Overview

overview

10

Static

static

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...��ฺ7

windows7_x64

10

Analysis

  • max time kernel
    1723s
  • max time network
    1725s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    28/02/2021, 20:44

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    [CRACKHEAP.NET]PW12345NewLive_All_Media_Fixer_Pro_v6_keygen_by_FUTURiTY.exe

  • Size

    9.2MB

  • MD5

    ad902aa32e3899e0800521f9a32f988c

  • SHA1

    4f1a7ac4ce37f8fcf31802f73193d3e9a706115a

  • SHA256

    cbdca73f35a74084333ad849b15742bed455e5bfd4ce24edb202e71586c4d77f

  • SHA512

    631c091108d386b35d50464846fbeae2eff44480d3903866d15ac1ac61ae27eecf2361ac60a7539ca034daec8a63e161ffd66488fdae653546baf0407e11ca43

Score
10/10
azorultponydiscoveryinfostealerratspywarestealertrojan

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\[CRACKHEAP.NET]PW12345NewLive_All_Media_Fixer_Pro_v6_keygen_by_FUTURiTY.exe
    "C:\Users\Admin\AppData\Local\Temp\[CRACKHEAP.NET]PW12345NewLive_All_Media_Fixer_Pro_v6_keygen_by_FUTURiTY.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
        keygen-pr.exe -p83fsase3Ge
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:848
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1644
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
            C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
            5⤵
            • Executes dropped EXE
            PID:1128
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
        keygen-step-1.exe
        3⤵
        • Executes dropped EXE
        PID:336
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
        keygen-step-3.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:368
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:992
          • C:\Windows\SysWOW64\PING.EXE
            ping 1.1.1.1 -n 1 -w 3000
            5⤵
            • Runs ping.exe
            PID:112
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
        keygen-step-4.exe
        3⤵
        • Executes dropped EXE
        PID:1724

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/892-2-0x0000000074D91000-0x0000000074D93000-memory.dmp

          Filesize

          8KB

          Download

        • memory/892-3-0x00000000023D0000-0x00000000023D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1128-37-0x0000000000400000-0x0000000000983000-memory.dmp

          Filesize

          5.5MB

          Download

        • memory/1128-45-0x0000000000400000-0x0000000000983000-memory.dmp

          Filesize

          5.5MB

          Download

        • memory/1328-42-0x000007FEF7570000-0x000007FEF77EA000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/1644-39-0x0000000002340000-0x00000000024DC000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1644-48-0x0000000002C50000-0x0000000002D3F000-memory.dmp

          Filesize

          956KB

          Download

        • memory/1644-49-0x0000000000210000-0x0000000000211000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1644-50-0x0000000000200000-0x000000000021B000-memory.dmp

          Filesize

          108KB

          Download