azorult | c50e6955c602373c79f2c16fd5c34794a222c9f91e05a9da27b730cc875f72b5

Analysis

max time kernel
486s
max time network
380s
platform
windows10_x64
resource
win10v20201028
submitted
26-03-2021 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows_10_pro_100_original_keygen_by_KeygenNinja.exe
Size

10.8MB
MD5

5763266004cd5549b61466c8b10c6535
SHA1

4d7fe3d2a06cd11797f66a67efaae78a1585bcee
SHA256

f2ed9574498ab5a4d15fa0f49ba9d64491fc22037a33b5076b2509083a408176
SHA512

c48c1d9741cec9a38f9797e22e56ac264ae675d957c5f44340b1fab6107d1e63de0515b011add4e843a0bd470bf3749a582e44f70542be0d01ded2a20b499e39

Score

10^/10

azorult plugx pony bootkit discovery evasion infostealer macro persistence rat spyware stealer trojan upx xlm

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Nirsoft 6 IoCs

resource	yara_rule
behavioral3/files/0x000600000001ab53-103.dat	Nirsoft
behavioral3/files/0x000600000001ab53-104.dat	Nirsoft
behavioral3/files/0x000600000001ab6e-120.dat	Nirsoft
behavioral3/files/0x000600000001ab6e-119.dat	Nirsoft
behavioral3/files/0x000700000001ab6e-129.dat	Nirsoft
behavioral3/files/0x000700000001ab6e-128.dat	Nirsoft

Executes dropped EXE 25 IoCs

pid	Process
2588	intro.exe
3748	keygen-pr.exe
2896	keygen-step-1.exe
1132	keygen-step-3.exe
2376	key.exe
2448	keygen-step-4.exe
2200	002.exe
3512	key.exe
2132	Setup.exe
1356	Rar.exe
4092	setup.exe
3828	aliens.exe
3128	jg2_2qua.exe
2612	85F91A36E275562F.exe
2100	85F91A36E275562F.exe
3600	file1.exe
4268	BTRSetp.exe
4324	1616801538460.exe
4548	1616801539960.exe
4636	1616801542164.exe
4788	askinstall21.exe
5012	hjjgaa.exe
5056	jfiag3g_gg.exe
5092	jfiag3g_gg.exe
5116	ThunderFW.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

resource	yara_rule
behavioral3/files/0x0004000000015660-70.dat	office_xlm_macros

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x000800000001ab6e-149.dat	upx
behavioral3/files/0x000800000001ab6e-150.dat	upx
behavioral3/files/0x000800000001ab6e-153.dat	upx

Loads dropped DLL 4 IoCs

pid	Process
2132	Setup.exe
2132	Setup.exe
2132	Setup.exe
1628	MsiExec.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg2_2qua.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aliens.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	85F91A36E275562F.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	85F91A36E275562F.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
52	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	aliens.exe
File opened for modification	\??\PhysicalDrive0	85F91A36E275562F.exe
File opened for modification	\??\PhysicalDrive0	85F91A36E275562F.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3828	aliens.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2376 set thread context of 3512	2376	key.exe	90
PID 2612 set thread context of 1428	2612	85F91A36E275562F.exe	111
PID 2612 set thread context of 4528	2612	85F91A36E275562F.exe	124
PID 2612 set thread context of 4624	2612	85F91A36E275562F.exe	126

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	setup.exe
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.chm	msiexec.exe
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	msiexec.exe
File created	C:\Program Files (x86)\gdiview\gdiview\readme.txt	msiexec.exe
File opened for modification	C:\Program Files (x86)\ujvqkl7ofji6	setup.exe
File created	C:\Program Files (x86)\ujvqkl7ofji6\__tmp_rar_sfx_access_check_259287671	setup.exe
File created	C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	setup.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f770047.msi	msiexec.exe
File created	C:\Windows\Installer\f770045.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f770045.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9A2A452C-3057-4F5E-8C7F-41B0D566B831}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CC.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	85F91A36E275562F.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	85F91A36E275562F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	85F91A36E275562F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	85F91A36E275562F.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	85F91A36E275562F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	85F91A36E275562F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	85F91A36E275562F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4140	taskkill.exe
4976	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	aliens.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	aliens.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
1604	PING.EXE
3992	PING.EXE
4368	PING.EXE
4488	PING.EXE
2364	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2376	key.exe
2376	key.exe
4324	1616801538460.exe
4324	1616801538460.exe
4548	1616801539960.exe
4548	1616801539960.exe
4636	1616801542164.exe
4636	1616801542164.exe
5092	jfiag3g_gg.exe
5092	jfiag3g_gg.exe
3004	msiexec.exe
3004	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	2376	key.exe
Token: SeTcbPrivilege	2376	key.exe
Token: SeChangeNotifyPrivilege	2376	key.exe
Token: SeCreateTokenPrivilege	2376	key.exe
Token: SeBackupPrivilege	2376	key.exe
Token: SeRestorePrivilege	2376	key.exe
Token: SeIncreaseQuotaPrivilege	2376	key.exe
Token: SeAssignPrimaryTokenPrivilege	2376	key.exe
Token: SeImpersonatePrivilege	2376	key.exe
Token: SeTcbPrivilege	2376	key.exe
Token: SeChangeNotifyPrivilege	2376	key.exe
Token: SeCreateTokenPrivilege	2376	key.exe
Token: SeBackupPrivilege	2376	key.exe
Token: SeRestorePrivilege	2376	key.exe
Token: SeIncreaseQuotaPrivilege	2376	key.exe
Token: SeAssignPrimaryTokenPrivilege	2376	key.exe
Token: SeImpersonatePrivilege	2376	key.exe
Token: SeTcbPrivilege	2376	key.exe
Token: SeChangeNotifyPrivilege	2376	key.exe
Token: SeCreateTokenPrivilege	2376	key.exe
Token: SeBackupPrivilege	2376	key.exe
Token: SeRestorePrivilege	2376	key.exe
Token: SeIncreaseQuotaPrivilege	2376	key.exe
Token: SeAssignPrimaryTokenPrivilege	2376	key.exe
Token: SeImpersonatePrivilege	2376	key.exe
Token: SeTcbPrivilege	2376	key.exe
Token: SeChangeNotifyPrivilege	2376	key.exe
Token: SeCreateTokenPrivilege	2376	key.exe
Token: SeBackupPrivilege	2376	key.exe
Token: SeRestorePrivilege	2376	key.exe
Token: SeIncreaseQuotaPrivilege	2376	key.exe
Token: SeAssignPrimaryTokenPrivilege	2376	key.exe
Token: SeImpersonatePrivilege	2376	key.exe
Token: SeTcbPrivilege	2376	key.exe
Token: SeChangeNotifyPrivilege	2376	key.exe
Token: SeCreateTokenPrivilege	2376	key.exe
Token: SeBackupPrivilege	2376	key.exe
Token: SeRestorePrivilege	2376	key.exe
Token: SeIncreaseQuotaPrivilege	2376	key.exe
Token: SeAssignPrimaryTokenPrivilege	2376	key.exe
Token: SeManageVolumePrivilege	3128	jg2_2qua.exe
Token: SeShutdownPrivilege	2168	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2168	msiexec.exe
Token: SeSecurityPrivilege	3004	msiexec.exe
Token: SeManageVolumePrivilege	3128	jg2_2qua.exe
Token: SeCreateTokenPrivilege	2168	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2168	msiexec.exe
Token: SeLockMemoryPrivilege	2168	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2168	msiexec.exe
Token: SeMachineAccountPrivilege	2168	msiexec.exe
Token: SeTcbPrivilege	2168	msiexec.exe
Token: SeSecurityPrivilege	2168	msiexec.exe
Token: SeTakeOwnershipPrivilege	2168	msiexec.exe
Token: SeLoadDriverPrivilege	2168	msiexec.exe
Token: SeSystemProfilePrivilege	2168	msiexec.exe
Token: SeSystemtimePrivilege	2168	msiexec.exe
Token: SeProfSingleProcessPrivilege	2168	msiexec.exe
Token: SeIncBasePriorityPrivilege	2168	msiexec.exe
Token: SeCreatePagefilePrivilege	2168	msiexec.exe
Token: SeCreatePermanentPrivilege	2168	msiexec.exe
Token: SeBackupPrivilege	2168	msiexec.exe
Token: SeRestorePrivilege	2168	msiexec.exe
Token: SeShutdownPrivilege	2168	msiexec.exe
Token: SeDebugPrivilege	2168	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2168	msiexec.exe
2168	msiexec.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2132	Setup.exe
4092	setup.exe
3828	aliens.exe
2612	85F91A36E275562F.exe
2100	85F91A36E275562F.exe
1428	firefox.exe
4324	1616801538460.exe
4528	firefox.exe
4548	1616801539960.exe
4624	firefox.exe
4636	1616801542164.exe
5116	ThunderFW.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 1136	3920	Windows_10_pro_100_original_keygen_by_KeygenNinja.exe	78
PID 3920 wrote to memory of 1136	3920	Windows_10_pro_100_original_keygen_by_KeygenNinja.exe	78
PID 3920 wrote to memory of 1136	3920	Windows_10_pro_100_original_keygen_by_KeygenNinja.exe	78
PID 1136 wrote to memory of 2588	1136	cmd.exe	81
PID 1136 wrote to memory of 2588	1136	cmd.exe	81
PID 1136 wrote to memory of 2588	1136	cmd.exe	81
PID 1136 wrote to memory of 3748	1136	cmd.exe	82
PID 1136 wrote to memory of 3748	1136	cmd.exe	82
PID 1136 wrote to memory of 3748	1136	cmd.exe	82
PID 1136 wrote to memory of 2896	1136	cmd.exe	83
PID 1136 wrote to memory of 2896	1136	cmd.exe	83
PID 1136 wrote to memory of 2896	1136	cmd.exe	83
PID 1136 wrote to memory of 1132	1136	cmd.exe	84
PID 1136 wrote to memory of 1132	1136	cmd.exe	84
PID 1136 wrote to memory of 1132	1136	cmd.exe	84
PID 1132 wrote to memory of 1252	1132	keygen-step-3.exe	85
PID 1132 wrote to memory of 1252	1132	keygen-step-3.exe	85
PID 1132 wrote to memory of 1252	1132	keygen-step-3.exe	85
PID 3748 wrote to memory of 2376	3748	keygen-pr.exe	87
PID 3748 wrote to memory of 2376	3748	keygen-pr.exe	87
PID 3748 wrote to memory of 2376	3748	keygen-pr.exe	87
PID 1136 wrote to memory of 2448	1136	cmd.exe	88
PID 1136 wrote to memory of 2448	1136	cmd.exe	88
PID 1136 wrote to memory of 2448	1136	cmd.exe	88
PID 2448 wrote to memory of 2200	2448	keygen-step-4.exe	89
PID 2448 wrote to memory of 2200	2448	keygen-step-4.exe	89
PID 2448 wrote to memory of 2200	2448	keygen-step-4.exe	89
PID 1252 wrote to memory of 1604	1252	cmd.exe	91
PID 1252 wrote to memory of 1604	1252	cmd.exe	91
PID 1252 wrote to memory of 1604	1252	cmd.exe	91
PID 2376 wrote to memory of 3512	2376	key.exe	90
PID 2376 wrote to memory of 3512	2376	key.exe	90
PID 2376 wrote to memory of 3512	2376	key.exe	90
PID 2376 wrote to memory of 3512	2376	key.exe	90
PID 2376 wrote to memory of 3512	2376	key.exe	90
PID 2376 wrote to memory of 3512	2376	key.exe	90
PID 2376 wrote to memory of 3512	2376	key.exe	90
PID 2376 wrote to memory of 3512	2376	key.exe	90
PID 2376 wrote to memory of 3512	2376	key.exe	90
PID 2376 wrote to memory of 3512	2376	key.exe	90
PID 2376 wrote to memory of 3512	2376	key.exe	90
PID 2376 wrote to memory of 3512	2376	key.exe	90
PID 2376 wrote to memory of 3512	2376	key.exe	90
PID 2376 wrote to memory of 3512	2376	key.exe	90
PID 2376 wrote to memory of 3512	2376	key.exe	90
PID 2200 wrote to memory of 2900	2200	002.exe	93
PID 2200 wrote to memory of 2900	2200	002.exe	93
PID 2200 wrote to memory of 2900	2200	002.exe	93
PID 2448 wrote to memory of 2132	2448	keygen-step-4.exe	95
PID 2448 wrote to memory of 2132	2448	keygen-step-4.exe	95
PID 2448 wrote to memory of 2132	2448	keygen-step-4.exe	95
PID 2900 wrote to memory of 1356	2900	cmd.exe	96
PID 2900 wrote to memory of 1356	2900	cmd.exe	96
PID 2132 wrote to memory of 4092	2132	Setup.exe	98
PID 2132 wrote to memory of 4092	2132	Setup.exe	98
PID 2132 wrote to memory of 4092	2132	Setup.exe	98
PID 4092 wrote to memory of 3828	4092	setup.exe	100
PID 4092 wrote to memory of 3828	4092	setup.exe	100
PID 4092 wrote to memory of 3828	4092	setup.exe	100
PID 2448 wrote to memory of 3128	2448	keygen-step-4.exe	101
PID 2448 wrote to memory of 3128	2448	keygen-step-4.exe	101
PID 2448 wrote to memory of 3128	2448	keygen-step-4.exe	101
PID 3828 wrote to memory of 2168	3828	aliens.exe	102
PID 3828 wrote to memory of 2168	3828	aliens.exe	102

C:\Users\Admin\AppData\Local\Temp\Windows_10_pro_100_original_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\Windows_10_pro_100_original_keygen_by_KeygenNinja.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
    intro.exe 1O5ZF
    3⤵
    - Executes dropped EXE
    PID:2588
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        Executes dropped EXE
        
        PID:3512
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:2896
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1252
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:1604
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2200
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cd %cd% && rar.exe -y x -p123 *.rar && C:\Users\Admin\AppData\Local\Temp\\002.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Rar.exe
        
        rar.exe -y x -p123 *.rar
        6⤵
        Executes dropped EXE
        
        PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Users\Admin\AppData\Local\Temp\sib5E35.tmp\0\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sib5E35.tmp\0\setup.exe" -s
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4092
      - C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe
        
        "C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe"
        6⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies system certificate store
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        7⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe
        
        C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe 0011 installp1
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1428
        
        C:\Users\Admin\AppData\Roaming\1616801538460.exe
        
        "C:\Users\Admin\AppData\Roaming\1616801538460.exe" /sjson "C:\Users\Admin\AppData\Roaming\1616801538460.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4324
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4528
        
        C:\Users\Admin\AppData\Roaming\1616801539960.exe
        
        "C:\Users\Admin\AppData\Roaming\1616801539960.exe" /sjson "C:\Users\Admin\AppData\Roaming\1616801539960.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4548
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4624
        
        C:\Users\Admin\AppData\Roaming\1616801542164.exe
        
        "C:\Users\Admin\AppData\Roaming\1616801542164.exe" /sjson "C:\Users\Admin\AppData\Roaming\1616801542164.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe"
        8⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        9⤵
        Runs ping.exe
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe"
        7⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        8⤵
        Runs ping.exe
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe
        
        C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe 200 installp1
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe"
        8⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        9⤵
        Runs ping.exe
        
        PID:4488
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      PID:3128
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file1.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file1.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:3600
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file1.exe" >> NUL
        5⤵
        
        PID:4212
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4368
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
      4⤵
      Executes dropped EXE
      PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe"
      4⤵
      Executes dropped EXE
      PID:4788
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:4932
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:4976
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:5012
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:5056
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5092

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 74230164AC05C749210014AAD41C58D6 C
  2⤵
  - Loads dropped DLL
  PID:1628
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4704

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1428-93-0x00007FF9220D0000-0x00007FF92214E000-memory.dmp

Filesize
504KB

Download
memory/1428-94-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/1428-101-0x000001B3C08F0000-0x000001B3C08F1000-memory.dmp

Filesize
4KB

Download
memory/2100-78-0x0000000072440000-0x00000000724D3000-memory.dmp

Filesize
588KB

Download
memory/2100-89-0x00000000041D0000-0x0000000004681000-memory.dmp

Filesize
4.7MB

Download
memory/2132-47-0x0000000010B30000-0x0000000010B31000-memory.dmp

Filesize
4KB

Download
memory/2132-48-0x0000000010C20000-0x0000000010C21000-memory.dmp

Filesize
4KB

Download
memory/2132-56-0x0000000010C26000-0x0000000010C27000-memory.dmp

Filesize
4KB

Download
memory/2132-51-0x0000000010C23000-0x0000000010C24000-memory.dmp

Filesize
4KB

Download
memory/2132-49-0x0000000010C21000-0x0000000010C22000-memory.dmp

Filesize
4KB

Download
memory/2132-45-0x0000000010B10000-0x0000000010B11000-memory.dmp

Filesize
4KB

Download
memory/2132-42-0x0000000070D50000-0x000000007143E000-memory.dmp

Filesize
6.9MB

Download
memory/2132-55-0x0000000010C24000-0x0000000010C26000-memory.dmp

Filesize
8KB

Download
memory/2132-36-0x0000000072440000-0x00000000724D3000-memory.dmp

Filesize
588KB

Download
memory/2376-26-0x0000000002F70000-0x000000000310C000-memory.dmp

Filesize
1.6MB

Download
memory/2376-60-0x0000000000FD0000-0x0000000000FEB000-memory.dmp

Filesize
108KB

Download
memory/2376-59-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/2376-58-0x0000000003110000-0x00000000031FF000-memory.dmp

Filesize
956KB

Download
memory/2612-76-0x0000000072440000-0x00000000724D3000-memory.dmp

Filesize
588KB

Download
memory/2612-90-0x0000000004240000-0x00000000046F1000-memory.dmp

Filesize
4.7MB

Download
memory/3512-37-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/3512-29-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/3600-88-0x0000000001070000-0x000000000107D000-memory.dmp

Filesize
52KB

Download
memory/3828-68-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/3828-64-0x0000000072440000-0x00000000724D3000-memory.dmp

Filesize
588KB

Download
memory/4092-54-0x0000000072440000-0x00000000724D3000-memory.dmp

Filesize
588KB

Download
memory/4268-113-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/4268-100-0x0000000070450000-0x0000000070B3E000-memory.dmp

Filesize
6.9MB

Download
memory/4268-110-0x00000000022B0000-0x00000000022CD000-memory.dmp

Filesize
116KB

Download
memory/4268-105-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/4268-111-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/4268-109-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/4324-106-0x0000000072440000-0x00000000724D3000-memory.dmp

Filesize
588KB

Download
memory/4528-123-0x0000017F380C0000-0x0000017F380C1000-memory.dmp

Filesize
4KB

Download
memory/4528-117-0x00007FF9220D0000-0x00007FF92214E000-memory.dmp

Filesize
504KB

Download
memory/4548-121-0x0000000072440000-0x00000000724D3000-memory.dmp

Filesize
588KB

Download
memory/4624-127-0x00007FF9220D0000-0x00007FF92214E000-memory.dmp

Filesize
504KB

Download
memory/4624-132-0x0000028B89670000-0x0000028B89671000-memory.dmp

Filesize
4KB

Download
memory/4636-130-0x0000000072440000-0x00000000724D3000-memory.dmp

Filesize
588KB

Download
memory/5116-155-0x0000000072440000-0x00000000724D3000-memory.dmp

Filesize
588KB

Download