azorult | 5a3bf2cab02285829b13f562de4bcf05c2a2b28bcf0c6c8d65886459631bcd9b

Peripheral Device Discovery

System Information Discovery

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 api.ipify.org

flow	ioc
39	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Setup.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Setup.exe

pid process

2680 Setup.exe

pid	process
2680	Setup.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

key.exe96F6.tmp.exeC0CA61A12E4C8B38.exe

description	pid	process	target process
PID 2260 set thread context of 4036	2260	key.exe	key.exe
PID 1500 set thread context of 2180	1500	96F6.tmp.exe	96F6.tmp.exe
PID 4028 set thread context of 2032	4028	C0CA61A12E4C8B38.exe	firefox.exe
PID 4028 set thread context of 4956	4028	C0CA61A12E4C8B38.exe	firefox.exe

Drops file in Windows directory 2 IoCs

Processes:

multitimer.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

C0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

96F6.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	96F6.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	96F6.tmp.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2272 taskkill.exe
4192 taskkill.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

file.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\PegasPc file.exe

pid	process
2272	taskkill.exe
4192	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

file.exeSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

1948 PING.EXE
2580 PING.EXE
4316 PING.EXE
204 PING.EXE

pid	process
1948	PING.EXE
2580	PING.EXE
4316	PING.EXE
204	PING.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

file.exe96F6.tmp.exekey.exe1614893694311.exe1614893699124.exemultitimer.exe

pid	process
1124	file.exe
1124	file.exe
2180	96F6.tmp.exe
2180	96F6.tmp.exe
1124	file.exe
1124	file.exe
1124	file.exe
1124	file.exe
1124	file.exe
1124	file.exe
2260	key.exe
2260	key.exe
3892	1614893694311.exe
3892	1614893694311.exe
4968	1614893699124.exe
4968	1614893699124.exe
2800	multitimer.exe
2800	multitimer.exe
2800	multitimer.exe
2800	multitimer.exe
2800	multitimer.exe
2800	multitimer.exe
2800	multitimer.exe
2800	multitimer.exe
2800	multitimer.exe
2800	multitimer.exe
2800	multitimer.exe
2800	multitimer.exe
2800	multitimer.exe
2800	multitimer.exe
2800	multitimer.exe
2800	multitimer.exe
2800	multitimer.exe
2800	multitimer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

file.exekey.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1124	file.exe
Token: SeImpersonatePrivilege	2260	key.exe
Token: SeTcbPrivilege	2260	key.exe
Token: SeChangeNotifyPrivilege	2260	key.exe
Token: SeCreateTokenPrivilege	2260	key.exe
Token: SeBackupPrivilege	2260	key.exe
Token: SeRestorePrivilege	2260	key.exe
Token: SeIncreaseQuotaPrivilege	2260	key.exe
Token: SeAssignPrimaryTokenPrivilege	2260	key.exe
Token: SeImpersonatePrivilege	2260	key.exe
Token: SeTcbPrivilege	2260	key.exe
Token: SeChangeNotifyPrivilege	2260	key.exe
Token: SeCreateTokenPrivilege	2260	key.exe
Token: SeBackupPrivilege	2260	key.exe
Token: SeRestorePrivilege	2260	key.exe
Token: SeIncreaseQuotaPrivilege	2260	key.exe
Token: SeAssignPrimaryTokenPrivilege	2260	key.exe
Token: SeImpersonatePrivilege	2260	key.exe
Token: SeTcbPrivilege	2260	key.exe
Token: SeChangeNotifyPrivilege	2260	key.exe
Token: SeCreateTokenPrivilege	2260	key.exe
Token: SeBackupPrivilege	2260	key.exe
Token: SeRestorePrivilege	2260	key.exe
Token: SeIncreaseQuotaPrivilege	2260	key.exe
Token: SeAssignPrimaryTokenPrivilege	2260	key.exe
Token: SeImpersonatePrivilege	2260	key.exe
Token: SeTcbPrivilege	2260	key.exe
Token: SeChangeNotifyPrivilege	2260	key.exe
Token: SeCreateTokenPrivilege	2260	key.exe
Token: SeBackupPrivilege	2260	key.exe
Token: SeRestorePrivilege	2260	key.exe
Token: SeIncreaseQuotaPrivilege	2260	key.exe
Token: SeAssignPrimaryTokenPrivilege	2260	key.exe
Token: SeImpersonatePrivilege	2260	key.exe
Token: SeTcbPrivilege	2260	key.exe
Token: SeChangeNotifyPrivilege	2260	key.exe
Token: SeCreateTokenPrivilege	2260	key.exe
Token: SeBackupPrivilege	2260	key.exe
Token: SeRestorePrivilege	2260	key.exe
Token: SeIncreaseQuotaPrivilege	2260	key.exe
Token: SeAssignPrimaryTokenPrivilege	2260	key.exe
Token: SeShutdownPrivilege	1128	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1128	msiexec.exe
Token: SeSecurityPrivilege	3928	msiexec.exe
Token: SeCreateTokenPrivilege	1128	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1128	msiexec.exe
Token: SeLockMemoryPrivilege	1128	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1128	msiexec.exe
Token: SeMachineAccountPrivilege	1128	msiexec.exe
Token: SeTcbPrivilege	1128	msiexec.exe
Token: SeSecurityPrivilege	1128	msiexec.exe
Token: SeTakeOwnershipPrivilege	1128	msiexec.exe
Token: SeLoadDriverPrivilege	1128	msiexec.exe
Token: SeSystemProfilePrivilege	1128	msiexec.exe
Token: SeSystemtimePrivilege	1128	msiexec.exe
Token: SeProfSingleProcessPrivilege	1128	msiexec.exe
Token: SeIncBasePriorityPrivilege	1128	msiexec.exe
Token: SeCreatePagefilePrivilege	1128	msiexec.exe
Token: SeCreatePermanentPrivilege	1128	msiexec.exe
Token: SeBackupPrivilege	1128	msiexec.exe
Token: SeRestorePrivilege	1128	msiexec.exe
Token: SeShutdownPrivilege	1128	msiexec.exe
Token: SeDebugPrivilege	1128	msiexec.exe
Token: SeAuditPrivilege	1128	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1128 msiexec.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

Setup.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exefirefox.exe1614893694311.exefirefox.exe1614893699124.exe

pid process

2680 Setup.exe
4028 C0CA61A12E4C8B38.exe
2256 C0CA61A12E4C8B38.exe
2032 firefox.exe
3892 1614893694311.exe
4956 firefox.exe
4968 1614893699124.exe

pid	process
1128	msiexec.exe

pid	process
2680	Setup.exe
4028	C0CA61A12E4C8B38.exe
2256	C0CA61A12E4C8B38.exe
2032	firefox.exe
3892	1614893694311.exe
4956	firefox.exe
4968	1614893699124.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Restoro_2_0_1_keygen_by_KeygenNinja.execmd.exekeygen-pr.exekeygen-step-4.exekey.exekeygen-step-3.execmd.exefile.exe96F6.tmp.execmd.exe

description	pid	process	target process
PID 3084 wrote to memory of 940	3084	Restoro_2_0_1_keygen_by_KeygenNinja.exe	cmd.exe
PID 3084 wrote to memory of 940	3084	Restoro_2_0_1_keygen_by_KeygenNinja.exe	cmd.exe
PID 3084 wrote to memory of 940	3084	Restoro_2_0_1_keygen_by_KeygenNinja.exe	cmd.exe
PID 940 wrote to memory of 740	940	cmd.exe	keygen-pr.exe
PID 940 wrote to memory of 740	940	cmd.exe	keygen-pr.exe
PID 940 wrote to memory of 740	940	cmd.exe	keygen-pr.exe
PID 940 wrote to memory of 1488	940	cmd.exe	keygen-step-1.exe
PID 940 wrote to memory of 1488	940	cmd.exe	keygen-step-1.exe
PID 940 wrote to memory of 1488	940	cmd.exe	keygen-step-1.exe
PID 940 wrote to memory of 3104	940	cmd.exe	keygen-step-3.exe
PID 940 wrote to memory of 3104	940	cmd.exe	keygen-step-3.exe
PID 940 wrote to memory of 3104	940	cmd.exe	keygen-step-3.exe
PID 940 wrote to memory of 2960	940	cmd.exe	keygen-step-4.exe
PID 940 wrote to memory of 2960	940	cmd.exe	keygen-step-4.exe
PID 940 wrote to memory of 2960	940	cmd.exe	keygen-step-4.exe
PID 740 wrote to memory of 2260	740	keygen-pr.exe	key.exe
PID 740 wrote to memory of 2260	740	keygen-pr.exe	key.exe
PID 740 wrote to memory of 2260	740	keygen-pr.exe	key.exe
PID 2960 wrote to memory of 1124	2960	keygen-step-4.exe	file.exe
PID 2960 wrote to memory of 1124	2960	keygen-step-4.exe	file.exe
PID 2960 wrote to memory of 1124	2960	keygen-step-4.exe	file.exe
PID 2260 wrote to memory of 4036	2260	key.exe	key.exe
PID 2260 wrote to memory of 4036	2260	key.exe	key.exe
PID 2260 wrote to memory of 4036	2260	key.exe	key.exe
PID 2260 wrote to memory of 4036	2260	key.exe	key.exe
PID 2260 wrote to memory of 4036	2260	key.exe	key.exe
PID 2260 wrote to memory of 4036	2260	key.exe	key.exe
PID 2260 wrote to memory of 4036	2260	key.exe	key.exe
PID 2260 wrote to memory of 4036	2260	key.exe	key.exe
PID 2260 wrote to memory of 4036	2260	key.exe	key.exe
PID 2260 wrote to memory of 4036	2260	key.exe	key.exe
PID 2260 wrote to memory of 4036	2260	key.exe	key.exe
PID 2260 wrote to memory of 4036	2260	key.exe	key.exe
PID 2260 wrote to memory of 4036	2260	key.exe	key.exe
PID 2260 wrote to memory of 4036	2260	key.exe	key.exe
PID 2260 wrote to memory of 4036	2260	key.exe	key.exe
PID 3104 wrote to memory of 2568	3104	keygen-step-3.exe	cmd.exe
PID 3104 wrote to memory of 2568	3104	keygen-step-3.exe	cmd.exe
PID 3104 wrote to memory of 2568	3104	keygen-step-3.exe	cmd.exe
PID 2568 wrote to memory of 204	2568	cmd.exe	PING.EXE
PID 2568 wrote to memory of 204	2568	cmd.exe	PING.EXE
PID 2568 wrote to memory of 204	2568	cmd.exe	PING.EXE
PID 1124 wrote to memory of 1500	1124	file.exe	96F6.tmp.exe
PID 1124 wrote to memory of 1500	1124	file.exe	96F6.tmp.exe
PID 1124 wrote to memory of 1500	1124	file.exe	96F6.tmp.exe
PID 1500 wrote to memory of 2180	1500	96F6.tmp.exe	96F6.tmp.exe
PID 1500 wrote to memory of 2180	1500	96F6.tmp.exe	96F6.tmp.exe
PID 1500 wrote to memory of 2180	1500	96F6.tmp.exe	96F6.tmp.exe
PID 1500 wrote to memory of 2180	1500	96F6.tmp.exe	96F6.tmp.exe
PID 1500 wrote to memory of 2180	1500	96F6.tmp.exe	96F6.tmp.exe
PID 1500 wrote to memory of 2180	1500	96F6.tmp.exe	96F6.tmp.exe
PID 1500 wrote to memory of 2180	1500	96F6.tmp.exe	96F6.tmp.exe
PID 1500 wrote to memory of 2180	1500	96F6.tmp.exe	96F6.tmp.exe
PID 1500 wrote to memory of 2180	1500	96F6.tmp.exe	96F6.tmp.exe
PID 1500 wrote to memory of 2180	1500	96F6.tmp.exe	96F6.tmp.exe
PID 1500 wrote to memory of 2180	1500	96F6.tmp.exe	96F6.tmp.exe
PID 1500 wrote to memory of 2180	1500	96F6.tmp.exe	96F6.tmp.exe
PID 1500 wrote to memory of 2180	1500	96F6.tmp.exe	96F6.tmp.exe
PID 1124 wrote to memory of 3864	1124	file.exe	cmd.exe
PID 1124 wrote to memory of 3864	1124	file.exe	cmd.exe
PID 1124 wrote to memory of 3864	1124	file.exe	cmd.exe
PID 3864 wrote to memory of 1948	3864	cmd.exe	PING.EXE
PID 3864 wrote to memory of 1948	3864	cmd.exe	PING.EXE
PID 3864 wrote to memory of 1948	3864	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\Restoro_2_0_1_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\Restoro_2_0_1_keygen_by_KeygenNinja.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:4036

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:1488

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:204

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\AppData\Roaming\96F6.tmp.exe
"C:\Users\Admin\AppData\Roaming\96F6.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Roaming\96F6.tmp.exe
"C:\Users\Admin\AppData\Roaming\96F6.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:1948

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1128

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp1
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:4028

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Users\Admin\AppData\Roaming\1614893694311.exe
"C:\Users\Admin\AppData\Roaming\1614893694311.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614893694311.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4956

C:\Users\Admin\AppData\Roaming\1614893699124.exe
"C:\Users\Admin\AppData\Roaming\1614893699124.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614893699124.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4968

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp1
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:2256

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:2160

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
6⤵
PID:4268

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:4316

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
5⤵
PID:2420

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:2580

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"
4⤵
- Executes dropped EXE
PID:196

C:\Users\Admin\AppData\Local\Temp\GRNN3OWU4B\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\GRNN3OWU4B\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2740

C:\Users\Admin\AppData\Local\Temp\GRNN3OWU4B\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\GRNN3OWU4B\multitimer.exe" 1 3.1614890315.6041454b7da2b 101
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5108

C:\Users\Admin\AppData\Local\Temp\GRNN3OWU4B\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\GRNN3OWU4B\multitimer.exe" 2 3.1614890315.6041454b7da2b
7⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2800

C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
4⤵
- Executes dropped EXE
PID:1156

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:4144

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:4192

C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4344

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B0FED57D3F9ADDF5CEEB5C047EDF2579 C
2⤵
- Loads dropped DLL
PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

System Information Discovery

Peripheral Device Discovery