Analysis

max time kernel: 61s
max time network: 64s
platform: windows10_x64
resource: win10v20201028
submitted: 04-03-2021 20:37

Static task: static1

Behavioral task: behavioral1
Sample: Restoro_2_0_1_keygen_by_KeygenNinja.exe
Resource: win10v20201028

Behavioral task: behavioral2
Sample: Restoro_2_0_1_keygen_by_KeygenNinja.exe
Resource: win10v20201028

Behavioral task: behavioral3
Sample: Restoro_2_0_1_keygen_by_KeygenNinja.exe
Resource: win10v20201028

Behavioral task: behavioral4
Sample: Restoro_2_0_1_keygen_by_KeygenNinja.exe
Resource: win10v20201028

Behavioral task: behavioral5
Sample: Restoro_2_0_1_keygen_by_KeygenNinja.exe
Resource: win7v20201028

General

Target: Restoro_2_0_1_keygen_by_KeygenNinja.exe
Size: 8.6MB
MD5: 26fb5cbb439c37c7437c43951b56a9e8
SHA1: ffe7d540afd6410bd69e502d47252930a1411f73
SHA256: ced746e74fedf490bf79b1c68c9e15290c33f42df5fd2281a13708fae54c8ea7
SHA512: f0a24019707d4ec9e8477037d2d2f83c511a0e4dc9aa0a0c7a4f97b4a8ab1ac1a5618145fc628068c326856cc0cf9e3c697489cdd4b0d92a369ebd54b5391a78
Malware Config

Extracted
Family: azorult
URL: http://kvaka.li/1210776429.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Checks for common network interception software (1 TTP)
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Nirsoft (4 IoCs)
resource / yara_rule:
behavioral1/files/0x0007000000015612-95.dat  Nirsoft
behavioral1/files/0x0007000000015612-96.dat  Nirsoft
behavioral1/files/0x000100000001aba7-117.dat  Nirsoft
behavioral1/files/0x000100000001aba7-115.dat  Nirsoft

Executes dropped EXE (20 IoCs)
pid / Process:
740  keygen-pr.exe
1488  keygen-step-1.exe
3104  keygen-step-3.exe
2960  keygen-step-4.exe
2260  key.exe
1124  file.exe
4036  key.exe
1500  96F6.tmp.exe
2180  96F6.tmp.exe
2680  Setup.exe
4028  C0CA61A12E4C8B38.exe
2256  C0CA61A12E4C8B38.exe
196  Install.exe
2740  multitimer.exe
1156  askinstall20.exe
3892  1614893694311.exe
4344  md2_2efs.exe
4968  1614893699124.exe
5108  multitimer.exe
2800  multitimer.exe

resource / yara_rule:
behavioral1/files/0x000200000001ab68-55.dat  office_xlm_macros

Loads dropped DLL (1 IoC)
pid / Process:
4040  MsiExec.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
description / ioc / Process:
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zyr5tnqorqk = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\GRNN3OWU4B\\multitimer.exe\" 1 3.1614890315.6041454b7da2b"  multitimer.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
description / ioc / Process:
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  md2_2efs.exe

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
39  api.ipify.org

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
description / ioc / Process:
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum  multitimer.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0  multitimer.exe

Writes to the Master Boot Record (MBR) (1 TTP, 3 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description / ioc / Process:
File opened for modification  \??\PhysicalDrive0  Setup.exe
File opened for modification  \??\PhysicalDrive0  C0CA61A12E4C8B38.exe
File opened for modification  \??\PhysicalDrive0  C0CA61A12E4C8B38.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid / Process:
2680  Setup.exe

Suspicious use of SetThreadContext (4 IoCs)
description / pid / Process / procid_target:
PID 2260 set thread context of 4036  2260  key.exe  87
PID 1500 set thread context of 2180  1500  96F6.tmp.exe  94
PID 4028 set thread context of 2032  4028  C0CA61A12E4C8B38.exe  111
PID 4028 set thread context of 4956  4028  C0CA61A12E4C8B38.exe  124

Drops file in Windows directory (2 IoCs)
description / ioc / Process:
File created  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new  multitimer.exe
File created  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new  multitimer.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 12 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description / ioc / Process:
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName  C0CA61A12E4C8B38.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc  C0CA61A12E4C8B38.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName  C0CA61A12E4C8B38.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc  C0CA61A12E4C8B38.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName  C0CA61A12E4C8B38.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000  C0CA61A12E4C8B38.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName  C0CA61A12E4C8B38.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000  C0CA61A12E4C8B38.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc  C0CA61A12E4C8B38.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000  C0CA61A12E4C8B38.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000  C0CA61A12E4C8B38.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc  C0CA61A12E4C8B38.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description / ioc / Process:
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  96F6.tmp.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  96F6.tmp.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
description / ioc / Process:
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  multitimer.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  multitimer.exe

Kills process with taskkill (2 IoCs)
pid / Process:
2272  taskkill.exe
4192  taskkill.exe

Modifies data under HKEY_USERS (1 IoC)
description / ioc / Process:
Key created  \REGISTRY\USER\.DEFAULT\Software\PegasPc  file.exe

Modifies system certificate store
description / ioc / Process:
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  file.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted)  file.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD  Setup.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = (certificate blob omitted)  Setup.exe

Runs ping.exe (1 TTP, 4 IoCs)
pid / Process:
1948  PING.EXE
2580  PING.EXE
4316  PING.EXE
204  PING.EXE

Suspicious behavior: EnumeratesProcesses (34 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (1 IoC)
pid / Process:
1128  msiexec.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
pid / Process:
2680  Setup.exe
4028  C0CA61A12E4C8B38.exe
2256  C0CA61A12E4C8B38.exe
2032  firefox.exe
3892  1614893694311.exe
4956  firefox.exe
4968  1614893699124.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Process tree; the bracketed number is the nesting depth reported by the sandbox, and indentation follows it.

[1] C:\Users\Admin\AppData\Local\Temp\Restoro_2_0_1_keygen_by_KeygenNinja.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Restoro_2_0_1_keygen_by_KeygenNinja.exe"
    PID: 3084
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      PID: 940
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
        Command line: keygen-pr.exe -p83fsase3Ge
        PID: 740
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
          PID: 2260
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
            PID: 4036
            - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
        Command line: keygen-step-1.exe
        PID: 1488
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
        Command line: keygen-step-3.exe
        PID: 3104
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
          PID: 2568
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 1.1.1.1 -n 1 -w 3000
            PID: 204
            - Runs ping.exe
    [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
        Command line: keygen-step-4.exe
        PID: 2960
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
          PID: 1124
          - Executes dropped EXE
          - Modifies data under HKEY_USERS
          - Modifies system certificate store
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Roaming\96F6.tmp.exe
            Command line: "C:\Users\Admin\AppData\Roaming\96F6.tmp.exe"
            PID: 1500
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Roaming\96F6.tmp.exe
              Command line: "C:\Users\Admin\AppData\Roaming\96F6.tmp.exe"
              PID: 2180
              - Executes dropped EXE
              - Checks processor information in registry
              - Suspicious behavior: EnumeratesProcesses
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
            PID: 3864
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\PING.EXE
              Command line: ping 127.0.0.1
              PID: 1948
              - Runs ping.exe
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
          PID: 2680
          - Executes dropped EXE
          - Writes to the Master Boot Record (MBR)
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Modifies system certificate store
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\msiexec.exe
            Command line: msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
            PID: 1128
            - Enumerates connected drives
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
        [5] C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp1
            PID: 4028
            - Executes dropped EXE
            - Writes to the Master Boot Record (MBR)
            - Suspicious use of SetThreadContext
            - Checks SCSI registry key(s)
            - Suspicious use of SetWindowsHookEx
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
              PID: 2032
              - Suspicious use of SetWindowsHookEx
          [6] C:\Users\Admin\AppData\Roaming\1614893694311.exe
              Command line: "C:\Users\Admin\AppData\Roaming\1614893694311.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614893694311.txt"
              PID: 3892
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
              PID: 4956
              - Suspicious use of SetWindowsHookEx
          [6] C:\Users\Admin\AppData\Roaming\1614893699124.exe
              Command line: "C:\Users\Admin\AppData\Roaming\1614893699124.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614893699124.txt"
              PID: 4968
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx
        [5] C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp1
            PID: 2256
            - Executes dropped EXE
            - Writes to the Master Boot Record (MBR)
            - Checks SCSI registry key(s)
            - Suspicious use of SetWindowsHookEx
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: cmd.exe /c taskkill /f /im chrome.exe
              PID: 2160
            [7] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /f /im chrome.exe
                PID: 2272
                - Kills process with taskkill
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
              PID: 4268
            [7] C:\Windows\SysWOW64\PING.EXE
                Command line: ping 127.0.0.1 -n 3
                PID: 4316
                - Runs ping.exe
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
            PID: 2420
          [6] C:\Windows\SysWOW64\PING.EXE
              Command line: ping 127.0.0.1 -n 3
              PID: 2580
              - Runs ping.exe
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"
          PID: 196
          - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\GRNN3OWU4B\multitimer.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\GRNN3OWU4B\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
            PID: 2740
            - Executes dropped EXE
            - Drops file in Windows directory
          [6] C:\Users\Admin\AppData\Local\Temp\GRNN3OWU4B\multitimer.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\GRNN3OWU4B\multitimer.exe" 1 3.1614890315.6041454b7da2b 101
              PID: 5108
              - Executes dropped EXE
              - Adds Run key to start application
            [7] C:\Users\Admin\AppData\Local\Temp\GRNN3OWU4B\multitimer.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\GRNN3OWU4B\multitimer.exe" 2 3.1614890315.6041454b7da2b
                PID: 2800
                - Executes dropped EXE
                - Maps connected drives based on registry
                - Enumerates system info in registry
                - Suspicious behavior: EnumeratesProcesses
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
          PID: 1156
          - Executes dropped EXE
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /c taskkill /f /im chrome.exe
            PID: 4144
          [6] C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /f /im chrome.exe
              PID: 4192
              - Kills process with taskkill
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
          PID: 4344
          - Executes dropped EXE
          - Checks whether UAC is enabled

[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    PID: 3928
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B0FED57D3F9ADDF5CEEB5C047EDF2579 C
      PID: 4040
      - Loads dropped DLL