SeDebugPrivilege	1932	msiexec.exe
Token: SeAuditPrivilege	1932	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1932	msiexec.exe
Token: SeChangeNotifyPrivilege	1932	msiexec.exe
Token: SeRemoteShutdownPrivilege	1932	msiexec.exe
Token: SeUndockPrivilege	1932	msiexec.exe
Token: SeSyncAgentPrivilege	1932	msiexec.exe
Token: SeEnableDelegationPrivilege	1932	msiexec.exe
Token: SeManageVolumePrivilege	1932	msiexec.exe
Token: SeImpersonatePrivilege	1932	msiexec.exe
Token: SeCreateGlobalPrivilege	1932	msiexec.exe
Token: SeCreateTokenPrivilege	1932	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1932	msiexec.exe
Token: SeLockMemoryPrivilege	1932	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1932	msiexec.exe
Token: SeMachineAccountPrivilege	1932	msiexec.exe
Token: SeTcbPrivilege	1932	msiexec.exe
Token: SeSecurityPrivilege	1932	msiexec.exe
Token: SeTakeOwnershipPrivilege	1932	msiexec.exe
Token: SeLoadDriverPrivilege	1932	msiexec.exe
Token: SeSystemProfilePrivilege	1932	msiexec.exe
Token: SeSystemtimePrivilege	1932	msiexec.exe
Token: SeProfSingleProcessPrivilege	1932	msiexec.exe
Token: SeIncBasePriorityPrivilege	1932	msiexec.exe
Token: SeCreatePagefilePrivilege	1932	msiexec.exe
Token: SeCreatePermanentPrivilege	1932	msiexec.exe
Token: SeBackupPrivilege	1932	msiexec.exe
Token: SeRestorePrivilege	1932	msiexec.exe
Token: SeShutdownPrivilege	1932	msiexec.exe
Token: SeDebugPrivilege	1932	msiexec.exe
Token: SeAuditPrivilege	1932	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1932	msiexec.exe
Token: SeChangeNotifyPrivilege	1932	msiexec.exe
Token: SeRemoteShutdownPrivilege	1932	msiexec.exe
Token: SeUndockPrivilege	1932	msiexec.exe
Token: SeSyncAgentPrivilege	1932	msiexec.exe
Token: SeEnableDelegationPrivilege	1932	msiexec.exe
Token: SeManageVolumePrivilege	1932	msiexec.exe
Token: SeImpersonatePrivilege	1932	msiexec.exe
Token: SeCreateGlobalPrivilege	1932	msiexec.exe
Token: SeCreateTokenPrivilege	1932	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1932	msiexec.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2356	002.exe
2356	002.exe
3168	Setup.exe
3012	setup.exe
3240	aliens.exe
1784	0B44010BDDEFEFD3.exe
1284	0B44010BDDEFEFD3.exe
1180	firefox.exe
336	1605715794918.exe
3256	firefox.exe
4072	1605715811606.exe
2336	firefox.exe
3200	1605715820496.exe
1896	firefox.exe
912	1605715824981.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 812	576	Treasure.Vault.3D.Screensaver.keygen.by.Paradox.bin.exe	78
PID 576 wrote to memory of 812	576	Treasure.Vault.3D.Screensaver.keygen.by.Paradox.bin.exe	78
PID 576 wrote to memory of 812	576	Treasure.Vault.3D.Screensaver.keygen.by.Paradox.bin.exe	78
PID 812 wrote to memory of 3760	812	cmd.exe	81
PID 812 wrote to memory of 3760	812	cmd.exe	81
PID 812 wrote to memory of 3760	812	cmd.exe	81
PID 812 wrote to memory of 3620	812	cmd.exe	82
PID 812 wrote to memory of 3620	812	cmd.exe	82
PID 812 wrote to memory of 3620	812	cmd.exe	82
PID 812 wrote to memory of 3104	812	cmd.exe	83
PID 812 wrote to memory of 3104	812	cmd.exe	83
PID 812 wrote to memory of 3104	812	cmd.exe	83
PID 812 wrote to memory of 668	812	cmd.exe	84
PID 812 wrote to memory of 668	812	cmd.exe	84
PID 812 wrote to memory of 668	812	cmd.exe	84
PID 668 wrote to memory of 3704	668	keygen-step-3.exe	85
PID 668 wrote to memory of 3704	668	keygen-step-3.exe	85
PID 668 wrote to memory of 3704	668	keygen-step-3.exe	85
PID 812 wrote to memory of 2616	812	cmd.exe	87
PID 812 wrote to memory of 2616	812	cmd.exe	87
PID 812 wrote to memory of 2616	812	cmd.exe	87
PID 3704 wrote to memory of 3056	3704	cmd.exe	88
PID 3704 wrote to memory of 3056	3704	cmd.exe	88
PID 3704 wrote to memory of 3056	3704	cmd.exe	88
PID 3620 wrote to memory of 584	3620	keygen-pr.exe	89
PID 3620 wrote to memory of 584	3620	keygen-pr.exe	89
PID 3620 wrote to memory of 584	3620	keygen-pr.exe	89
PID 2616 wrote to memory of 2356	2616	keygen-step-4.exe	90
PID 2616 wrote to memory of 2356	2616	keygen-step-4.exe	90
PID 2616 wrote to memory of 2356	2616	keygen-step-4.exe	90
PID 584 wrote to memory of 1512	584	key.exe	91
PID 584 wrote to memory of 1512	584	key.exe	91
PID 584 wrote to memory of 1512	584	key.exe	91
PID 2616 wrote to memory of 3168	2616	keygen-step-4.exe	92
PID 2616 wrote to memory of 3168	2616	keygen-step-4.exe	92
PID 2616 wrote to memory of 3168	2616	keygen-step-4.exe	92
PID 3168 wrote to memory of 3012	3168	Setup.exe	93
PID 3168 wrote to memory of 3012	3168	Setup.exe	93
PID 3168 wrote to memory of 3012	3168	Setup.exe	93
PID 3012 wrote to memory of 3240	3012	setup.exe	94
PID 3012 wrote to memory of 3240	3012	setup.exe	94
PID 3012 wrote to memory of 3240	3012	setup.exe	94
PID 2616 wrote to memory of 1788	2616	keygen-step-4.exe	95
PID 2616 wrote to memory of 1788	2616	keygen-step-4.exe	95
PID 2616 wrote to memory of 1788	2616	keygen-step-4.exe	95
PID 3240 wrote to memory of 1932	3240	aliens.exe	96
PID 3240 wrote to memory of 1932	3240	aliens.exe	96
PID 3240 wrote to memory of 1932	3240	aliens.exe	96
PID 3240 wrote to memory of 1784	3240	aliens.exe	98
PID 3240 wrote to memory of 1784	3240	aliens.exe	98
PID 3240 wrote to memory of 1784	3240	aliens.exe	98
PID 3240 wrote to memory of 1284	3240	aliens.exe	99
PID 3240 wrote to memory of 1284	3240	aliens.exe	99
PID 3240 wrote to memory of 1284	3240	aliens.exe	99
PID 300 wrote to memory of 2104	300	msiexec.exe	100
PID 300 wrote to memory of 2104	300	msiexec.exe	100
PID 300 wrote to memory of 2104	300	msiexec.exe	100
PID 3240 wrote to memory of 1412	3240	aliens.exe	101
PID 3240 wrote to memory of 1412	3240	aliens.exe	101
PID 3240 wrote to memory of 1412	3240	aliens.exe	101
PID 2616 wrote to memory of 608	2616	keygen-step-4.exe	102
PID 2616 wrote to memory of 608	2616	keygen-step-4.exe	102
PID 2616 wrote to memory of 608	2616	keygen-step-4.exe	102
PID 608 wrote to memory of 2148	608	askinstall21.exe	104

C:\Users\Admin\AppData\Local\Temp\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
    intro.exe 1O5ZF
    3⤵
    - Executes dropped EXE
    PID:3760
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:584
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:1512
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:3104
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3704
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:3056
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\002.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\002.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3168
    - - C:\Users\Admin\AppData\Local\Temp\sibF055.tmp\0\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sibF055.tmp\0\setup.exe" -s
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe
        
        "C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe"
        6⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies system certificate store
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        7⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe 0011 installp1
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1180
        
        C:\Users\Admin\AppData\Roaming\1605715794918.exe
        
        "C:\Users\Admin\AppData\Roaming\1605715794918.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715794918.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:336
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3256
        
        C:\Users\Admin\AppData\Roaming\1605715811606.exe
        
        "C:\Users\Admin\AppData\Roaming\1605715811606.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715811606.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4072
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\1605715820496.exe
        
        "C:\Users\Admin\AppData\Roaming\1605715820496.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715820496.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3200
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1896
        
        C:\Users\Admin\AppData\Roaming\1605715824981.exe
        
        "C:\Users\Admin\AppData\Roaming\1605715824981.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715824981.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe
        
        C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe 200 installp1
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe"
        8⤵
        
        PID:960
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        9⤵
        Runs ping.exe
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe"
        7⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        8⤵
        Runs ping.exe
        
        PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\jg2_2qua.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\jg2_2qua.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall21.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall21.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:608
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:2148
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:496
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\hjjgaa.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\hjjgaa.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1708
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:1516

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:300
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6755AB99041DF176930A5C8D35764B68 C
  2⤵
  - Loads dropped DLL
  PID:2104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/336-96-0x00000000722D0000-0x0000000072363000-memory.dmp

Filesize
588KB

Download
memory/912-125-0x00000000722D0000-0x0000000072363000-memory.dmp

Filesize
588KB

Download
memory/1180-89-0x00007FFC4BBD0000-0x00007FFC4BC4E000-memory.dmp

Filesize
504KB

Download
memory/1180-91-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/1284-82-0x00000000042A0000-0x0000000004751000-memory.dmp

Filesize
4.7MB

Download
memory/1284-65-0x00000000722D0000-0x0000000072363000-memory.dmp

Filesize
588KB

Download
memory/1284-78-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/1784-63-0x00000000722D0000-0x0000000072363000-memory.dmp

Filesize
588KB

Download
memory/1784-83-0x00000000041C0000-0x0000000004671000-memory.dmp

Filesize
4.7MB

Download
memory/1896-120-0x00007FFC4BBD0000-0x00007FFC4BC4E000-memory.dmp

Filesize
504KB

Download
memory/2336-112-0x00007FFC4BBD0000-0x00007FFC4BC4E000-memory.dmp

Filesize
504KB

Download
memory/2356-32-0x0000000010000000-0x00000000100E4000-memory.dmp

Filesize
912KB

Download
memory/3012-48-0x00000000722D0000-0x0000000072363000-memory.dmp

Filesize
588KB

Download
memory/3168-42-0x0000000010C50000-0x0000000010C51000-memory.dmp

Filesize
4KB

Download
memory/3168-44-0x0000000010C70000-0x0000000010C71000-memory.dmp

Filesize
4KB

Download
memory/3168-39-0x0000000070ED0000-0x00000000715BE000-memory.dmp

Filesize
6.9MB

Download
memory/3168-37-0x00000000722D0000-0x0000000072363000-memory.dmp

Filesize
588KB

Download
memory/3200-117-0x00000000722D0000-0x0000000072363000-memory.dmp

Filesize
588KB

Download
memory/3240-52-0x00000000722D0000-0x0000000072363000-memory.dmp

Filesize
588KB

Download
memory/3240-56-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/3256-104-0x00007FFC4BBD0000-0x00007FFC4BC4E000-memory.dmp

Filesize
504KB

Download
memory/4072-109-0x00000000722D0000-0x0000000072363000-memory.dmp

Filesize
588KB

Download