azorult | 0f3428e44e8f663465ea5f379e7d4229d2e7d551c314ec094cebee7054472aac

Analysis

max time kernel
1704s
max time network
1704s
platform
windows10_x64
resource
win10v20201028
submitted
18-02-2021 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[CRACKNET.NET]PW12345Microsoft_Virtual_PC_7_0_Mac_keygen.exe
Size

4.7MB
MD5

cef534adb64221db2dcc8617e7d3d7b6
SHA1

aee7e078930917b4c143310be1b4b7fb4714106d
SHA256

0f3428e44e8f663465ea5f379e7d4229d2e7d551c314ec094cebee7054472aac
SHA512

e3a8e5cc0fcd44d3df3736faca83868d0cf926478286a29b5daa5a002290995fd2861b7c3c97dbbc76a1bbcf5d871bd37b42d484c176fff66089d566bb4ccb59

Score

10^/10

azorult pony raccoon 0db229d1b033c01c78fe39a4919289ac1a283c72 discovery evasion infostealer rat spyware stealer trojan upx

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

raccoon

Botnet

0db229d1b033c01c78fe39a4919289ac1a283c72

Attributes

url4cnc
https://telete.in/j90maninblack

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Executes dropped EXE 11 IoCs

Processes:

keygen-pr.exekeygen-step-1.exekeygen-step-3.exekeygen-step-4.exefile.exekey.exekey.exeC44F.tmp.exeC44F.tmp.exeC53B.tmp.exemd2_2efs.exe

pid	process
3560	keygen-pr.exe
1300	keygen-step-1.exe
360	keygen-step-3.exe
2068	keygen-step-4.exe
1200	file.exe
3532	key.exe
476	key.exe
744	C44F.tmp.exe
1172	C44F.tmp.exe
720	C53B.tmp.exe
4208	md2_2efs.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe	upx
behavioral1/memory/2168-67-0x0000000004190000-0x0000000004191000-memory.dmp	upx

Loads dropped DLL 8 IoCs

Processes:

C53B.tmp.exe

pid process

720 C53B.tmp.exe
720 C53B.tmp.exe
720 C53B.tmp.exe
720 C53B.tmp.exe
720 C53B.tmp.exe
720 C53B.tmp.exe
720 C53B.tmp.exe
720 C53B.tmp.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md2_2efs.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md2_2efs.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 api.ipify.org
Suspicious use of SetThreadContext 2 IoCs

Processes:

key.exeC44F.tmp.exe

description pid process target process

PID 3532 set thread context of 476 3532 key.exe key.exe
PID 744 set thread context of 1172 744 C44F.tmp.exe C44F.tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2168 4208 WerFault.exe md2_2efs.exe

pid	process
720	C53B.tmp.exe
720	C53B.tmp.exe
720	C53B.tmp.exe
720	C53B.tmp.exe
720	C53B.tmp.exe
720	C53B.tmp.exe
720	C53B.tmp.exe
720	C53B.tmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe

flow	ioc
26	api.ipify.org

description	pid	process	target process
PID 3532 set thread context of 476	3532	key.exe	key.exe
PID 744 set thread context of 1172	744	C44F.tmp.exe	C44F.tmp.exe

pid	pid_target	process	target process
2168	4208	WerFault.exe	md2_2efs.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

C44F.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	C44F.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	C44F.tmp.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

420 timeout.exe

pid	process
420	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

640 PING.EXE
4248 PING.EXE

pid	process
640	PING.EXE
4248	PING.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

C44F.tmp.exekey.exeWerFault.exe

pid	process
1172	C44F.tmp.exe
1172	C44F.tmp.exe
3532	key.exe
3532	key.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe
2168	WerFault.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

key.exemd2_2efs.exeWerFault.exe

description	pid	process
Token: SeImpersonatePrivilege	3532	key.exe
Token: SeTcbPrivilege	3532	key.exe
Token: SeChangeNotifyPrivilege	3532	key.exe
Token: SeCreateTokenPrivilege	3532	key.exe
Token: SeBackupPrivilege	3532	key.exe
Token: SeRestorePrivilege	3532	key.exe
Token: SeIncreaseQuotaPrivilege	3532	key.exe
Token: SeAssignPrimaryTokenPrivilege	3532	key.exe
Token: SeImpersonatePrivilege	3532	key.exe
Token: SeTcbPrivilege	3532	key.exe
Token: SeChangeNotifyPrivilege	3532	key.exe
Token: SeCreateTokenPrivilege	3532	key.exe
Token: SeBackupPrivilege	3532	key.exe
Token: SeRestorePrivilege	3532	key.exe
Token: SeIncreaseQuotaPrivilege	3532	key.exe
Token: SeAssignPrimaryTokenPrivilege	3532	key.exe
Token: SeImpersonatePrivilege	3532	key.exe
Token: SeTcbPrivilege	3532	key.exe
Token: SeChangeNotifyPrivilege	3532	key.exe
Token: SeCreateTokenPrivilege	3532	key.exe
Token: SeBackupPrivilege	3532	key.exe
Token: SeRestorePrivilege	3532	key.exe
Token: SeIncreaseQuotaPrivilege	3532	key.exe
Token: SeAssignPrimaryTokenPrivilege	3532	key.exe
Token: SeImpersonatePrivilege	3532	key.exe
Token: SeTcbPrivilege	3532	key.exe
Token: SeChangeNotifyPrivilege	3532	key.exe
Token: SeCreateTokenPrivilege	3532	key.exe
Token: SeBackupPrivilege	3532	key.exe
Token: SeRestorePrivilege	3532	key.exe
Token: SeIncreaseQuotaPrivilege	3532	key.exe
Token: SeAssignPrimaryTokenPrivilege	3532	key.exe
Token: SeImpersonatePrivilege	3532	key.exe
Token: SeTcbPrivilege	3532	key.exe
Token: SeChangeNotifyPrivilege	3532	key.exe
Token: SeCreateTokenPrivilege	3532	key.exe
Token: SeBackupPrivilege	3532	key.exe
Token: SeRestorePrivilege	3532	key.exe
Token: SeIncreaseQuotaPrivilege	3532	key.exe
Token: SeAssignPrimaryTokenPrivilege	3532	key.exe
Token: SeManageVolumePrivilege	4208	md2_2efs.exe
Token: SeRestorePrivilege	2168	WerFault.exe
Token: SeBackupPrivilege	2168	WerFault.exe
Token: SeDebugPrivilege	2168	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

[CRACKNET.NET]PW12345Microsoft_Virtual_PC_7_0_Mac_keygen.execmd.exekeygen-step-4.exekeygen-pr.exekeygen-step-3.exekey.execmd.exefile.exeC44F.tmp.exe

description	pid	process	target process
PID 1456 wrote to memory of 808	1456	[CRACKNET.NET]PW12345Microsoft_Virtual_PC_7_0_Mac_keygen.exe	cmd.exe
PID 1456 wrote to memory of 808	1456	[CRACKNET.NET]PW12345Microsoft_Virtual_PC_7_0_Mac_keygen.exe	cmd.exe
PID 1456 wrote to memory of 808	1456	[CRACKNET.NET]PW12345Microsoft_Virtual_PC_7_0_Mac_keygen.exe	cmd.exe
PID 808 wrote to memory of 3560	808	cmd.exe	keygen-pr.exe
PID 808 wrote to memory of 3560	808	cmd.exe	keygen-pr.exe
PID 808 wrote to memory of 3560	808	cmd.exe	keygen-pr.exe
PID 808 wrote to memory of 1300	808	cmd.exe	keygen-step-1.exe
PID 808 wrote to memory of 1300	808	cmd.exe	keygen-step-1.exe
PID 808 wrote to memory of 1300	808	cmd.exe	keygen-step-1.exe
PID 808 wrote to memory of 360	808	cmd.exe	keygen-step-3.exe
PID 808 wrote to memory of 360	808	cmd.exe	keygen-step-3.exe
PID 808 wrote to memory of 360	808	cmd.exe	keygen-step-3.exe
PID 808 wrote to memory of 2068	808	cmd.exe	keygen-step-4.exe
PID 808 wrote to memory of 2068	808	cmd.exe	keygen-step-4.exe
PID 808 wrote to memory of 2068	808	cmd.exe	keygen-step-4.exe
PID 2068 wrote to memory of 1200	2068	keygen-step-4.exe	file.exe
PID 2068 wrote to memory of 1200	2068	keygen-step-4.exe	file.exe
PID 2068 wrote to memory of 1200	2068	keygen-step-4.exe	file.exe
PID 3560 wrote to memory of 3532	3560	keygen-pr.exe	key.exe
PID 3560 wrote to memory of 3532	3560	keygen-pr.exe	key.exe
PID 3560 wrote to memory of 3532	3560	keygen-pr.exe	key.exe
PID 360 wrote to memory of 2272	360	keygen-step-3.exe	cmd.exe
PID 360 wrote to memory of 2272	360	keygen-step-3.exe	cmd.exe
PID 360 wrote to memory of 2272	360	keygen-step-3.exe	cmd.exe
PID 3532 wrote to memory of 476	3532	key.exe	key.exe
PID 3532 wrote to memory of 476	3532	key.exe	key.exe
PID 3532 wrote to memory of 476	3532	key.exe	key.exe
PID 3532 wrote to memory of 476	3532	key.exe	key.exe
PID 3532 wrote to memory of 476	3532	key.exe	key.exe
PID 3532 wrote to memory of 476	3532	key.exe	key.exe
PID 3532 wrote to memory of 476	3532	key.exe	key.exe
PID 3532 wrote to memory of 476	3532	key.exe	key.exe
PID 3532 wrote to memory of 476	3532	key.exe	key.exe
PID 3532 wrote to memory of 476	3532	key.exe	key.exe
PID 3532 wrote to memory of 476	3532	key.exe	key.exe
PID 3532 wrote to memory of 476	3532	key.exe	key.exe
PID 3532 wrote to memory of 476	3532	key.exe	key.exe
PID 3532 wrote to memory of 476	3532	key.exe	key.exe
PID 3532 wrote to memory of 476	3532	key.exe	key.exe
PID 2272 wrote to memory of 640	2272	cmd.exe	PING.EXE
PID 2272 wrote to memory of 640	2272	cmd.exe	PING.EXE
PID 2272 wrote to memory of 640	2272	cmd.exe	PING.EXE
PID 1200 wrote to memory of 744	1200	file.exe	C44F.tmp.exe
PID 1200 wrote to memory of 744	1200	file.exe	C44F.tmp.exe
PID 1200 wrote to memory of 744	1200	file.exe	C44F.tmp.exe
PID 744 wrote to memory of 1172	744	C44F.tmp.exe	C44F.tmp.exe
PID 744 wrote to memory of 1172	744	C44F.tmp.exe	C44F.tmp.exe
PID 744 wrote to memory of 1172	744	C44F.tmp.exe	C44F.tmp.exe
PID 744 wrote to memory of 1172	744	C44F.tmp.exe	C44F.tmp.exe
PID 744 wrote to memory of 1172	744	C44F.tmp.exe	C44F.tmp.exe
PID 744 wrote to memory of 1172	744	C44F.tmp.exe	C44F.tmp.exe
PID 744 wrote to memory of 1172	744	C44F.tmp.exe	C44F.tmp.exe
PID 744 wrote to memory of 1172	744	C44F.tmp.exe	C44F.tmp.exe
PID 744 wrote to memory of 1172	744	C44F.tmp.exe	C44F.tmp.exe
PID 744 wrote to memory of 1172	744	C44F.tmp.exe	C44F.tmp.exe
PID 744 wrote to memory of 1172	744	C44F.tmp.exe	C44F.tmp.exe
PID 744 wrote to memory of 1172	744	C44F.tmp.exe	C44F.tmp.exe
PID 744 wrote to memory of 1172	744	C44F.tmp.exe	C44F.tmp.exe
PID 1200 wrote to memory of 720	1200	file.exe	C53B.tmp.exe
PID 1200 wrote to memory of 720	1200	file.exe	C53B.tmp.exe
PID 1200 wrote to memory of 720	1200	file.exe	C53B.tmp.exe
PID 1200 wrote to memory of 4172	1200	file.exe	cmd.exe
PID 1200 wrote to memory of 4172	1200	file.exe	cmd.exe
PID 1200 wrote to memory of 4172	1200	file.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\[CRACKNET.NET]PW12345Microsoft_Virtual_PC_7_0_Mac_keygen.exe
"C:\Users\Admin\AppData\Local\Temp\[CRACKNET.NET]PW12345Microsoft_Virtual_PC_7_0_Mac_keygen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:476

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:1300

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:640

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Roaming\C44F.tmp.exe
"C:\Users\Admin\AppData\Roaming\C44F.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Roaming\C44F.tmp.exe
"C:\Users\Admin\AppData\Roaming\C44F.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1172

C:\Users\Admin\AppData\Roaming\C53B.tmp.exe
"C:\Users\Admin\AppData\Roaming\C53B.tmp.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:720

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\C53B.tmp.exe"
6⤵
PID:3384

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
7⤵
- Delays execution with timeout.exe
PID:420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
5⤵
PID:4172

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:4248

C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 3776
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
MD5
62d2a07135884c5c8ff742c904fddf56

SHA1
46ce1f7fdf8b4cb2abe479efd5f352db9728a40b

SHA256
a12fee020eb54a0f012545074c689893113d130498d9ad411d5852c786770b81

SHA512
19c4dc3558308052bb13f71ca633ab05d55d57b68fc240fcc6d06e583fa61c5ccea87ef0f8196acc19b37d87deb42e5c204a2a05fce63f1accaf9e39c219f519

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
MD5
62d2a07135884c5c8ff742c904fddf56

SHA1
46ce1f7fdf8b4cb2abe479efd5f352db9728a40b

SHA256
a12fee020eb54a0f012545074c689893113d130498d9ad411d5852c786770b81

SHA512
19c4dc3558308052bb13f71ca633ab05d55d57b68fc240fcc6d06e583fa61c5ccea87ef0f8196acc19b37d87deb42e5c204a2a05fce63f1accaf9e39c219f519

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
MD5
b77a272d00bd799740d5c4b0d05ecd71

SHA1
2fb84a5c47df4d72cd77104d4713a8a50a28daa6

SHA256
927cb3ba838799c235c6f197e2992107916361a1c9646136688dd796d8f7af4e

SHA512
76d2f737a2d53d1281e5f19ea290b022d0bd219b6b059b657afabcaf858de04fca4b34f76c6273636ba770aaad2e40f322edad8cb223650856486199ef7a7546

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
MD5
b77a272d00bd799740d5c4b0d05ecd71

SHA1
2fb84a5c47df4d72cd77104d4713a8a50a28daa6

SHA256
927cb3ba838799c235c6f197e2992107916361a1c9646136688dd796d8f7af4e

SHA512
76d2f737a2d53d1281e5f19ea290b022d0bd219b6b059b657afabcaf858de04fca4b34f76c6273636ba770aaad2e40f322edad8cb223650856486199ef7a7546

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat
MD5
f2632c204f883c59805093720dfe5a78

SHA1
c96e3aa03805a84fec3ea4208104a25a2a9d037e

SHA256
f9458a661ecd6c7e8fae669be72497288472a11ac3e823d3074e58f7fe98cd68

SHA512
5a19c4a777899889381be64f190e50a23cceee0abb78776b6d041e2384ba88e692972e40cefa34c03ca1b7d029475a0afbc5ce006ce833a1665e52008671bae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
MD5
4127593be833d53d84be69a1073b46d6

SHA1
589338f5597ae7bc8e184dcf06b7bf0cb21ca104

SHA256
d0ba78c12f7fc6d3c7976b561c6e092bdefc4ee297b51c1f1bd2c13b775df5a4

SHA512
a239cf6ebd06f3d3955dd7fc885e3d0a8bc6d363c5861e4e2a2ed02f23fba6a852ba01a6e3b3582e5e763fc721867d38c1ee58af9f62e8f366a57d5863753ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
MD5
4127593be833d53d84be69a1073b46d6

SHA1
589338f5597ae7bc8e184dcf06b7bf0cb21ca104

SHA256
d0ba78c12f7fc6d3c7976b561c6e092bdefc4ee297b51c1f1bd2c13b775df5a4

SHA512
a239cf6ebd06f3d3955dd7fc885e3d0a8bc6d363c5861e4e2a2ed02f23fba6a852ba01a6e3b3582e5e763fc721867d38c1ee58af9f62e8f366a57d5863753ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
MD5
cc9720fe2882a3f7cc54f0f9afb1f335

SHA1
aea59caec4ed3bfbbee2b8cd94c516ae45848a69

SHA256
7e0afbcc7487f74ef4d2dc400812b48542b95dfecad63fe356231065fa10a3db

SHA512
c310106ae8e37c7b85e9355b0852fe87ee73f03cbd23d68c7ac236a2548bb46b7b4a20dfcc973ee836ac415f1dedef5c53a4ade365e90be0dc7e11ef7641e1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
MD5
cc9720fe2882a3f7cc54f0f9afb1f335

SHA1
aea59caec4ed3bfbbee2b8cd94c516ae45848a69

SHA256
7e0afbcc7487f74ef4d2dc400812b48542b95dfecad63fe356231065fa10a3db

SHA512
c310106ae8e37c7b85e9355b0852fe87ee73f03cbd23d68c7ac236a2548bb46b7b4a20dfcc973ee836ac415f1dedef5c53a4ade365e90be0dc7e11ef7641e1fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\JOzWR.dat
MD5
12476321a502e943933e60cfb4429970

SHA1
c71d293b84d03153a1bd13c560fca0f8857a95a7

SHA256
14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29

SHA512
f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\potato.dat
MD5
e6982420e4711e16f70a4b96d27932b4

SHA1
2e37dc1257ddac7a31ce3da59e4f0cb97c9dc291

SHA256
d8118c26935eb5dfc32213502547843e33c742a88d8bb11ae340d32f83a39dfd

SHA512
0bc50e97b3ca9692188859ffb00c45ac2747b5eee09e927f48dbcd897e4cd06b57ce2432633601202f255017c5da8bca85aa0b26af8e118b7cc13a9ff7a098c2

Download Submit
C:\Users\Admin\AppData\Roaming\C44F.tmp.exe
MD5
0d273547caef32bb393a399f2c954a4c

SHA1
d293255ea0337eedf1b30c275de336cf8ea1fdd7

SHA256
9d2c0a2cf827d68c04c1992b1489d4534e0a4412f81f376ec3652c7de19fd5a2

SHA512
927743cf01b88cb1d685443bf3560ef407f1893f74f0030583e20f7e3ced79124c4f6af0aaef610b8ccf5d4c806de0ec87eeaa16f590a69e4469e2e3335ff839

Download Submit
C:\Users\Admin\AppData\Roaming\C44F.tmp.exe
MD5
0d273547caef32bb393a399f2c954a4c

SHA1
d293255ea0337eedf1b30c275de336cf8ea1fdd7

SHA256
9d2c0a2cf827d68c04c1992b1489d4534e0a4412f81f376ec3652c7de19fd5a2

SHA512
927743cf01b88cb1d685443bf3560ef407f1893f74f0030583e20f7e3ced79124c4f6af0aaef610b8ccf5d4c806de0ec87eeaa16f590a69e4469e2e3335ff839

Download Submit
C:\Users\Admin\AppData\Roaming\C44F.tmp.exe
MD5
0d273547caef32bb393a399f2c954a4c

SHA1
d293255ea0337eedf1b30c275de336cf8ea1fdd7

SHA256
9d2c0a2cf827d68c04c1992b1489d4534e0a4412f81f376ec3652c7de19fd5a2

SHA512
927743cf01b88cb1d685443bf3560ef407f1893f74f0030583e20f7e3ced79124c4f6af0aaef610b8ccf5d4c806de0ec87eeaa16f590a69e4469e2e3335ff839

Download Submit
C:\Users\Admin\AppData\Roaming\C53B.tmp.exe
MD5
fa1b1ed2ad15c87f3802b89c019539e0

SHA1
188aa9c8547950ce62fabfee125073ebc458dcb6

SHA256
da1766df13ba534431e5b6dd5f5d471325b0ad54615660cb84f8608dbb62628b

SHA512
660efb2533be967e91f90f396fff7c581b9be41b66a73b66bb81fc2c6e3d61c46e0218950628615149f94be8811459beee7c65ee0cc9bfb9f19dde0cab348809

Download Submit
C:\Users\Admin\AppData\Roaming\C53B.tmp.exe
MD5
fa1b1ed2ad15c87f3802b89c019539e0

SHA1
188aa9c8547950ce62fabfee125073ebc458dcb6

SHA256
da1766df13ba534431e5b6dd5f5d471325b0ad54615660cb84f8608dbb62628b

SHA512
660efb2533be967e91f90f396fff7c581b9be41b66a73b66bb81fc2c6e3d61c46e0218950628615149f94be8811459beee7c65ee0cc9bfb9f19dde0cab348809

Download Submit
\Users\Admin\AppData\LocalLow\eE8sF0yG2eQ6fT7\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\eE8sF0yG2eQ6fT7\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\eE8sF0yG2eQ6fT7\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\eE8sF0yG2eQ6fT7\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\eE8sF0yG2eQ6fT7\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\eE8sF0yG2eQ6fT7\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\eE8sF0yG2eQ6fT7\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
memory/360-10-0x0000000000000000-mapping.dmp

Download
memory/420-65-0x0000000000000000-mapping.dmp

Download
memory/476-30-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/476-25-0x000000000066C0BC-mapping.dmp

Download
memory/476-24-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/640-27-0x0000000000000000-mapping.dmp

Download
memory/720-45-0x0000000000A10000-0x0000000000AA2000-memory.dmp

Filesize
584KB

Download
memory/720-37-0x0000000000000000-mapping.dmp

Download
memory/720-46-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/720-41-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/744-31-0x0000000000000000-mapping.dmp

Download
memory/744-42-0x00000000008B0000-0x00000000008F5000-memory.dmp

Filesize
276KB

Download
memory/744-34-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/808-2-0x0000000000000000-mapping.dmp

Download
memory/1172-43-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1172-36-0x0000000000401480-mapping.dmp

Download
memory/1172-35-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1200-29-0x00000000004E0000-0x00000000004ED000-memory.dmp

Filesize
52KB

Download
memory/1200-44-0x00000000037B0000-0x00000000037FA000-memory.dmp

Filesize
296KB

Download
memory/1200-16-0x0000000000000000-mapping.dmp

Download
memory/1300-7-0x0000000000000000-mapping.dmp

Download
memory/2068-13-0x0000000000000000-mapping.dmp

Download
memory/2168-67-0x0000000004190000-0x0000000004191000-memory.dmp

Filesize
4KB

Download
memory/2168-66-0x0000000004190000-0x0000000004191000-memory.dmp

Filesize
4KB

Download
memory/2272-23-0x0000000000000000-mapping.dmp

Download
memory/3384-64-0x0000000000000000-mapping.dmp

Download
memory/3532-28-0x0000000002670000-0x000000000280C000-memory.dmp

Filesize
1.6MB

Download
memory/3532-54-0x0000000002810000-0x00000000028FF000-memory.dmp

Filesize
956KB

Download
memory/3532-19-0x0000000000000000-mapping.dmp

Download
memory/3532-55-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/3532-56-0x0000000000B30000-0x0000000000B4B000-memory.dmp

Filesize
108KB

Download
memory/3560-4-0x0000000000000000-mapping.dmp

Download
memory/4172-48-0x0000000000000000-mapping.dmp

Download
memory/4208-49-0x0000000000000000-mapping.dmp

Download
memory/4248-52-0x0000000000000000-mapping.dmp

Download