Overview

overview

10

Static

static

ฺฺฺB...��ฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

ฺฺฺ�...

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...��ฺ7

windows7_x64

10

Analysis

  • max time kernel
    553s
  • max time network
    553s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-03-2021 19:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Microsoft_Windows_10_keygen_by_KeygenNinja.exe

  • Size

    10.6MB

  • MD5

    f986b0da579828fa492041a33862a74d

  • SHA1

    79ce5993da004a0a96609b9f025befb7bf391009

  • SHA256

    df7a1a5d4e81f076198ed56b9bae34bf8f907e300d22cd8681f910472609422e

  • SHA512

    6148127921cbe28135e002f6d0f72f717ffcf980cfd8faaea1d73a813123884a996526925cf05fefb288810b8cfd9065ed618ac98ab2b5d63bd637ce55fbf519

Score
10/10
azorultplugxbootkitevasioninfostealermacropersistencespywarestealertrojanupxxlm

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Nirsoft 6 IoCs
  • Executes dropped EXE 23 IoCs
  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

    macroxlm
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 10 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_10_keygen_by_KeygenNinja.exe
    "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_10_keygen_by_KeygenNinja.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3872
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
        intro.exe 1O5ZF
        3⤵
        • Executes dropped EXE
        PID:2756
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
        keygen-pr.exe -p83fsase3Ge
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3432
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2052
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
            C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
            5⤵
              PID:3104
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
          keygen-step-1.exe
          3⤵
          • Executes dropped EXE
          PID:2840
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
          keygen-step-3.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3524
            • C:\Windows\SysWOW64\PING.EXE
              ping 1.1.1.1 -n 1 -w 3000
              5⤵
              • Runs ping.exe
              PID:3912
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
          keygen-step-4.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2336
          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1584
          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1128
            • C:\Users\Admin\AppData\Local\Temp\sibE816.tmp\0\setup.exe
              "C:\Users\Admin\AppData\Local\Temp\sibE816.tmp\0\setup.exe" -s
              5⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2232
              • C:\Program Files (x86)\k42a4i0zb2uk\aliens.exe
                "C:\Program Files (x86)\k42a4i0zb2uk\aliens.exe"
                6⤵
                • Executes dropped EXE
                • Writes to the Master Boot Record (MBR)
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Modifies system certificate store
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1444
                • C:\Windows\SysWOW64\msiexec.exe
                  msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
                  7⤵
                  • Enumerates connected drives
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  PID:2748
                • C:\Users\Admin\AppData\Local\Temp\08B935EBAFB9032A.exe
                  C:\Users\Admin\AppData\Local\Temp\08B935EBAFB9032A.exe 0011 installp1
                  7⤵
                  • Executes dropped EXE
                  • Writes to the Master Boot Record (MBR)
                  • Suspicious use of SetThreadContext
                  • Checks SCSI registry key(s)
                  • Suspicious use of SetWindowsHookEx
                  PID:188
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:2168
                  • C:\Users\Admin\AppData\Roaming\1616099008291.exe
                    "C:\Users\Admin\AppData\Roaming\1616099008291.exe" /sjson "C:\Users\Admin\AppData\Roaming\1616099008291.txt"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:4040
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:820
                  • C:\Users\Admin\AppData\Roaming\1616099011900.exe
                    "C:\Users\Admin\AppData\Roaming\1616099011900.exe" /sjson "C:\Users\Admin\AppData\Roaming\1616099011900.txt"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:2332
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:1060
                  • C:\Users\Admin\AppData\Roaming\1616099018760.exe
                    "C:\Users\Admin\AppData\Roaming\1616099018760.exe" /sjson "C:\Users\Admin\AppData\Roaming\1616099018760.txt"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:652
                  • C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
                    C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:2140
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\08B935EBAFB9032A.exe"
                    8⤵
                      PID:2220
                      • C:\Windows\SysWOW64\PING.EXE
                        ping 127.0.0.1 -n 3
                        9⤵
                        • Runs ping.exe
                        PID:2648
                  • C:\Users\Admin\AppData\Local\Temp\08B935EBAFB9032A.exe
                    C:\Users\Admin\AppData\Local\Temp\08B935EBAFB9032A.exe 200 installp1
                    7⤵
                    • Executes dropped EXE
                    • Writes to the Master Boot Record (MBR)
                    • Checks SCSI registry key(s)
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:3916
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd.exe /c taskkill /f /im chrome.exe
                      8⤵
                        PID:756
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /f /im chrome.exe
                          9⤵
                          • Kills process with taskkill
                          PID:3276
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\08B935EBAFB9032A.exe"
                        8⤵
                          PID:2204
                          • C:\Windows\SysWOW64\PING.EXE
                            ping 127.0.0.1 -n 3
                            9⤵
                            • Runs ping.exe
                            PID:2132
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\k42a4i0zb2uk\aliens.exe"
                        7⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4084
                        • C:\Windows\SysWOW64\PING.EXE
                          ping 127.0.0.1 -n 3
                          8⤵
                          • Runs ping.exe
                          PID:3832
                • C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe
                  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"
                  4⤵
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3920
                • C:\Users\Admin\AppData\Local\Temp\RarSFX2\file1.exe
                  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file1.exe"
                  4⤵
                  • Executes dropped EXE
                  PID:2192
                • C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
                  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
                  4⤵
                  • Executes dropped EXE
                  PID:2660
                • C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe
                  "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe"
                  4⤵
                  • Executes dropped EXE
                  PID:1132
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd.exe /c taskkill /f /im chrome.exe
                    5⤵
                      PID:1320
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /f /im chrome.exe
                        6⤵
                        • Kills process with taskkill
                        PID:3676
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
                    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
                    4⤵
                    • Executes dropped EXE
                    • Adds Run key to start application
                    PID:2240
                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                      5⤵
                      • Executes dropped EXE
                      PID:3512
                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                      5⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1744
            • C:\Windows\system32\msiexec.exe
              C:\Windows\system32\msiexec.exe /V
              1⤵
              • Enumerates connected drives
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3684
              • C:\Windows\syswow64\MsiExec.exe
                C:\Windows\syswow64\MsiExec.exe -Embedding 5DAFBF72A36221E89BEEEA6E2D8DAD5D C
                2⤵
                • Loads dropped DLL
                PID:3612
              • C:\Windows\system32\srtasks.exe
                C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                2⤵
                  PID:1740
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                  PID:3824
                • \??\c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
                  1⤵
                  • Checks SCSI registry key(s)
                  • Modifies data under HKEY_USERS
                  PID:752

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/188-65-0x00000000730C0000-0x0000000073153000-memory.dmp

                  Filesize

                  588KB

                  Download

                • memory/188-77-0x0000000004DC0000-0x0000000005271000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/652-116-0x00000000730C0000-0x0000000073153000-memory.dmp

                  Filesize

                  588KB

                  Download

                • memory/820-109-0x0000016EDCE40000-0x0000016EDCE41000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/820-101-0x00007FFA17BA0000-0x00007FFA17C1E000-memory.dmp

                  Filesize

                  504KB

                  Download

                • memory/1060-118-0x000001AC0BEC0000-0x000001AC0BEC1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1060-113-0x00007FFA17BA0000-0x00007FFA17C1E000-memory.dmp

                  Filesize

                  504KB

                  Download

                • memory/1128-37-0x0000000071F10000-0x00000000725FE000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/1128-40-0x0000000010B20000-0x0000000010B21000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1128-42-0x0000000010B40000-0x0000000010B41000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1128-46-0x0000000010AD0000-0x0000000010AD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1128-51-0x0000000010AD6000-0x0000000010AD7000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1128-35-0x00000000730C0000-0x0000000073153000-memory.dmp

                  Filesize

                  588KB

                  Download

                • memory/1128-48-0x0000000010AD1000-0x0000000010AD2000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1128-50-0x0000000010AD4000-0x0000000010AD6000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/1128-49-0x0000000010AD3000-0x0000000010AD4000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1444-55-0x00000000730C0000-0x0000000073153000-memory.dmp

                  Filesize

                  588KB

                  Download

                • memory/1444-59-0x0000000010000000-0x000000001033D000-memory.dmp

                  Filesize

                  3.2MB

                  Download

                • memory/1584-31-0x0000000010000000-0x00000000100E4000-memory.dmp

                  Filesize

                  912KB

                  Download

                • memory/2052-30-0x0000000002C70000-0x0000000002E0C000-memory.dmp

                  Filesize

                  1.6MB

                  Download

                • memory/2140-123-0x00000000730C0000-0x0000000073153000-memory.dmp

                  Filesize

                  588KB

                  Download

                • memory/2168-80-0x00007FFA17BA0000-0x00007FFA17C1E000-memory.dmp

                  Filesize

                  504KB

                  Download

                • memory/2168-83-0x0000022D88BD0000-0x0000022D88BD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2168-81-0x0000000010000000-0x0000000010057000-memory.dmp

                  Filesize

                  348KB

                  Download

                • memory/2232-47-0x00000000730C0000-0x0000000073153000-memory.dmp

                  Filesize

                  588KB

                  Download

                • memory/2332-107-0x00000000730C0000-0x0000000073153000-memory.dmp

                  Filesize

                  588KB

                  Download

                • memory/2660-97-0x0000000071F30000-0x000000007261E000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/2660-98-0x00000000003C0000-0x00000000003C1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2660-104-0x00000000009B0000-0x00000000009B2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2660-108-0x0000000004C10000-0x0000000004C11000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3916-68-0x00000000730C0000-0x0000000073153000-memory.dmp

                  Filesize

                  588KB

                  Download

                • memory/3916-76-0x0000000004D80000-0x0000000005231000-memory.dmp

                  Filesize

                  4.7MB

                  Download

                • memory/4040-87-0x00000000730C0000-0x0000000073153000-memory.dmp

                  Filesize

                  588KB

                  Download