Overview

overview

10

Static

static

ฺฺฺB...��ฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...��ฺ7

windows7_x64

Analysis

  • max time kernel
    59s
  • max time network
    60s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04-03-2021 20:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CorelDraw_keygen_by_KeygenNinja.exe

  • Size

    8.6MB

  • MD5

    26fb5cbb439c37c7437c43951b56a9e8

  • SHA1

    ffe7d540afd6410bd69e502d47252930a1411f73

  • SHA256

    ced746e74fedf490bf79b1c68c9e15290c33f42df5fd2281a13708fae54c8ea7

  • SHA512

    f0a24019707d4ec9e8477037d2d2f83c511a0e4dc9aa0a0c7a4f97b4a8ab1ac1a5618145fc628068c326856cc0cf9e3c697489cdd4b0d92a369ebd54b5391a78

Score
10/10
azorultbootkitdiscoveryinfostealermacropersistencespywaretrojanxlm

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Executes dropped EXE 9 IoCs
  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

    macroxlm
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CorelDraw_keygen_by_KeygenNinja.exe
    "C:\Users\Admin\AppData\Local\Temp\CorelDraw_keygen_by_KeygenNinja.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:496
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:188
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
        keygen-pr.exe -p83fsase3Ge
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3700
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3548
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
            C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
            5⤵
              PID:3332
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
          keygen-step-1.exe
          3⤵
          • Executes dropped EXE
          PID:3452
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
          keygen-step-3.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1324
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3400
            • C:\Windows\SysWOW64\PING.EXE
              ping 1.1.1.1 -n 1 -w 3000
              5⤵
              • Runs ping.exe
              PID:2660
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
          keygen-step-4.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3904
          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
            4⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1364
            • C:\Users\Admin\AppData\Roaming\977.tmp.exe
              "C:\Users\Admin\AppData\Roaming\977.tmp.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2756
              • C:\Users\Admin\AppData\Roaming\977.tmp.exe
                "C:\Users\Admin\AppData\Roaming\977.tmp.exe"
                6⤵
                • Executes dropped EXE
                • Checks processor information in registry
                • Suspicious behavior: EnumeratesProcesses
                PID:2620
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3060
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:3028
          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
            4⤵
            • Executes dropped EXE
            • Writes to the Master Boot Record (MBR)
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3208
            • C:\Windows\SysWOW64\msiexec.exe
              msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
              5⤵
              • Enumerates connected drives
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              PID:3968
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 55DD5A60BD5E43EDAD550B711D03F65E C
        2⤵
        • Loads dropped DLL
        PID:1920

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1364-27-0x0000000000E20000-0x0000000000E2D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/1364-43-0x0000000000400000-0x00000000004D2000-memory.dmp

      Filesize

      840KB

      Download

    • memory/2620-45-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

      Download

    • memory/2620-40-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

      Download

    • memory/2756-44-0x0000000002F60000-0x0000000002FA5000-memory.dmp

      Filesize

      276KB

      Download

    • memory/2756-39-0x00000000031B0000-0x00000000031B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3208-53-0x0000000010000000-0x000000001033E000-memory.dmp

      Filesize

      3.2MB

      Download

    • memory/3208-52-0x0000000072660000-0x00000000726F3000-memory.dmp

      Filesize

      588KB

      Download

    • memory/3548-25-0x0000000002FD0000-0x000000000316C000-memory.dmp

      Filesize

      1.6MB

      Download