Overview
Analysis
- Max time kernel: 235s
- Max time network: 286s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 18-11-2020 15:58
Static task: static1
Behavioral tasks (all run on resource win10v20201028):
- behavioral1: 1.bin/1.bin.exe
- behavioral2: 2019-09-02_22-41-10.exe
- behavioral3: 31.exe
- behavioral4: 3DMark 11 Advanced Edition.exe
- behavioral5: Archive.zip__ccacaxs2tbz2t6ob3e.exe
- behavioral6: CVE-2018-15982_PoC.swf
- behavioral7: CVWSHSetup[1].bin/WSHSetup[1].exe
- behavioral8: DiskInternals_Uneraser_v5_keygen.exe
- behavioral9: ForceOp 2.8.7 - By RaiSence.exe
- behavioral10: HYDRA.exe
- behavioral11: Keygen.exe
- behavioral12: Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
- behavioral13: LtHv0O2KZDK4M637.exe
- behavioral14: OnlineInstaller.exe
- behavioral15: Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
- behavioral16: Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
- behavioral17: VyprVPN.exe
- behavioral18: WSHSetup[1].exe
- behavioral19: api.exe
- behavioral20: efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
- behavioral21: good.exe
- behavioral22: infected dot net installer.exe
- behavioral23: update.exe
- behavioral24: vir1.xls
- behavioral25: xNet.dll
General
Malware Config
Extracted
azorult
http://kvaka.li/1210776429.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Nirsoft (8 IoCs)
  yara_rule Nirsoft matched on:
  behavioral15/files/0x000300000001abe6-77.dat
  behavioral15/files/0x000300000001abe6-78.dat
  behavioral15/files/0x000200000001ac07-95.dat
  behavioral15/files/0x000200000001ac07-94.dat
  behavioral15/files/0x000400000001ac07-102.dat
  behavioral15/files/0x000400000001ac07-103.dat
  behavioral15/files/0x000600000001ac07-111.dat
  behavioral15/files/0x000600000001ac07-110.dat
- Executes dropped EXE (21 IoCs)
  pid / process:
  1532 intro.exe
  1176 keygen-pr.exe
  3376 keygen-step-1.exe
  2260 keygen-step-4.exe
  3660 key.exe
  1612 002.exe
  392 Setup.exe
  1344 setup.exe
  3732 aliens.exe
  3828 jg2_2qua.exe
  2152 97535F5358BB4449.exe
  2796 97535F5358BB4449.exe
  1404 1605719246877.exe
  3928 hjjgaa.exe
  3388 jfiag_gg.exe
  1328 1605719251924.exe
  2192 1605719258783.exe
  3904 1605719261580.exe
  4076 jfiag_gg.exe
  3212 CBBEDF528F97C51A.exe
  2292 CBBEDF528F97C51A.tmp
- yara_rule office_xlm_macros matched on:
  behavioral15/files/0x000100000001abe1-54.dat
- yara_rule upx matched on:
  behavioral15/files/0x000600000001abe0-87.dat
  behavioral15/files/0x000600000001abe0-86.dat
  behavioral15/files/0x000600000001abe0-132.dat
  behavioral15/files/0x000600000001abe0-131.dat
- Loads dropped DLL (4 IoCs)
  pid / process:
  392 Setup.exe
  392 Setup.exe
  392 Setup.exe
  184 MsiExec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe" by hjjgaa.exe
- Checks whether UAC is enabled
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by aliens.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by jg2_2qua.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by 97535F5358BB4449.exe
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by 97535F5358BB4449.exe
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 46: ip-api.com
- Writes to the Master Boot Record (MBR) (1 TTPs, 3 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification \??\PhysicalDrive0 by 97535F5358BB4449.exe
  File opened for modification \??\PhysicalDrive0 by aliens.exe
  File opened for modification \??\PhysicalDrive0 by 97535F5358BB4449.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  3732 aliens.exe
- Suspicious use of SetThreadContext (4 IoCs)
  PID 2152 (97535F5358BB4449.exe) set thread context of PID 744 (procid_target 100)
  PID 2152 (97535F5358BB4449.exe) set thread context of PID 3832 (procid_target 111)
  PID 2152 (97535F5358BB4449.exe) set thread context of PID 1396 (procid_target 113)
  PID 2152 (97535F5358BB4449.exe) set thread context of PID 3364 (procid_target 115)
- Drops file in Program Files directory (4 IoCs)
  File opened for modification C:\Program Files (x86)\dz7d9shn0mvi by setup.exe
  File created C:\Program Files (x86)\dz7d9shn0mvi\__tmp_rar_sfx_access_check_259424125 by setup.exe
  File created C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe by setup.exe
  File opened for modification C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe by setup.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 12 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  All by 97535F5358BB4449.exe:
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc
- Kills process with taskkill (1 IoCs)
  2256 taskkill.exe
- Modifies system certificate store
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD by aliens.exe
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = (certificate blob omitted) by aliens.exe
- Runs ping.exe (1 TTPs, 3 IoCs)
  2760 PING.EXE
  3244 PING.EXE
  2984 PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  2828 msiexec.exe
- Suspicious use of SetWindowsHookEx (15 IoCs)
  pid / process:
  1612 002.exe
  1612 002.exe
  392 Setup.exe
  1344 setup.exe
  3732 aliens.exe
  2152 97535F5358BB4449.exe
  2796 97535F5358BB4449.exe
  744 firefox.exe
  1404 1605719246877.exe
  3832 firefox.exe
  1328 1605719251924.exe
  1396 firefox.exe
  2192 1605719258783.exe
  3364 firefox.exe
  3904 1605719261580.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- [PID 708] c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
  - [PID 3212] C:\Windows\TEMP\CBBEDF528F97C51A.exe
    Signatures: Executes dropped EXE
    - [PID 2292] "C:\Users\Admin\AppData\Local\Temp\is-AAAM3.tmp\CBBEDF528F97C51A.tmp" /SL5="$B005A,761193,121344,C:\Windows\TEMP\CBBEDF528F97C51A.exe"
      Signatures: Executes dropped EXE
- [PID 412] "C:\Users\Admin\AppData\Local\Temp\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - [PID 212] C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" " (image C:\Windows\SysWOW64\cmd.exe)
    Signatures: Suspicious use of WriteProcessMemory
    - [PID 1532] intro.exe 1O5ZF (image C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe)
      Signatures: Executes dropped EXE
    - [PID 1176] keygen-pr.exe -p83fsase3Ge (image C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe)
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - [PID 3660] "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        - [PID 3716] C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
    - [PID 3376] keygen-step-1.exe (image C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe)
      Signatures: Executes dropped EXE
    - [PID 2260] keygen-step-4.exe (image C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe)
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - [PID 1612] "C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      - [PID 392] "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - [PID 1344] "C:\Users\Admin\AppData\Local\Temp\sib7609.tmp\0\setup.exe" -s
          Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - [PID 3732] "C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"
            Signatures: Executes dropped EXE; Checks whether UAC is enabled; Writes to the Master Boot Record (MBR); Suspicious use of NtSetInformationThreadHideFromDebugger; Modifies system certificate store; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            - [PID 2828] msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi" (image C:\Windows\SysWOW64\msiexec.exe)
              Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
            - [PID 2152] C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe 0011 installp1
              Signatures: Executes dropped EXE; Checks whether UAC is enabled; Writes to the Master Boot Record (MBR); Suspicious use of SetThreadContext; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
              - [PID 744] "C:\Program Files\Mozilla Firefox\firefox.exe"
                Signatures: Suspicious use of SetWindowsHookEx
              - [PID 1404] "C:\Users\Admin\AppData\Roaming\1605719246877.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605719246877.txt"
                Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
              - [PID 3832] "C:\Program Files\Mozilla Firefox\firefox.exe"
                Signatures: Suspicious use of SetWindowsHookEx
              - [PID 1328] "C:\Users\Admin\AppData\Roaming\1605719251924.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605719251924.txt"
                Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
              - [PID 1396] "C:\Program Files\Mozilla Firefox\firefox.exe"
                Signatures: Suspicious use of SetWindowsHookEx
              - [PID 2192] "C:\Users\Admin\AppData\Roaming\1605719258783.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605719258783.txt"
                Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
              - [PID 3364] "C:\Program Files\Mozilla Firefox\firefox.exe"
                Signatures: Suspicious use of SetWindowsHookEx
              - [PID 3904] "C:\Users\Admin\AppData\Roaming\1605719261580.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605719261580.txt"
                Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
              - [PID 4056] cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe" (image C:\Windows\SysWOW64\cmd.exe)
                - [PID 2984] ping 127.0.0.1 -n 3 (image C:\Windows\SysWOW64\PING.EXE)
                  Signatures: Runs ping.exe
            - [PID 2796] C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe 200 installp1
              Signatures: Executes dropped EXE; Checks whether UAC is enabled; Writes to the Master Boot Record (MBR); Checks SCSI registry key(s); Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
              - [PID 1784] cmd.exe /c taskkill /f /im chrome.exe (image C:\Windows\SysWOW64\cmd.exe)
                Signatures: Suspicious use of WriteProcessMemory
                - [PID 2256] taskkill /f /im chrome.exe (image C:\Windows\SysWOW64\taskkill.exe)
                  Signatures: Kills process with taskkill
              - [PID 2140] cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\97535F5358BB4449.exe" (image C:\Windows\SysWOW64\cmd.exe)
                - [PID 3244] ping 127.0.0.1 -n 3 (image C:\Windows\SysWOW64\PING.EXE)
                  Signatures: Runs ping.exe
            - [PID 580] cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe" (image C:\Windows\SysWOW64\cmd.exe)
              Signatures: Suspicious use of WriteProcessMemory
              - [PID 2760] ping 127.0.0.1 -n 3 (image C:\Windows\SysWOW64\PING.EXE)
                Signatures: Runs ping.exe
      - [PID 3828] "C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"
        Signatures: Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of AdjustPrivilegeToken
      - [PID 3928] "C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
        Signatures: Executes dropped EXE; Adds Run key to start application
        - [PID 3388] C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
          Signatures: Executes dropped EXE
        - [PID 4076] C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
          Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
- [PID 2784] C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [PID 184] C:\Windows\syswow64\MsiExec.exe -Embedding 7426A0D026358E411E95742ACF6B6044 C
    Signatures: Loads dropped DLL