Analysis
-
max time kernel
38s -
max time network
62s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
15-02-2021 09:59
Static task
static1
Behavioral task
behavioral1
Sample
pass 12345...Kepserverex_5_5_14_493_crack_by_CORE.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
pass 12345...Kepserverex_5_5_14_493_crack_by_CORE.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
pass 12345...Kepserverex_5_5_14_493_crack_by_CORE.exe
Resource
win7v20201028
Behavioral task
behavioral4
Sample
pass 12345...Kepserverex_5_5_14_493_crack_by_CORE.exe
Resource
win10v20201028
General
-
Target
pass 12345...Kepserverex_5_5_14_493_crack_by_CORE.exe
-
Size
9.0MB
-
MD5
10a7ec6eec9d29e7cf84477015651b65
-
SHA1
c6b132ff8919f5da4959d68b5a9cf86919ccebee
-
SHA256
a252756f1326333e8587740cfecad63d80ffd26dd49d6b9699d685fb5096b730
-
SHA512
34c53db9f782e6899004673c3c531b58aacc2153554fd2ca06b47d80d21f8d536912f4ec7f7336738e24b034f5a567b32cf99015ee8c01259902b63a86722aaa
Malware Config
Extracted
azorult
http://kvaka.li/1210776429.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Nirsoft 4 IoCs
resource yara_rule behavioral4/files/0x000100000001ab4b-64.dat Nirsoft behavioral4/files/0x000100000001ab4b-65.dat Nirsoft behavioral4/files/0x000100000001ab74-78.dat Nirsoft behavioral4/files/0x000100000001ab74-77.dat Nirsoft -
Executes dropped EXE 16 IoCs
pid Process 4060 keygen-pr.exe 4044 keygen-step-1.exe 2076 keygen-step-3.exe 4572 keygen-step-4.exe 1572 key.exe 1912 Setup.exe 4540 6489A2274AE24900.exe 372 6489A2274AE24900.exe 2668 md2_2efs.exe 232 1613383421906.exe 5016 file.exe 3480 1613383424219.exe 5104 A994.tmp.exe 4784 AB1B.tmp.exe 4800 AC55.tmp.exe 4472 A994.tmp.exe -
resource yara_rule behavioral4/files/0x000100000001ab41-30.dat office_xlm_macros -
resource yara_rule behavioral4/files/0x000100000001ab95-197.dat upx behavioral4/files/0x000100000001ab95-198.dat upx behavioral4/files/0x000100000001abaa-209.dat upx behavioral4/files/0x000100000001abaa-210.dat upx -
Loads dropped DLL 1 IoCs
pid Process 208 MsiExec.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral4/files/0x000100000001ab8b-145.dat themida behavioral4/files/0x000100000001ab8c-154.dat themida behavioral4/memory/4680-159-0x0000000000820000-0x0000000000821000-memory.dmp themida behavioral4/memory/2424-163-0x0000000001130000-0x0000000001131000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Setup.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6489A2274AE24900.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6489A2274AE24900.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md2_2efs.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\T: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 63 api.ipify.org 73 ip-api.com -
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 Setup.exe File opened for modification \??\PhysicalDrive0 6489A2274AE24900.exe File opened for modification \??\PhysicalDrive0 6489A2274AE24900.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1912 Setup.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 4540 set thread context of 1164 4540 6489A2274AE24900.exe 100 PID 4540 set thread context of 744 4540 6489A2274AE24900.exe 113 PID 5104 set thread context of 4472 5104 A994.tmp.exe 118 -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2452 2668 WerFault.exe 97 -
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc 6489A2274AE24900.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 6489A2274AE24900.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName 6489A2274AE24900.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc 6489A2274AE24900.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 6489A2274AE24900.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName 6489A2274AE24900.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 6489A2274AE24900.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc 6489A2274AE24900.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName 6489A2274AE24900.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 6489A2274AE24900.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc 6489A2274AE24900.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName 6489A2274AE24900.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4304 timeout.exe -
Kills process with taskkill 1 IoCs
pid Process 1472 taskkill.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576 Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 file.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e file.exe -
Runs ping.exe 1 TTPs 5 IoCs
pid Process 2392 PING.EXE 1080 PING.EXE 4724 PING.EXE 1164 PING.EXE 1012 PING.EXE -
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 2452 WerFault.exe 2452 WerFault.exe 2452 WerFault.exe 2452 WerFault.exe 2452 WerFault.exe 2452 WerFault.exe 2452 WerFault.exe 2452 WerFault.exe 2452 WerFault.exe 2452 WerFault.exe 2452 WerFault.exe 2452 WerFault.exe 2452 WerFault.exe 2452 WerFault.exe 2452 WerFault.exe 2452 WerFault.exe 232 1613383421906.exe 232 1613383421906.exe 3480 1613383424219.exe 3480 1613383424219.exe 5016 file.exe 5016 file.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2456 msiexec.exe Token: SeIncreaseQuotaPrivilege 2456 msiexec.exe Token: SeSecurityPrivilege 4656 msiexec.exe Token: SeCreateTokenPrivilege 2456 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2456 msiexec.exe Token: SeLockMemoryPrivilege 2456 msiexec.exe Token: SeIncreaseQuotaPrivilege 2456 msiexec.exe Token: SeMachineAccountPrivilege 2456 msiexec.exe Token: SeTcbPrivilege 2456 msiexec.exe Token: SeSecurityPrivilege 2456 msiexec.exe Token: SeTakeOwnershipPrivilege 2456 msiexec.exe Token: SeLoadDriverPrivilege 2456 msiexec.exe Token: SeSystemProfilePrivilege 2456 msiexec.exe Token: SeSystemtimePrivilege 2456 msiexec.exe Token: SeProfSingleProcessPrivilege 2456 msiexec.exe Token: SeIncBasePriorityPrivilege 2456 msiexec.exe Token: SeCreatePagefilePrivilege 2456 msiexec.exe Token: SeCreatePermanentPrivilege 2456 msiexec.exe Token: SeBackupPrivilege 2456 msiexec.exe Token: SeRestorePrivilege 2456 msiexec.exe Token: SeShutdownPrivilege 2456 msiexec.exe Token: SeDebugPrivilege 2456 msiexec.exe Token: SeAuditPrivilege 2456 msiexec.exe Token: SeSystemEnvironmentPrivilege 2456 msiexec.exe Token: SeChangeNotifyPrivilege 2456 msiexec.exe Token: SeRemoteShutdownPrivilege 2456 msiexec.exe Token: SeUndockPrivilege 2456 msiexec.exe Token: SeSyncAgentPrivilege 2456 msiexec.exe Token: SeEnableDelegationPrivilege 2456 msiexec.exe Token: SeManageVolumePrivilege 2456 msiexec.exe Token: SeImpersonatePrivilege 2456 msiexec.exe Token: SeCreateGlobalPrivilege 2456 msiexec.exe Token: SeCreateTokenPrivilege 2456 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2456 msiexec.exe Token: SeLockMemoryPrivilege 2456 msiexec.exe Token: SeIncreaseQuotaPrivilege 2456 msiexec.exe Token: SeMachineAccountPrivilege 2456 msiexec.exe Token: SeTcbPrivilege 2456 msiexec.exe Token: SeSecurityPrivilege 2456 msiexec.exe Token: SeTakeOwnershipPrivilege 2456 msiexec.exe Token: SeLoadDriverPrivilege 2456 msiexec.exe Token: SeSystemProfilePrivilege 2456 msiexec.exe Token: SeSystemtimePrivilege 2456 msiexec.exe Token: SeProfSingleProcessPrivilege 2456 msiexec.exe Token: SeIncBasePriorityPrivilege 2456 msiexec.exe Token: SeCreatePagefilePrivilege 2456 msiexec.exe Token: SeCreatePermanentPrivilege 2456 msiexec.exe Token: SeBackupPrivilege 2456 msiexec.exe Token: SeRestorePrivilege 2456 msiexec.exe Token: SeShutdownPrivilege 2456 msiexec.exe Token: SeDebugPrivilege 2456 msiexec.exe Token: SeAuditPrivilege 2456 msiexec.exe Token: SeSystemEnvironmentPrivilege 2456 msiexec.exe Token: SeChangeNotifyPrivilege 2456 msiexec.exe Token: SeRemoteShutdownPrivilege 2456 msiexec.exe Token: SeUndockPrivilege 2456 msiexec.exe Token: SeSyncAgentPrivilege 2456 msiexec.exe Token: SeEnableDelegationPrivilege 2456 msiexec.exe Token: SeManageVolumePrivilege 2456 msiexec.exe Token: SeImpersonatePrivilege 2456 msiexec.exe Token: SeCreateGlobalPrivilege 2456 msiexec.exe Token: SeCreateTokenPrivilege 2456 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2456 msiexec.exe Token: SeLockMemoryPrivilege 2456 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2456 msiexec.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1912 Setup.exe 4540 6489A2274AE24900.exe 372 6489A2274AE24900.exe 1164 firefox.exe 232 1613383421906.exe 744 firefox.exe 3480 1613383424219.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4688 wrote to memory of 3884 4688 pass 12345...Kepserverex_5_5_14_493_crack_by_CORE.exe 78 PID 4688 wrote to memory of 3884 4688 pass 12345...Kepserverex_5_5_14_493_crack_by_CORE.exe 78 PID 4688 wrote to memory of 3884 4688 pass 12345...Kepserverex_5_5_14_493_crack_by_CORE.exe 78 PID 3884 wrote to memory of 4060 3884 cmd.exe 81 PID 3884 wrote to memory of 4060 3884 cmd.exe 81 PID 3884 wrote to memory of 4060 3884 cmd.exe 81 PID 3884 wrote to memory of 4044 3884 cmd.exe 82 PID 3884 wrote to memory of 4044 3884 cmd.exe 82 PID 3884 wrote to memory of 4044 3884 cmd.exe 82 PID 3884 wrote to memory of 2076 3884 cmd.exe 83 PID 3884 wrote to memory of 2076 3884 cmd.exe 83 PID 3884 wrote to memory of 2076 3884 cmd.exe 83 PID 3884 wrote to memory of 4572 3884 cmd.exe 84 PID 3884 wrote to memory of 4572 3884 cmd.exe 84 PID 3884 wrote to memory of 4572 3884 cmd.exe 84 PID 4060 wrote to memory of 1572 4060 keygen-pr.exe 85 PID 4060 wrote to memory of 1572 4060 keygen-pr.exe 85 PID 4060 wrote to memory of 1572 4060 keygen-pr.exe 85 PID 2076 wrote to memory of 1896 2076 keygen-step-3.exe 87 PID 2076 wrote to memory of 1896 2076 keygen-step-3.exe 87 PID 2076 wrote to memory of 1896 2076 keygen-step-3.exe 87 PID 4572 wrote to memory of 1912 4572 keygen-step-4.exe 86 PID 4572 wrote to memory of 1912 4572 keygen-step-4.exe 86 PID 4572 wrote to memory of 1912 4572 keygen-step-4.exe 86 PID 1572 wrote to memory of 2308 1572 key.exe 89 PID 1572 wrote to memory of 2308 1572 key.exe 89 PID 1572 wrote to memory of 2308 1572 key.exe 89 PID 1896 wrote to memory of 2392 1896 cmd.exe 90 PID 1896 wrote to memory of 2392 1896 cmd.exe 90 PID 1896 wrote to memory of 2392 1896 cmd.exe 90 PID 1912 wrote to memory of 2456 1912 Setup.exe 91 PID 1912 wrote to memory of 2456 1912 Setup.exe 91 PID 1912 wrote to memory of 2456 1912 Setup.exe 91 PID 4656 wrote to memory of 208 4656 msiexec.exe 93 PID 4656 wrote to memory of 208 4656 msiexec.exe 93 PID 4656 wrote to memory of 208 4656 msiexec.exe 93 PID 1912 wrote to memory of 4540 1912 Setup.exe 94 PID 1912 wrote to memory of 4540 1912 Setup.exe 94 PID 1912 wrote to memory of 4540 1912 Setup.exe 94 PID 1912 wrote to memory of 372 1912 Setup.exe 95 PID 1912 wrote to memory of 372 1912 Setup.exe 95 PID 1912 wrote to memory of 372 1912 Setup.exe 95 PID 1912 wrote to memory of 3696 1912 Setup.exe 96 PID 1912 wrote to memory of 3696 1912 Setup.exe 96 PID 1912 wrote to memory of 3696 1912 Setup.exe 96 PID 4572 wrote to memory of 2668 4572 keygen-step-4.exe 97 PID 4572 wrote to memory of 2668 4572 keygen-step-4.exe 97 PID 4572 wrote to memory of 2668 4572 keygen-step-4.exe 97 PID 3696 wrote to memory of 1080 3696 cmd.exe 99 PID 3696 wrote to memory of 1080 3696 cmd.exe 99 PID 3696 wrote to memory of 1080 3696 cmd.exe 99 PID 372 wrote to memory of 1104 372 6489A2274AE24900.exe 101 PID 372 wrote to memory of 1104 372 6489A2274AE24900.exe 101 PID 372 wrote to memory of 1104 372 6489A2274AE24900.exe 101 PID 4540 wrote to memory of 1164 4540 6489A2274AE24900.exe 100 PID 4540 wrote to memory of 1164 4540 6489A2274AE24900.exe 100 PID 4540 wrote to memory of 1164 4540 6489A2274AE24900.exe 100 PID 4540 wrote to memory of 1164 4540 6489A2274AE24900.exe 100 PID 4540 wrote to memory of 1164 4540 6489A2274AE24900.exe 100 PID 4540 wrote to memory of 1164 4540 6489A2274AE24900.exe 100 PID 1104 wrote to memory of 1472 1104 cmd.exe 103 PID 1104 wrote to memory of 1472 1104 cmd.exe 103 PID 1104 wrote to memory of 1472 1104 cmd.exe 103 PID 4540 wrote to memory of 232 4540 6489A2274AE24900.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\pass 12345...Kepserverex_5_5_14_493_crack_by_CORE.exe"C:\Users\Admin\AppData\Local\Temp\pass 12345...Kepserverex_5_5_14_493_crack_by_CORE.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵PID:2308
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
PID:4044
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
PID:2392
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2456
-
-
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exeC:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 0011 installp15⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:1164
-
-
C:\Users\Admin\AppData\Roaming\1613383421906.exe"C:\Users\Admin\AppData\Roaming\1613383421906.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613383421906.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:232
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:744
-
-
C:\Users\Admin\AppData\Roaming\1613383424219.exe"C:\Users\Admin\AppData\Roaming\1613383424219.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613383424219.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3480
-
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeC:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"6⤵PID:2128
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"6⤵PID:4984
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
PID:1012
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exeC:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 200 installp15⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
PID:1472
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"6⤵PID:4956
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
PID:4724
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 36⤵
- Runs ping.exe
PID:1080
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2668 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 39005⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:2452
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:5016 -
C:\Users\Admin\AppData\Roaming\A994.tmp.exe"C:\Users\Admin\AppData\Roaming\A994.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5104 -
C:\Users\Admin\AppData\Roaming\A994.tmp.exe"C:\Users\Admin\AppData\Roaming\A994.tmp.exe"6⤵
- Executes dropped EXE
PID:4472
-
-
-
C:\Users\Admin\AppData\Roaming\AB1B.tmp.exe"C:\Users\Admin\AppData\Roaming\AB1B.tmp.exe"5⤵
- Executes dropped EXE
PID:4784
-
-
C:\Users\Admin\AppData\Roaming\AC55.tmp.exe"C:\Users\Admin\AppData\Roaming\AC55.tmp.exe"5⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\cmd.exe/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\AC55.tmp.exe6⤵PID:672
-
C:\Windows\SysWOW64\timeout.exetimeout /t 37⤵
- Delays execution with timeout.exe
PID:4304
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"5⤵PID:3384
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
PID:1164
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"4⤵PID:4300
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\installer.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\installer.exe"5⤵PID:1908
-
C:\ProgramData\4506405.49"C:\ProgramData\4506405.49"6⤵PID:200
-
-
C:\ProgramData\965330.10"C:\ProgramData\965330.10"6⤵PID:2588
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"7⤵PID:4872
-
-
-
C:\ProgramData\5321221.58"C:\ProgramData\5321221.58"6⤵PID:4680
-
-
C:\ProgramData\8989758.98"C:\ProgramData\8989758.98"6⤵PID:2424
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\gdrrr.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gdrrr.exe"4⤵PID:4476
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵PID:844
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵PID:3592
-
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7845B0D04F465DBD4EDB249417BA2D77 C2⤵
- Loads dropped DLL
PID:208
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:832
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:2484
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵PID:1768