azorult | 545cb9eb4514c9a131dafed7c0c0bb2ba91f89114770e4f583915c414572ec95

Analysis

max time kernel
59s
max time network
62s
platform
windows10_x64
resource
win10v20201028
submitted
05-03-2021 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Video.nVidia.GeForce.8600.GTS.crack.exe
Size

8.6MB
MD5

4c5d5630a17759bff9cb25a75a6de902
SHA1

7e30a081298ef34a5f7db00607f10c72464e4c96
SHA256

45411d2b5bf4e2d0e75af577252aba0a84ccc51e7b05e9b67a54390bb7aab8d8
SHA512

09d2a7fa28f88dd5c622b99318a7d68b1c3f9f6fa3edbe589cb067478dba73e790346b967599dde0745e8afeded0096c99d796206f691c34c903c97a01db80f3

Score

10^/10

azorult pony bootkit discovery evasion infostealer macro persistence rat spyware stealer trojan xlm

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Nirsoft 4 IoCs

resource	yara_rule
behavioral1/files/0x000200000001ab7c-125.dat	Nirsoft
behavioral1/files/0x000200000001ab7c-126.dat	Nirsoft
behavioral1/files/0x000200000001abb8-138.dat	Nirsoft
behavioral1/files/0x000200000001abb8-137.dat	Nirsoft

Executes dropped EXE 20 IoCs

pid	Process
3084	keygen-pr.exe
3316	keygen-step-1.exe
2272	keygen-step-3.exe
2104	keygen-step-4.exe
636	file.exe
2116	key.exe
3852	key.exe
3372	F264.tmp.exe
4004	F264.tmp.exe
3172	Setup.exe
744	C0CA61A12E4C8B38.exe
4072	C0CA61A12E4C8B38.exe
1724	Install.exe
1772	multitimer.exe
4032	askinstall20.exe
4220	1614924631923.exe
4404	md2_2efs.exe
4764	1614924636798.exe
4908	BTRSetp.exe
4976	multitimer.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

resource	yara_rule
behavioral1/files/0x000200000001a0e3-65.dat	office_xlm_macros

Loads dropped DLL 1 IoCs

pid	Process
2572	MsiExec.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	api.ipify.org

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3172	Setup.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 3852	2116	key.exe	91
PID 3372 set thread context of 4004	3372	F264.tmp.exe	96
PID 744 set thread context of 3816	744	C0CA61A12E4C8B38.exe	113
PID 744 set thread context of 4752	744	C0CA61A12E4C8B38.exe	125

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	F264.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	F264.tmp.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3568	taskkill.exe
4144	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
3856	PING.EXE
3580	PING.EXE
3464	PING.EXE
4376	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2116	key.exe
2116	key.exe
636	file.exe
636	file.exe
4004	F264.tmp.exe
4004	F264.tmp.exe
636	file.exe
636	file.exe
636	file.exe
636	file.exe
636	file.exe
636	file.exe
4220	1614924631923.exe
4220	1614924631923.exe
4764	1614924636798.exe
4764	1614924636798.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	2116	key.exe
Token: SeTcbPrivilege	2116	key.exe
Token: SeChangeNotifyPrivilege	2116	key.exe
Token: SeCreateTokenPrivilege	2116	key.exe
Token: SeBackupPrivilege	2116	key.exe
Token: SeRestorePrivilege	2116	key.exe
Token: SeIncreaseQuotaPrivilege	2116	key.exe
Token: SeAssignPrimaryTokenPrivilege	2116	key.exe
Token: SeImpersonatePrivilege	2116	key.exe
Token: SeTcbPrivilege	2116	key.exe
Token: SeChangeNotifyPrivilege	2116	key.exe
Token: SeCreateTokenPrivilege	2116	key.exe
Token: SeBackupPrivilege	2116	key.exe
Token: SeRestorePrivilege	2116	key.exe
Token: SeIncreaseQuotaPrivilege	2116	key.exe
Token: SeAssignPrimaryTokenPrivilege	2116	key.exe
Token: SeImpersonatePrivilege	2116	key.exe
Token: SeTcbPrivilege	2116	key.exe
Token: SeChangeNotifyPrivilege	2116	key.exe
Token: SeCreateTokenPrivilege	2116	key.exe
Token: SeBackupPrivilege	2116	key.exe
Token: SeRestorePrivilege	2116	key.exe
Token: SeIncreaseQuotaPrivilege	2116	key.exe
Token: SeAssignPrimaryTokenPrivilege	2116	key.exe
Token: SeImpersonatePrivilege	2116	key.exe
Token: SeTcbPrivilege	2116	key.exe
Token: SeChangeNotifyPrivilege	2116	key.exe
Token: SeCreateTokenPrivilege	2116	key.exe
Token: SeBackupPrivilege	2116	key.exe
Token: SeRestorePrivilege	2116	key.exe
Token: SeIncreaseQuotaPrivilege	2116	key.exe
Token: SeAssignPrimaryTokenPrivilege	2116	key.exe
Token: SeImpersonatePrivilege	2116	key.exe
Token: SeTcbPrivilege	2116	key.exe
Token: SeChangeNotifyPrivilege	2116	key.exe
Token: SeCreateTokenPrivilege	2116	key.exe
Token: SeBackupPrivilege	2116	key.exe
Token: SeRestorePrivilege	2116	key.exe
Token: SeIncreaseQuotaPrivilege	2116	key.exe
Token: SeAssignPrimaryTokenPrivilege	2116	key.exe
Token: SeDebugPrivilege	636	file.exe
Token: SeShutdownPrivilege	2328	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2328	msiexec.exe
Token: SeSecurityPrivilege	3828	msiexec.exe
Token: SeCreateTokenPrivilege	2328	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2328	msiexec.exe
Token: SeLockMemoryPrivilege	2328	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2328	msiexec.exe
Token: SeMachineAccountPrivilege	2328	msiexec.exe
Token: SeTcbPrivilege	2328	msiexec.exe
Token: SeSecurityPrivilege	2328	msiexec.exe
Token: SeTakeOwnershipPrivilege	2328	msiexec.exe
Token: SeLoadDriverPrivilege	2328	msiexec.exe
Token: SeSystemProfilePrivilege	2328	msiexec.exe
Token: SeSystemtimePrivilege	2328	msiexec.exe
Token: SeProfSingleProcessPrivilege	2328	msiexec.exe
Token: SeIncBasePriorityPrivilege	2328	msiexec.exe
Token: SeCreatePagefilePrivilege	2328	msiexec.exe
Token: SeCreatePermanentPrivilege	2328	msiexec.exe
Token: SeBackupPrivilege	2328	msiexec.exe
Token: SeRestorePrivilege	2328	msiexec.exe
Token: SeShutdownPrivilege	2328	msiexec.exe
Token: SeDebugPrivilege	2328	msiexec.exe
Token: SeAuditPrivilege	2328	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2328	msiexec.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3172	Setup.exe
744	C0CA61A12E4C8B38.exe
4072	C0CA61A12E4C8B38.exe
3816	firefox.exe
4220	1614924631923.exe
4752	firefox.exe
4764	1614924636798.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 3520	880	Video.nVidia.GeForce.8600.GTS.crack.exe	79
PID 880 wrote to memory of 3520	880	Video.nVidia.GeForce.8600.GTS.crack.exe	79
PID 880 wrote to memory of 3520	880	Video.nVidia.GeForce.8600.GTS.crack.exe	79
PID 3520 wrote to memory of 3084	3520	cmd.exe	82
PID 3520 wrote to memory of 3084	3520	cmd.exe	82
PID 3520 wrote to memory of 3084	3520	cmd.exe	82
PID 3520 wrote to memory of 3316	3520	cmd.exe	83
PID 3520 wrote to memory of 3316	3520	cmd.exe	83
PID 3520 wrote to memory of 3316	3520	cmd.exe	83
PID 3520 wrote to memory of 2272	3520	cmd.exe	84
PID 3520 wrote to memory of 2272	3520	cmd.exe	84
PID 3520 wrote to memory of 2272	3520	cmd.exe	84
PID 3520 wrote to memory of 2104	3520	cmd.exe	85
PID 3520 wrote to memory of 2104	3520	cmd.exe	85
PID 3520 wrote to memory of 2104	3520	cmd.exe	85
PID 2104 wrote to memory of 636	2104	keygen-step-4.exe	86
PID 2104 wrote to memory of 636	2104	keygen-step-4.exe	86
PID 2104 wrote to memory of 636	2104	keygen-step-4.exe	86
PID 3084 wrote to memory of 2116	3084	keygen-pr.exe	87
PID 3084 wrote to memory of 2116	3084	keygen-pr.exe	87
PID 3084 wrote to memory of 2116	3084	keygen-pr.exe	87
PID 2272 wrote to memory of 420	2272	keygen-step-3.exe	88
PID 2272 wrote to memory of 420	2272	keygen-step-3.exe	88
PID 2272 wrote to memory of 420	2272	keygen-step-3.exe	88
PID 420 wrote to memory of 3856	420	cmd.exe	90
PID 420 wrote to memory of 3856	420	cmd.exe	90
PID 420 wrote to memory of 3856	420	cmd.exe	90
PID 2116 wrote to memory of 3852	2116	key.exe	91
PID 2116 wrote to memory of 3852	2116	key.exe	91
PID 2116 wrote to memory of 3852	2116	key.exe	91
PID 2116 wrote to memory of 3852	2116	key.exe	91
PID 2116 wrote to memory of 3852	2116	key.exe	91
PID 2116 wrote to memory of 3852	2116	key.exe	91
PID 2116 wrote to memory of 3852	2116	key.exe	91
PID 2116 wrote to memory of 3852	2116	key.exe	91
PID 2116 wrote to memory of 3852	2116	key.exe	91
PID 2116 wrote to memory of 3852	2116	key.exe	91
PID 2116 wrote to memory of 3852	2116	key.exe	91
PID 2116 wrote to memory of 3852	2116	key.exe	91
PID 2116 wrote to memory of 3852	2116	key.exe	91
PID 2116 wrote to memory of 3852	2116	key.exe	91
PID 2116 wrote to memory of 3852	2116	key.exe	91
PID 636 wrote to memory of 3372	636	file.exe	94
PID 636 wrote to memory of 3372	636	file.exe	94
PID 636 wrote to memory of 3372	636	file.exe	94
PID 3372 wrote to memory of 4004	3372	F264.tmp.exe	96
PID 3372 wrote to memory of 4004	3372	F264.tmp.exe	96
PID 3372 wrote to memory of 4004	3372	F264.tmp.exe	96
PID 3372 wrote to memory of 4004	3372	F264.tmp.exe	96
PID 3372 wrote to memory of 4004	3372	F264.tmp.exe	96
PID 3372 wrote to memory of 4004	3372	F264.tmp.exe	96
PID 3372 wrote to memory of 4004	3372	F264.tmp.exe	96
PID 3372 wrote to memory of 4004	3372	F264.tmp.exe	96
PID 3372 wrote to memory of 4004	3372	F264.tmp.exe	96
PID 3372 wrote to memory of 4004	3372	F264.tmp.exe	96
PID 3372 wrote to memory of 4004	3372	F264.tmp.exe	96
PID 3372 wrote to memory of 4004	3372	F264.tmp.exe	96
PID 3372 wrote to memory of 4004	3372	F264.tmp.exe	96
PID 636 wrote to memory of 856	636	file.exe	97
PID 636 wrote to memory of 856	636	file.exe	97
PID 636 wrote to memory of 856	636	file.exe	97
PID 856 wrote to memory of 3580	856	cmd.exe	100
PID 856 wrote to memory of 3580	856	cmd.exe	100
PID 856 wrote to memory of 3580	856	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\Video.nVidia.GeForce.8600.GTS.crack.exe
"C:\Users\Admin\AppData\Local\Temp\Video.nVidia.GeForce.8600.GTS.crack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        Executes dropped EXE
        
        PID:3852
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:3316
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:420
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:3856
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:636
    - - C:\Users\Admin\AppData\Roaming\F264.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\F264.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3372
      - C:\Users\Admin\AppData\Roaming\F264.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\F264.tmp.exe"
        6⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4004
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:856
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      PID:3172
    - - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        5⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2328
    - - C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
        
        C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp1
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:744
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3816
      - C:\Users\Admin\AppData\Roaming\1614924631923.exe
        
        "C:\Users\Admin\AppData\Roaming\1614924631923.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614924631923.txt"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4220
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4752
      - C:\Users\Admin\AppData\Roaming\1614924636798.exe
        
        "C:\Users\Admin\AppData\Roaming\1614924636798.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614924636798.txt"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4764
    - - C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
        
        C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp1
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:4072
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:3568
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
        6⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        7⤵
        Runs ping.exe
        
        PID:4376
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
        5⤵
        
        PID:1856
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        6⤵
        Runs ping.exe
        
        PID:3464
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"
      4⤵
      Executes dropped EXE
      PID:1724
    - - C:\Users\Admin\AppData\Local\Temp\W4O481FE7O\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\W4O481FE7O\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1772
      - C:\Users\Admin\AppData\Local\Temp\W4O481FE7O\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\W4O481FE7O\multitimer.exe" 1 3.1614921253.6041be254aaae 101
        6⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\W4O481FE7O\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\W4O481FE7O\multitimer.exe" 2 3.1614921253.6041be254aaae
        7⤵
        
        PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
      4⤵
      Executes dropped EXE
      PID:4032
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:2300
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:4144
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      PID:4404
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
      4⤵
      Executes dropped EXE
      PID:4908
    - - C:\ProgramData\3933505.43
        
        "C:\ProgramData\3933505.43"
        5⤵
        
        PID:2796
    - - C:\ProgramData\1176841.12
        
        "C:\ProgramData\1176841.12"
        5⤵
        
        PID:4168

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3828
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 63A366DA7638C1295CF9F9F4F330009D C
  2⤵
  - Loads dropped DLL
  PID:2572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/636-31-0x00000000007D0000-0x00000000007DD000-memory.dmp

Filesize
52KB

Download
memory/636-48-0x0000000003680000-0x0000000003752000-memory.dmp

Filesize
840KB

Download
memory/744-85-0x00000000725A0000-0x0000000072633000-memory.dmp

Filesize
588KB

Download
memory/744-100-0x0000000002D60000-0x000000000320F000-memory.dmp

Filesize
4.7MB

Download
memory/1724-95-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/1724-97-0x000000001B550000-0x000000001B552000-memory.dmp

Filesize
8KB

Download
memory/1724-92-0x00007FF943990000-0x00007FF94437C000-memory.dmp

Filesize
9.9MB

Download
memory/1772-108-0x00007FF9439E0000-0x00007FF944380000-memory.dmp

Filesize
9.6MB

Download
memory/1772-119-0x0000000002DA0000-0x0000000002DA2000-memory.dmp

Filesize
8KB

Download
memory/2116-53-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2116-54-0x0000000000550000-0x000000000056B000-memory.dmp

Filesize
108KB

Download
memory/2116-52-0x0000000002EC0000-0x0000000002FAF000-memory.dmp

Filesize
956KB

Download
memory/2116-26-0x0000000002540000-0x00000000026DC000-memory.dmp

Filesize
1.6MB

Download
memory/3172-62-0x00000000725A0000-0x0000000072633000-memory.dmp

Filesize
588KB

Download
memory/3172-63-0x0000000010000000-0x000000001033E000-memory.dmp

Filesize
3.2MB

Download
memory/3372-44-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/3372-49-0x0000000002E20000-0x0000000002E65000-memory.dmp

Filesize
276KB

Download
memory/3816-111-0x00007FF95ABF0000-0x00007FF95AC6E000-memory.dmp

Filesize
504KB

Download
memory/3816-121-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/3816-122-0x00000287B8680000-0x00000287B8681000-memory.dmp

Filesize
4KB

Download
memory/3852-28-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/3852-40-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/4004-45-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4004-50-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4072-87-0x00000000725A0000-0x0000000072633000-memory.dmp

Filesize
588KB

Download
memory/4072-99-0x0000000002D30000-0x00000000031DF000-memory.dmp

Filesize
4.7MB

Download
memory/4220-127-0x00000000725A0000-0x0000000072633000-memory.dmp

Filesize
588KB

Download
memory/4752-145-0x000001E9EBC40000-0x000001E9EBC41000-memory.dmp

Filesize
4KB

Download
memory/4752-135-0x00007FF95ABF0000-0x00007FF95AC6E000-memory.dmp

Filesize
504KB

Download
memory/4764-139-0x00000000725A0000-0x0000000072633000-memory.dmp

Filesize
588KB

Download
memory/4908-165-0x000000001C5E0000-0x000000001C5E2000-memory.dmp

Filesize
8KB

Download
memory/4908-151-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4908-144-0x00007FF9416D0000-0x00007FF9420BC000-memory.dmp

Filesize
9.9MB

Download
memory/4908-149-0x0000000000B80000-0x0000000000BB3000-memory.dmp

Filesize
204KB

Download
memory/4908-148-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/4908-146-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/4976-153-0x00007FF9439E0000-0x00007FF944380000-memory.dmp

Filesize
9.6MB

Download
memory/4976-161-0x0000000001430000-0x0000000001432000-memory.dmp

Filesize
8KB

Download
memory/5084-159-0x00007FF9439E0000-0x00007FF944380000-memory.dmp

Filesize
9.6MB

Download
memory/5084-166-0x0000000003130000-0x0000000003132000-memory.dmp

Filesize
8KB

Download