Overview

overview

10

Static

static

ฺฺฺB...��ฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

ฺฺฺK...��ฺ7

windows7_x64

10

Analysis

  • max time kernel
    58s
  • max time network
    63s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    05-03-2021 05:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Webcam_Broadcaster_v1_serial_keygen_by_Inferno.exe

  • Size

    8.6MB

  • MD5

    4c5d5630a17759bff9cb25a75a6de902

  • SHA1

    7e30a081298ef34a5f7db00607f10c72464e4c96

  • SHA256

    45411d2b5bf4e2d0e75af577252aba0a84ccc51e7b05e9b67a54390bb7aab8d8

  • SHA512

    09d2a7fa28f88dd5c622b99318a7d68b1c3f9f6fa3edbe589cb067478dba73e790346b967599dde0745e8afeded0096c99d796206f691c34c903c97a01db80f3

Score
10/10
azorultbootkitdiscoveryinfostealermacropersistencespywaretrojanxlm

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Nirsoft 2 IoCs
  • Executes dropped EXE 15 IoCs
  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

    macroxlm
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Webcam_Broadcaster_v1_serial_keygen_by_Inferno.exe
    "C:\Users\Admin\AppData\Local\Temp\Webcam_Broadcaster_v1_serial_keygen_by_Inferno.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
        keygen-pr.exe -p83fsase3Ge
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2452
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
            C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
            5⤵
              PID:2148
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
          keygen-step-1.exe
          3⤵
          • Executes dropped EXE
          PID:1188
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
          keygen-step-3.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2128
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2260
            • C:\Windows\SysWOW64\PING.EXE
              ping 1.1.1.1 -n 1 -w 3000
              5⤵
              • Runs ping.exe
              PID:2832
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
          keygen-step-4.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2196
          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
            4⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1500
            • C:\Users\Admin\AppData\Roaming\FE3C.tmp.exe
              "C:\Users\Admin\AppData\Roaming\FE3C.tmp.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:4048
              • C:\Users\Admin\AppData\Roaming\FE3C.tmp.exe
                "C:\Users\Admin\AppData\Roaming\FE3C.tmp.exe"
                6⤵
                • Executes dropped EXE
                • Checks processor information in registry
                • Suspicious behavior: EnumeratesProcesses
                PID:4004
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2916
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                6⤵
                • Runs ping.exe
                PID:2868
          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
            4⤵
            • Executes dropped EXE
            • Writes to the Master Boot Record (MBR)
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Modifies system certificate store
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2620
            • C:\Windows\SysWOW64\msiexec.exe
              msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
              5⤵
              • Enumerates connected drives
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              PID:3704
            • C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
              C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp1
              5⤵
              • Executes dropped EXE
              • Writes to the Master Boot Record (MBR)
              • Suspicious use of SetThreadContext
              • Checks SCSI registry key(s)
              • Suspicious use of SetWindowsHookEx
              PID:3668
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:2100
              • C:\Users\Admin\AppData\Roaming\1614924641057.exe
                "C:\Users\Admin\AppData\Roaming\1614924641057.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614924641057.txt"
                6⤵
                • Executes dropped EXE
                PID:1968
            • C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
              C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp1
              5⤵
              • Executes dropped EXE
              • Writes to the Master Boot Record (MBR)
              • Checks SCSI registry key(s)
              • Suspicious use of SetWindowsHookEx
              PID:3464
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c taskkill /f /im chrome.exe
                6⤵
                  PID:4060
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im chrome.exe
                    7⤵
                    • Kills process with taskkill
                    PID:4076
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
                5⤵
                  PID:2616
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 127.0.0.1 -n 3
                    6⤵
                    • Runs ping.exe
                    PID:3444
              • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"
                4⤵
                • Executes dropped EXE
                PID:2192
                • C:\Users\Admin\AppData\Local\Temp\7T2SOAG4OR\multitimer.exe
                  "C:\Users\Admin\AppData\Local\Temp\7T2SOAG4OR\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
                  5⤵
                  • Executes dropped EXE
                  PID:1528
              • C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
                4⤵
                • Executes dropped EXE
                PID:3472
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /c taskkill /f /im chrome.exe
                  5⤵
                    PID:3768
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /f /im chrome.exe
                      6⤵
                      • Kills process with taskkill
                      PID:2116
          • C:\Windows\system32\msiexec.exe
            C:\Windows\system32\msiexec.exe /V
            1⤵
            • Enumerates connected drives
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:356
            • C:\Windows\syswow64\MsiExec.exe
              C:\Windows\syswow64\MsiExec.exe -Embedding 034D37F2168E56A1E6521B1000BB1BD3 C
              2⤵
              • Loads dropped DLL
              PID:3856

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1500-44-0x0000000000400000-0x00000000004D2000-memory.dmp

            Filesize

            840KB

            Download

          • memory/1500-25-0x00000000013F0000-0x00000000013FD000-memory.dmp

            Filesize

            52KB

            Download

          • memory/1528-88-0x0000000000E80000-0x0000000000E82000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1528-87-0x00000000026B0000-0x0000000003050000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/1968-105-0x00000000730C0000-0x0000000073153000-memory.dmp

            Filesize

            588KB

            Download

          • memory/2100-106-0x000002AA19470000-0x000002AA19471000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2100-90-0x00007FF9357A0000-0x00007FF93581E000-memory.dmp

            Filesize

            504KB

            Download

          • memory/2100-97-0x0000000010000000-0x0000000010057000-memory.dmp

            Filesize

            348KB

            Download

          • memory/2192-71-0x00007FF91E4E0000-0x00007FF91EECC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2192-73-0x0000000000430000-0x0000000000431000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2192-76-0x000000001B2A0000-0x000000001B2A2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2620-54-0x0000000010000000-0x000000001033E000-memory.dmp

            Filesize

            3.2MB

            Download

          • memory/2620-53-0x00000000730C0000-0x0000000073153000-memory.dmp

            Filesize

            588KB

            Download

          • memory/2728-24-0x0000000003260000-0x00000000033FC000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/3464-66-0x00000000730C0000-0x0000000073153000-memory.dmp

            Filesize

            588KB

            Download

          • memory/3464-78-0x0000000002E11000-0x00000000032BA000-memory.dmp

            Filesize

            4.7MB

            Download

          • memory/3668-79-0x0000000002DF0000-0x000000000329F000-memory.dmp

            Filesize

            4.7MB

            Download

          • memory/3668-64-0x00000000730C0000-0x0000000073153000-memory.dmp

            Filesize

            588KB

            Download

          • memory/3668-72-0x0000000010000000-0x000000001033E000-memory.dmp

            Filesize

            3.2MB

            Download

          • memory/4004-46-0x0000000000400000-0x0000000000449000-memory.dmp

            Filesize

            292KB

            Download

          • memory/4004-41-0x0000000000400000-0x0000000000449000-memory.dmp

            Filesize

            292KB

            Download

          • memory/4048-40-0x0000000003100000-0x0000000003101000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4048-45-0x0000000003010000-0x0000000003055000-memory.dmp

            Filesize

            276KB

            Download