azorult | 6db1ea6f963b78c305e7b5f20afd00682eb440cf1c083325d5fe4190c6a3c2fb

Analysis

max time kernel
59s
max time network
60s
platform
windows10_x64
resource
win10v20201028
submitted
04-03-2021 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CorelDraw_keygen_by_KeygenNinja.exe
Size

8.6MB
MD5

26fb5cbb439c37c7437c43951b56a9e8
SHA1

ffe7d540afd6410bd69e502d47252930a1411f73
SHA256

ced746e74fedf490bf79b1c68c9e15290c33f42df5fd2281a13708fae54c8ea7
SHA512

f0a24019707d4ec9e8477037d2d2f83c511a0e4dc9aa0a0c7a4f97b4a8ab1ac1a5618145fc628068c326856cc0cf9e3c697489cdd4b0d92a369ebd54b5391a78

Score

10^/10

azorult bootkit discovery infostealer macro persistence spyware trojan xlm

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Executes dropped EXE 9 IoCs

Processes:

keygen-pr.exekeygen-step-1.exekeygen-step-3.exekeygen-step-4.exekey.exefile.exe977.tmp.exe977.tmp.exeSetup.exe

pid	process
3700	keygen-pr.exe
3452	keygen-step-1.exe
1324	keygen-step-3.exe
3904	keygen-step-4.exe
3548	key.exe
1364	file.exe
2756	977.tmp.exe
2620	977.tmp.exe
3208	Setup.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	office_xlm_macros

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

1920 MsiExec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1920	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 api.ipify.org
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Setup.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Setup.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

977.tmp.exe

description pid process target process

PID 2756 set thread context of 2620 2756 977.tmp.exe 977.tmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
33	api.ipify.org

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe

description	pid	process	target process
PID 2756 set thread context of 2620	2756	977.tmp.exe	977.tmp.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

977.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	977.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	977.tmp.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

file.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\PegasPc file.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2660 PING.EXE
3028 PING.EXE
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

977.tmp.exefile.exe

pid process

2620 977.tmp.exe
2620 977.tmp.exe
1364 file.exe
1364 file.exe
1364 file.exe
1364 file.exe
1364 file.exe
1364 file.exe
1364 file.exe
1364 file.exe

pid	process
2660	PING.EXE
3028	PING.EXE

pid	process
2620	977.tmp.exe
2620	977.tmp.exe
1364	file.exe
1364	file.exe
1364	file.exe
1364	file.exe
1364	file.exe
1364	file.exe
1364	file.exe
1364	file.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

file.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1364	file.exe
Token: SeShutdownPrivilege	3968	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3968	msiexec.exe
Token: SeSecurityPrivilege	1312	msiexec.exe
Token: SeCreateTokenPrivilege	3968	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3968	msiexec.exe
Token: SeLockMemoryPrivilege	3968	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3968	msiexec.exe
Token: SeMachineAccountPrivilege	3968	msiexec.exe
Token: SeTcbPrivilege	3968	msiexec.exe
Token: SeSecurityPrivilege	3968	msiexec.exe
Token: SeTakeOwnershipPrivilege	3968	msiexec.exe
Token: SeLoadDriverPrivilege	3968	msiexec.exe
Token: SeSystemProfilePrivilege	3968	msiexec.exe
Token: SeSystemtimePrivilege	3968	msiexec.exe
Token: SeProfSingleProcessPrivilege	3968	msiexec.exe
Token: SeIncBasePriorityPrivilege	3968	msiexec.exe
Token: SeCreatePagefilePrivilege	3968	msiexec.exe
Token: SeCreatePermanentPrivilege	3968	msiexec.exe
Token: SeBackupPrivilege	3968	msiexec.exe
Token: SeRestorePrivilege	3968	msiexec.exe
Token: SeShutdownPrivilege	3968	msiexec.exe
Token: SeDebugPrivilege	3968	msiexec.exe
Token: SeAuditPrivilege	3968	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3968	msiexec.exe
Token: SeChangeNotifyPrivilege	3968	msiexec.exe
Token: SeRemoteShutdownPrivilege	3968	msiexec.exe
Token: SeUndockPrivilege	3968	msiexec.exe
Token: SeSyncAgentPrivilege	3968	msiexec.exe
Token: SeEnableDelegationPrivilege	3968	msiexec.exe
Token: SeManageVolumePrivilege	3968	msiexec.exe
Token: SeImpersonatePrivilege	3968	msiexec.exe
Token: SeCreateGlobalPrivilege	3968	msiexec.exe
Token: SeCreateTokenPrivilege	3968	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3968	msiexec.exe
Token: SeLockMemoryPrivilege	3968	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3968	msiexec.exe
Token: SeMachineAccountPrivilege	3968	msiexec.exe
Token: SeTcbPrivilege	3968	msiexec.exe
Token: SeSecurityPrivilege	3968	msiexec.exe
Token: SeTakeOwnershipPrivilege	3968	msiexec.exe
Token: SeLoadDriverPrivilege	3968	msiexec.exe
Token: SeSystemProfilePrivilege	3968	msiexec.exe
Token: SeSystemtimePrivilege	3968	msiexec.exe
Token: SeProfSingleProcessPrivilege	3968	msiexec.exe
Token: SeIncBasePriorityPrivilege	3968	msiexec.exe
Token: SeCreatePagefilePrivilege	3968	msiexec.exe
Token: SeCreatePermanentPrivilege	3968	msiexec.exe
Token: SeBackupPrivilege	3968	msiexec.exe
Token: SeRestorePrivilege	3968	msiexec.exe
Token: SeShutdownPrivilege	3968	msiexec.exe
Token: SeDebugPrivilege	3968	msiexec.exe
Token: SeAuditPrivilege	3968	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3968	msiexec.exe
Token: SeChangeNotifyPrivilege	3968	msiexec.exe
Token: SeRemoteShutdownPrivilege	3968	msiexec.exe
Token: SeUndockPrivilege	3968	msiexec.exe
Token: SeSyncAgentPrivilege	3968	msiexec.exe
Token: SeEnableDelegationPrivilege	3968	msiexec.exe
Token: SeManageVolumePrivilege	3968	msiexec.exe
Token: SeImpersonatePrivilege	3968	msiexec.exe
Token: SeCreateGlobalPrivilege	3968	msiexec.exe
Token: SeCreateTokenPrivilege	3968	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3968	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

3968 msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Setup.exe

pid process

3208 Setup.exe

pid	process
3968	msiexec.exe

pid	process
3208	Setup.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

CorelDraw_keygen_by_KeygenNinja.execmd.exekeygen-pr.exekeygen-step-4.exekeygen-step-3.exekey.execmd.exefile.exe977.tmp.execmd.exeSetup.exemsiexec.exe

description	pid	process	target process
PID 496 wrote to memory of 188	496	CorelDraw_keygen_by_KeygenNinja.exe	cmd.exe
PID 496 wrote to memory of 188	496	CorelDraw_keygen_by_KeygenNinja.exe	cmd.exe
PID 496 wrote to memory of 188	496	CorelDraw_keygen_by_KeygenNinja.exe	cmd.exe
PID 188 wrote to memory of 3700	188	cmd.exe	keygen-pr.exe
PID 188 wrote to memory of 3700	188	cmd.exe	keygen-pr.exe
PID 188 wrote to memory of 3700	188	cmd.exe	keygen-pr.exe
PID 188 wrote to memory of 3452	188	cmd.exe	keygen-step-1.exe
PID 188 wrote to memory of 3452	188	cmd.exe	keygen-step-1.exe
PID 188 wrote to memory of 3452	188	cmd.exe	keygen-step-1.exe
PID 188 wrote to memory of 1324	188	cmd.exe	keygen-step-3.exe
PID 188 wrote to memory of 1324	188	cmd.exe	keygen-step-3.exe
PID 188 wrote to memory of 1324	188	cmd.exe	keygen-step-3.exe
PID 188 wrote to memory of 3904	188	cmd.exe	keygen-step-4.exe
PID 188 wrote to memory of 3904	188	cmd.exe	keygen-step-4.exe
PID 188 wrote to memory of 3904	188	cmd.exe	keygen-step-4.exe
PID 3700 wrote to memory of 3548	3700	keygen-pr.exe	key.exe
PID 3700 wrote to memory of 3548	3700	keygen-pr.exe	key.exe
PID 3700 wrote to memory of 3548	3700	keygen-pr.exe	key.exe
PID 3904 wrote to memory of 1364	3904	keygen-step-4.exe	file.exe
PID 3904 wrote to memory of 1364	3904	keygen-step-4.exe	file.exe
PID 3904 wrote to memory of 1364	3904	keygen-step-4.exe	file.exe
PID 1324 wrote to memory of 3400	1324	keygen-step-3.exe	cmd.exe
PID 1324 wrote to memory of 3400	1324	keygen-step-3.exe	cmd.exe
PID 1324 wrote to memory of 3400	1324	keygen-step-3.exe	cmd.exe
PID 3548 wrote to memory of 3332	3548	key.exe	key.exe
PID 3548 wrote to memory of 3332	3548	key.exe	key.exe
PID 3548 wrote to memory of 3332	3548	key.exe	key.exe
PID 3400 wrote to memory of 2660	3400	cmd.exe	PING.EXE
PID 3400 wrote to memory of 2660	3400	cmd.exe	PING.EXE
PID 3400 wrote to memory of 2660	3400	cmd.exe	PING.EXE
PID 1364 wrote to memory of 2756	1364	file.exe	977.tmp.exe
PID 1364 wrote to memory of 2756	1364	file.exe	977.tmp.exe
PID 1364 wrote to memory of 2756	1364	file.exe	977.tmp.exe
PID 2756 wrote to memory of 2620	2756	977.tmp.exe	977.tmp.exe
PID 2756 wrote to memory of 2620	2756	977.tmp.exe	977.tmp.exe
PID 2756 wrote to memory of 2620	2756	977.tmp.exe	977.tmp.exe
PID 2756 wrote to memory of 2620	2756	977.tmp.exe	977.tmp.exe
PID 2756 wrote to memory of 2620	2756	977.tmp.exe	977.tmp.exe
PID 2756 wrote to memory of 2620	2756	977.tmp.exe	977.tmp.exe
PID 2756 wrote to memory of 2620	2756	977.tmp.exe	977.tmp.exe
PID 2756 wrote to memory of 2620	2756	977.tmp.exe	977.tmp.exe
PID 2756 wrote to memory of 2620	2756	977.tmp.exe	977.tmp.exe
PID 2756 wrote to memory of 2620	2756	977.tmp.exe	977.tmp.exe
PID 2756 wrote to memory of 2620	2756	977.tmp.exe	977.tmp.exe
PID 2756 wrote to memory of 2620	2756	977.tmp.exe	977.tmp.exe
PID 2756 wrote to memory of 2620	2756	977.tmp.exe	977.tmp.exe
PID 1364 wrote to memory of 3060	1364	file.exe	cmd.exe
PID 1364 wrote to memory of 3060	1364	file.exe	cmd.exe
PID 1364 wrote to memory of 3060	1364	file.exe	cmd.exe
PID 3060 wrote to memory of 3028	3060	cmd.exe	PING.EXE
PID 3060 wrote to memory of 3028	3060	cmd.exe	PING.EXE
PID 3060 wrote to memory of 3028	3060	cmd.exe	PING.EXE
PID 3904 wrote to memory of 3208	3904	keygen-step-4.exe	Setup.exe
PID 3904 wrote to memory of 3208	3904	keygen-step-4.exe	Setup.exe
PID 3904 wrote to memory of 3208	3904	keygen-step-4.exe	Setup.exe
PID 3208 wrote to memory of 3968	3208	Setup.exe	msiexec.exe
PID 3208 wrote to memory of 3968	3208	Setup.exe	msiexec.exe
PID 3208 wrote to memory of 3968	3208	Setup.exe	msiexec.exe
PID 1312 wrote to memory of 1920	1312	msiexec.exe	MsiExec.exe
PID 1312 wrote to memory of 1920	1312	msiexec.exe	MsiExec.exe
PID 1312 wrote to memory of 1920	1312	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\CorelDraw_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\CorelDraw_keygen_by_KeygenNinja.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:188
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3548
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:3332
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:3452
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3400
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:2660
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3904
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Users\Admin\AppData\Roaming\977.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\977.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Users\Admin\AppData\Roaming\977.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\977.tmp.exe"
        6⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2620
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3060
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3208
    - - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        5⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:3968

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 55DD5A60BD5E43EDAD550B711D03F65E C
  2⤵
  - Loads dropped DLL
  PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ZRL2LFO1.cookie

MD5
c890c81db17e1c6e182f93977463bfa5

SHA1
ec1f27ce5e38d1204a2a2b422ee807b7b03bf1d3

SHA256
b858114a0a181c733781e3d1667a8849270a865468af121e6b00bc15f854ccb7

SHA512
273d62a540e80108085529cbe7fa1e4db1090b556edb717de24c13a0f8ee5fdb5c4cb102b9ba4633806e3350d8a76dd12d1e11e5ca318bb9a02b2f5682895c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI43C0.tmp

MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe

MD5
9aaafaed80038c9dcb3bb6a532e9d071

SHA1
4657521b9a50137db7b1e2e84193363a2ddbd74f

SHA256
e019f9e9da75b4b108fd9a62853e5966d13a33fc13718b8248041204316edff5

SHA512
9d69afc8c16ddc2261b46cc48e7ca2176e35a19534d82c6245baa6318b478fd63d1235a8418c07bf11cb5386aa0ee9879db90866b88251b16b959880d6ab0996

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe

MD5
9aaafaed80038c9dcb3bb6a532e9d071

SHA1
4657521b9a50137db7b1e2e84193363a2ddbd74f

SHA256
e019f9e9da75b4b108fd9a62853e5966d13a33fc13718b8248041204316edff5

SHA512
9d69afc8c16ddc2261b46cc48e7ca2176e35a19534d82c6245baa6318b478fd63d1235a8418c07bf11cb5386aa0ee9879db90866b88251b16b959880d6ab0996

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

MD5
5f6a71ec27ed36a11d17e0989ffb0382

SHA1
a66b0e4d8ba90fc97e4d5eb37d7fbc12ade9a556

SHA256
a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65

SHA512
d67e0f1627e5416aef1185aea2125c8502aac02b6d3e8eec301e344f5074bfce8b2aded37b2730a65c04b95b1ba6151e79048642ef1d0c9b32702f919b42f7b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

MD5
5f6a71ec27ed36a11d17e0989ffb0382

SHA1
a66b0e4d8ba90fc97e4d5eb37d7fbc12ade9a556

SHA256
a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65

SHA512
d67e0f1627e5416aef1185aea2125c8502aac02b6d3e8eec301e344f5074bfce8b2aded37b2730a65c04b95b1ba6151e79048642ef1d0c9b32702f919b42f7b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat

MD5
f2632c204f883c59805093720dfe5a78

SHA1
c96e3aa03805a84fec3ea4208104a25a2a9d037e

SHA256
f9458a661ecd6c7e8fae669be72497288472a11ac3e823d3074e58f7fe98cd68

SHA512
5a19c4a777899889381be64f190e50a23cceee0abb78776b6d041e2384ba88e692972e40cefa34c03ca1b7d029475a0afbc5ce006ce833a1665e52008671bae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat

MD5
12476321a502e943933e60cfb4429970

SHA1
c71d293b84d03153a1bd13c560fca0f8857a95a7

SHA256
14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29

SHA512
f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

MD5
afd51e2ff7beac4d0c88d8f872d6d0d5

SHA1
185fd4793db912410de63ac7a5a3b1ac9c266b38

SHA256
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

SHA512
eed33fd55a82fceea21f522a6c59d3e318d7e73c86e9b1f039e37b3ccd6c0b58df24dabfcb71d8ccb818dd236cc329804d6a947240619ad26aed8713fe19a418

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe

MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe

MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi

MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Roaming\977.tmp.exe

MD5
f89ae0f23dd8653582b9e0b7cba017f3

SHA1
e880a24963067ecf818ab13b1e611aa4d36c34e2

SHA256
af31ae791e3f6ff84273384a6a4e34b1ce8cc60b71d7097249382267058ef8a1

SHA512
b8f56b0f7498cdc4efe593c49ab1dbf3716f101687e8005ca600e938c48f43a8a263fec7aa9cbcac234c8f46373b6a6a92b04809aced91414c1f75f25983cc91

Download Submit
C:\Users\Admin\AppData\Roaming\977.tmp.exe

MD5
f89ae0f23dd8653582b9e0b7cba017f3

SHA1
e880a24963067ecf818ab13b1e611aa4d36c34e2

SHA256
af31ae791e3f6ff84273384a6a4e34b1ce8cc60b71d7097249382267058ef8a1

SHA512
b8f56b0f7498cdc4efe593c49ab1dbf3716f101687e8005ca600e938c48f43a8a263fec7aa9cbcac234c8f46373b6a6a92b04809aced91414c1f75f25983cc91

Download Submit
C:\Users\Admin\AppData\Roaming\977.tmp.exe

MD5
f89ae0f23dd8653582b9e0b7cba017f3

SHA1
e880a24963067ecf818ab13b1e611aa4d36c34e2

SHA256
af31ae791e3f6ff84273384a6a4e34b1ce8cc60b71d7097249382267058ef8a1

SHA512
b8f56b0f7498cdc4efe593c49ab1dbf3716f101687e8005ca600e938c48f43a8a263fec7aa9cbcac234c8f46373b6a6a92b04809aced91414c1f75f25983cc91

Download Submit
\Users\Admin\AppData\Local\Temp\MSI43C0.tmp

MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
memory/188-3-0x0000000000000000-mapping.dmp

Download
memory/1324-11-0x0000000000000000-mapping.dmp

Download
memory/1364-21-0x0000000000000000-mapping.dmp

Download
memory/1364-27-0x0000000000E20000-0x0000000000E2D000-memory.dmp

Filesize
52KB

Download
memory/1364-43-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1920-56-0x0000000000000000-mapping.dmp

Download
memory/2620-45-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2620-41-0x0000000000401480-mapping.dmp

Download
memory/2620-40-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2660-26-0x0000000000000000-mapping.dmp

Download
memory/2756-44-0x0000000002F60000-0x0000000002FA5000-memory.dmp

Filesize
276KB

Download
memory/2756-39-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2756-36-0x0000000000000000-mapping.dmp

Download
memory/3028-48-0x0000000000000000-mapping.dmp

Download
memory/3060-47-0x0000000000000000-mapping.dmp

Download
memory/3208-53-0x0000000010000000-0x000000001033E000-memory.dmp

Filesize
3.2MB

Download
memory/3208-52-0x0000000072660000-0x00000000726F3000-memory.dmp

Filesize
588KB

Download
memory/3208-49-0x0000000000000000-mapping.dmp

Download
memory/3400-24-0x0000000000000000-mapping.dmp

Download
memory/3452-7-0x0000000000000000-mapping.dmp

Download
memory/3548-25-0x0000000002FD0000-0x000000000316C000-memory.dmp

Filesize
1.6MB

Download
memory/3548-17-0x0000000000000000-mapping.dmp

Download
memory/3700-5-0x0000000000000000-mapping.dmp

Download
memory/3904-14-0x0000000000000000-mapping.dmp

Download
memory/3968-54-0x0000000000000000-mapping.dmp

Download