Overview
overview
10Static
static
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
9ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
Analysis
-
max time kernel
1797s -
max time network
1811s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
20-11-2020 14:34
Static task
static1
Behavioral task
behavioral1
Sample
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.exe.dll
Resource
win10v20201028
Behavioral task
behavioral2
Sample
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
0di3x.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
2019-09-02_22-41-10.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
2c01b007729230c415420ad641ad92eb.exe
Resource
win10v20201028
Behavioral task
behavioral6
Sample
31.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v20201028
Behavioral task
behavioral8
Sample
42f972925508a82236e8533567487761.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v20201028
Behavioral task
behavioral10
Sample
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Resource
win10v20201028
Behavioral task
behavioral12
Sample
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.exe.dll
Resource
win10v20201028
Behavioral task
behavioral14
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
Behavioral task
behavioral16
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral17
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v20201028
Behavioral task
behavioral18
Sample
HYDRA.exe
Resource
win10v20201028
Behavioral task
behavioral19
Sample
KLwC6vii.exe
Resource
win10v20201028
Behavioral task
behavioral20
Sample
Keygen.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral22
Sample
LtHv0O2KZDK4M637.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win10v20201028
Behavioral task
behavioral24
Sample
OnlineInstaller.exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10v20201028
Behavioral task
behavioral27
Sample
SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869.dll
Resource
win10v20201028
Behavioral task
behavioral28
Sample
SecurityTaskManager_Setup.exe
Resource
win10v20201028
Behavioral task
behavioral29
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral30
Sample
VyprVPN.exe
Resource
win10v20201028
Behavioral task
behavioral31
Sample
WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral32
Sample
Yard.dll
Resource
win10v20201028
General
Malware Config
Extracted
azorult
http://195.245.112.115/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
pid Process 188 ozchgftrq.exe 1512 ozchgftrq.exe 1304 ozchgftrq.exe -
Loads dropped DLL 3 IoCs
pid Process 1304 ozchgftrq.exe 1304 ozchgftrq.exe 1304 ozchgftrq.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 424 set thread context of 2268 424 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe 79 PID 188 set thread context of 1304 188 ozchgftrq.exe 81 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ozchgftrq.exe -
Kills process with taskkill 1 IoCs
pid Process 1324 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 188 ozchgftrq.exe 188 ozchgftrq.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 424 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe Token: SeDebugPrivilege 188 ozchgftrq.exe Token: SeDebugPrivilege 1324 taskkill.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 424 wrote to memory of 188 424 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe 78 PID 424 wrote to memory of 188 424 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe 78 PID 424 wrote to memory of 188 424 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe 78 PID 424 wrote to memory of 2268 424 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe 79 PID 424 wrote to memory of 2268 424 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe 79 PID 424 wrote to memory of 2268 424 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe 79 PID 424 wrote to memory of 2268 424 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe 79 PID 424 wrote to memory of 2268 424 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe 79 PID 424 wrote to memory of 2268 424 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe 79 PID 424 wrote to memory of 2268 424 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe 79 PID 424 wrote to memory of 2268 424 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe 79 PID 424 wrote to memory of 2268 424 0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe 79 PID 188 wrote to memory of 1512 188 ozchgftrq.exe 80 PID 188 wrote to memory of 1512 188 ozchgftrq.exe 80 PID 188 wrote to memory of 1512 188 ozchgftrq.exe 80 PID 188 wrote to memory of 1304 188 ozchgftrq.exe 81 PID 188 wrote to memory of 1304 188 ozchgftrq.exe 81 PID 188 wrote to memory of 1304 188 ozchgftrq.exe 81 PID 188 wrote to memory of 1304 188 ozchgftrq.exe 81 PID 188 wrote to memory of 1304 188 ozchgftrq.exe 81 PID 188 wrote to memory of 1304 188 ozchgftrq.exe 81 PID 188 wrote to memory of 1304 188 ozchgftrq.exe 81 PID 188 wrote to memory of 1304 188 ozchgftrq.exe 81 PID 188 wrote to memory of 1304 188 ozchgftrq.exe 81 PID 1304 wrote to memory of 580 1304 ozchgftrq.exe 82 PID 1304 wrote to memory of 580 1304 ozchgftrq.exe 82 PID 1304 wrote to memory of 580 1304 ozchgftrq.exe 82 PID 580 wrote to memory of 1324 580 cmd.exe 84 PID 580 wrote to memory of 1324 580 cmd.exe 84 PID 580 wrote to memory of 1324 580 cmd.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe"C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:424 -
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:188 -
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"{path}"3⤵
- Executes dropped EXE
PID:1512
-
-
C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"{path}"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 1304 & erase C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe & RD /S /Q C:\\ProgramData\\566008868267324\\* & exit4⤵
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 13045⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1324
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe"{path}"2⤵PID:2268
-