azorult | c50e6955c602373c79f2c16fd5c34794a222c9f91e05a9da27b730cc875f72b5

Analysis

max time kernel
1437s
max time network
1487s
platform
windows10_x64
resource
win10v20201028
submitted
26-03-2021 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows_10_pro_100_original_keygen_by_KeygenNinja.exe
Size

10.8MB
MD5

5763266004cd5549b61466c8b10c6535
SHA1

4d7fe3d2a06cd11797f66a67efaae78a1585bcee
SHA256

f2ed9574498ab5a4d15fa0f49ba9d64491fc22037a33b5076b2509083a408176
SHA512

c48c1d9741cec9a38f9797e22e56ac264ae675d957c5f44340b1fab6107d1e63de0515b011add4e843a0bd470bf3749a582e44f70542be0d01ded2a20b499e39

Score

10^/10

azorult plugx bootkit evasion infostealer macro persistence spyware stealer trojan upx xlm

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Nirsoft 6 IoCs

resource	yara_rule
behavioral4/files/0x000100000001ab99-89.dat	Nirsoft
behavioral4/files/0x000100000001ab99-88.dat	Nirsoft
behavioral4/files/0x000300000001ab97-102.dat	Nirsoft
behavioral4/files/0x000300000001ab97-101.dat	Nirsoft
behavioral4/files/0x000400000001ab97-117.dat	Nirsoft
behavioral4/files/0x000400000001ab97-116.dat	Nirsoft

Executes dropped EXE 26 IoCs

pid	Process
928	intro.exe
3548	keygen-pr.exe
3892	keygen-step-1.exe
1340	keygen-step-3.exe
1032	keygen-step-4.exe
2052	key.exe
640	002.exe
504	Setup.exe
3640	Rar.exe
196	setup.exe
2892	aliens.exe
3484	jg2_2qua.exe
2272	85F91A36E275562F.exe
4020	85F91A36E275562F.exe
3872	1616805573561.exe
3956	file1.exe
2312	1616805594691.exe
3900	BTRSetp.exe
2224	1616805601426.exe
856	ThunderFW.exe
476	askinstall21.exe
204	hjjgaa.exe
3824	jfiag3g_gg.exe
1796	jfiag3g_gg.exe
2156	jfiag3g_gg.exe
2284	jfiag3g_gg.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

resource	yara_rule
behavioral4/files/0x000200000001ab93-64.dat	office_xlm_macros

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x000100000001abc8-147.dat	upx
behavioral4/files/0x000100000001abc8-148.dat	upx
behavioral4/files/0x000100000001abc8-153.dat	upx

Loads dropped DLL 4 IoCs

pid	Process
504	Setup.exe
504	Setup.exe
504	Setup.exe
968	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	85F91A36E275562F.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	85F91A36E275562F.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aliens.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg2_2qua.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
51	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	aliens.exe
File opened for modification	\??\PhysicalDrive0	85F91A36E275562F.exe
File opened for modification	\??\PhysicalDrive0	85F91A36E275562F.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2892	aliens.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2272 set thread context of 3888	2272	85F91A36E275562F.exe	108
PID 2272 set thread context of 856	2272	85F91A36E275562F.exe	117
PID 2272 set thread context of 1236	2272	85F91A36E275562F.exe	124

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.chm	msiexec.exe
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	msiexec.exe
File created	C:\Program Files (x86)\gdiview\gdiview\readme.txt	msiexec.exe
File opened for modification	C:\Program Files (x86)\ujvqkl7ofji6	setup.exe
File created	C:\Program Files (x86)\ujvqkl7ofji6\__tmp_rar_sfx_access_check_259309765	setup.exe
File created	C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	setup.exe
File opened for modification	C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	setup.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9A2A452C-3057-4F5E-8C7F-41B0D566B831}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF60F.tmp	msiexec.exe
File created	C:\Windows\Installer\f77f3bf.msi	msiexec.exe
File created	C:\Windows\Installer\f77f3bd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77f3bd.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	85F91A36E275562F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	85F91A36E275562F.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	85F91A36E275562F.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	85F91A36E275562F.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	85F91A36E275562F.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	85F91A36E275562F.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	85F91A36E275562F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3976	taskkill.exe
2288	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	aliens.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	aliens.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
2784	PING.EXE
1976	PING.EXE
2676	PING.EXE
420	PING.EXE
3796	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3872	1616805573561.exe
3872	1616805573561.exe
2312	1616805594691.exe
2312	1616805594691.exe
2224	1616805601426.exe
2224	1616805601426.exe
1796	jfiag3g_gg.exe
1796	jfiag3g_gg.exe
4052	msiexec.exe
4052	msiexec.exe
2156	jfiag3g_gg.exe
2156	jfiag3g_gg.exe
2284	jfiag3g_gg.exe
2284	jfiag3g_gg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3484	jg2_2qua.exe
Token: SeShutdownPrivilege	2544	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2544	msiexec.exe
Token: SeSecurityPrivilege	4052	msiexec.exe
Token: SeCreateTokenPrivilege	2544	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2544	msiexec.exe
Token: SeLockMemoryPrivilege	2544	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2544	msiexec.exe
Token: SeMachineAccountPrivilege	2544	msiexec.exe
Token: SeTcbPrivilege	2544	msiexec.exe
Token: SeSecurityPrivilege	2544	msiexec.exe
Token: SeTakeOwnershipPrivilege	2544	msiexec.exe
Token: SeLoadDriverPrivilege	2544	msiexec.exe
Token: SeSystemProfilePrivilege	2544	msiexec.exe
Token: SeSystemtimePrivilege	2544	msiexec.exe
Token: SeProfSingleProcessPrivilege	2544	msiexec.exe
Token: SeIncBasePriorityPrivilege	2544	msiexec.exe
Token: SeCreatePagefilePrivilege	2544	msiexec.exe
Token: SeCreatePermanentPrivilege	2544	msiexec.exe
Token: SeBackupPrivilege	2544	msiexec.exe
Token: SeRestorePrivilege	2544	msiexec.exe
Token: SeShutdownPrivilege	2544	msiexec.exe
Token: SeDebugPrivilege	2544	msiexec.exe
Token: SeAuditPrivilege	2544	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2544	msiexec.exe
Token: SeChangeNotifyPrivilege	2544	msiexec.exe
Token: SeRemoteShutdownPrivilege	2544	msiexec.exe
Token: SeUndockPrivilege	2544	msiexec.exe
Token: SeSyncAgentPrivilege	2544	msiexec.exe
Token: SeEnableDelegationPrivilege	2544	msiexec.exe
Token: SeManageVolumePrivilege	2544	msiexec.exe
Token: SeImpersonatePrivilege	2544	msiexec.exe
Token: SeCreateGlobalPrivilege	2544	msiexec.exe
Token: SeCreateTokenPrivilege	2544	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2544	msiexec.exe
Token: SeLockMemoryPrivilege	2544	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2544	msiexec.exe
Token: SeMachineAccountPrivilege	2544	msiexec.exe
Token: SeTcbPrivilege	2544	msiexec.exe
Token: SeSecurityPrivilege	2544	msiexec.exe
Token: SeTakeOwnershipPrivilege	2544	msiexec.exe
Token: SeLoadDriverPrivilege	2544	msiexec.exe
Token: SeSystemProfilePrivilege	2544	msiexec.exe
Token: SeSystemtimePrivilege	2544	msiexec.exe
Token: SeProfSingleProcessPrivilege	2544	msiexec.exe
Token: SeIncBasePriorityPrivilege	2544	msiexec.exe
Token: SeCreatePagefilePrivilege	2544	msiexec.exe
Token: SeCreatePermanentPrivilege	2544	msiexec.exe
Token: SeBackupPrivilege	2544	msiexec.exe
Token: SeRestorePrivilege	2544	msiexec.exe
Token: SeShutdownPrivilege	2544	msiexec.exe
Token: SeDebugPrivilege	2544	msiexec.exe
Token: SeAuditPrivilege	2544	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2544	msiexec.exe
Token: SeChangeNotifyPrivilege	2544	msiexec.exe
Token: SeRemoteShutdownPrivilege	2544	msiexec.exe
Token: SeUndockPrivilege	2544	msiexec.exe
Token: SeSyncAgentPrivilege	2544	msiexec.exe
Token: SeEnableDelegationPrivilege	2544	msiexec.exe
Token: SeManageVolumePrivilege	2544	msiexec.exe
Token: SeImpersonatePrivilege	2544	msiexec.exe
Token: SeCreateGlobalPrivilege	2544	msiexec.exe
Token: SeCreateTokenPrivilege	2544	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2544	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2544	msiexec.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
504	Setup.exe
196	setup.exe
2892	aliens.exe
4020	85F91A36E275562F.exe
2272	85F91A36E275562F.exe
3888	firefox.exe
3872	1616805573561.exe
856	firefox.exe
2312	1616805594691.exe
1236	firefox.exe
2224	1616805601426.exe
856	ThunderFW.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 3656	3116	Windows_10_pro_100_original_keygen_by_KeygenNinja.exe	78
PID 3116 wrote to memory of 3656	3116	Windows_10_pro_100_original_keygen_by_KeygenNinja.exe	78
PID 3116 wrote to memory of 3656	3116	Windows_10_pro_100_original_keygen_by_KeygenNinja.exe	78
PID 3656 wrote to memory of 928	3656	cmd.exe	81
PID 3656 wrote to memory of 928	3656	cmd.exe	81
PID 3656 wrote to memory of 928	3656	cmd.exe	81
PID 3656 wrote to memory of 3548	3656	cmd.exe	82
PID 3656 wrote to memory of 3548	3656	cmd.exe	82
PID 3656 wrote to memory of 3548	3656	cmd.exe	82
PID 3656 wrote to memory of 3892	3656	cmd.exe	83
PID 3656 wrote to memory of 3892	3656	cmd.exe	83
PID 3656 wrote to memory of 3892	3656	cmd.exe	83
PID 3656 wrote to memory of 1340	3656	cmd.exe	84
PID 3656 wrote to memory of 1340	3656	cmd.exe	84
PID 3656 wrote to memory of 1340	3656	cmd.exe	84
PID 1340 wrote to memory of 780	1340	keygen-step-3.exe	85
PID 1340 wrote to memory of 780	1340	keygen-step-3.exe	85
PID 1340 wrote to memory of 780	1340	keygen-step-3.exe	85
PID 3548 wrote to memory of 2052	3548	keygen-pr.exe	88
PID 3548 wrote to memory of 2052	3548	keygen-pr.exe	88
PID 3548 wrote to memory of 2052	3548	keygen-pr.exe	88
PID 3656 wrote to memory of 1032	3656	cmd.exe	87
PID 3656 wrote to memory of 1032	3656	cmd.exe	87
PID 3656 wrote to memory of 1032	3656	cmd.exe	87
PID 780 wrote to memory of 2784	780	cmd.exe	89
PID 780 wrote to memory of 2784	780	cmd.exe	89
PID 780 wrote to memory of 2784	780	cmd.exe	89
PID 1032 wrote to memory of 640	1032	keygen-step-4.exe	90
PID 1032 wrote to memory of 640	1032	keygen-step-4.exe	90
PID 1032 wrote to memory of 640	1032	keygen-step-4.exe	90
PID 2052 wrote to memory of 2200	2052	key.exe	91
PID 2052 wrote to memory of 2200	2052	key.exe	91
PID 2052 wrote to memory of 2200	2052	key.exe	91
PID 640 wrote to memory of 2176	640	002.exe	92
PID 640 wrote to memory of 2176	640	002.exe	92
PID 640 wrote to memory of 2176	640	002.exe	92
PID 1032 wrote to memory of 504	1032	keygen-step-4.exe	94
PID 1032 wrote to memory of 504	1032	keygen-step-4.exe	94
PID 1032 wrote to memory of 504	1032	keygen-step-4.exe	94
PID 2176 wrote to memory of 3640	2176	cmd.exe	95
PID 2176 wrote to memory of 3640	2176	cmd.exe	95
PID 504 wrote to memory of 196	504	Setup.exe	96
PID 504 wrote to memory of 196	504	Setup.exe	96
PID 504 wrote to memory of 196	504	Setup.exe	96
PID 196 wrote to memory of 2892	196	setup.exe	97
PID 196 wrote to memory of 2892	196	setup.exe	97
PID 196 wrote to memory of 2892	196	setup.exe	97
PID 1032 wrote to memory of 3484	1032	keygen-step-4.exe	98
PID 1032 wrote to memory of 3484	1032	keygen-step-4.exe	98
PID 1032 wrote to memory of 3484	1032	keygen-step-4.exe	98
PID 2892 wrote to memory of 2544	2892	aliens.exe	99
PID 2892 wrote to memory of 2544	2892	aliens.exe	99
PID 2892 wrote to memory of 2544	2892	aliens.exe	99
PID 2892 wrote to memory of 2272	2892	aliens.exe	100
PID 2892 wrote to memory of 2272	2892	aliens.exe	100
PID 2892 wrote to memory of 2272	2892	aliens.exe	100
PID 2892 wrote to memory of 4020	2892	aliens.exe	102
PID 2892 wrote to memory of 4020	2892	aliens.exe	102
PID 2892 wrote to memory of 4020	2892	aliens.exe	102
PID 4052 wrote to memory of 968	4052	msiexec.exe	103
PID 4052 wrote to memory of 968	4052	msiexec.exe	103
PID 4052 wrote to memory of 968	4052	msiexec.exe	103
PID 2892 wrote to memory of 964	2892	aliens.exe	104
PID 2892 wrote to memory of 964	2892	aliens.exe	104

C:\Users\Admin\AppData\Local\Temp\Windows_10_pro_100_original_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\Windows_10_pro_100_original_keygen_by_KeygenNinja.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
    intro.exe 1O5ZF
    3⤵
    - Executes dropped EXE
    PID:928
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:2200
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:3892
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:780
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:2784
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:640
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cd %cd% && rar.exe -y x -p123 *.rar && C:\Users\Admin\AppData\Local\Temp\\002.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2176
      - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Rar.exe
        
        rar.exe -y x -p123 *.rar
        6⤵
        Executes dropped EXE
        
        PID:3640
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:504
    - - C:\Users\Admin\AppData\Local\Temp\sibBA6E.tmp\0\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sibBA6E.tmp\0\setup.exe" -s
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:196
      - C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe
        
        "C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe"
        6⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies system certificate store
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        7⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe
        
        C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe 0011 installp1
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3888
        
        C:\Users\Admin\AppData\Roaming\1616805573561.exe
        
        "C:\Users\Admin\AppData\Roaming\1616805573561.exe" /sjson "C:\Users\Admin\AppData\Roaming\1616805573561.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3872
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Users\Admin\AppData\Roaming\1616805594691.exe
        
        "C:\Users\Admin\AppData\Roaming\1616805594691.exe" /sjson "C:\Users\Admin\AppData\Roaming\1616805594691.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1236
        
        C:\Users\Admin\AppData\Roaming\1616805601426.exe
        
        "C:\Users\Admin\AppData\Roaming\1616805601426.exe" /sjson "C:\Users\Admin\AppData\Roaming\1616805601426.txt"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe"
        8⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        9⤵
        Runs ping.exe
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe
        
        C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe 200 installp1
        7⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe"
        8⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        9⤵
        Runs ping.exe
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe"
        7⤵
        
        PID:964
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        8⤵
        Runs ping.exe
        
        PID:1976
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file1.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file1.exe"
      4⤵
      Executes dropped EXE
      PID:3956
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file1.exe" >> NUL
        5⤵
        
        PID:2124
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:420
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
      4⤵
      Executes dropped EXE
      PID:3900
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe"
      4⤵
      Executes dropped EXE
      PID:476
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:1404
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:204
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:3824
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1796
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2156
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2284

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 76A2C013197F1CC38EE869E660F9D769 C
  2⤵
  - Loads dropped DLL
  PID:968
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2560

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/196-50-0x0000000072980000-0x0000000072A13000-memory.dmp

Filesize
588KB

Download
memory/504-40-0x00000000717D0000-0x0000000071EBE000-memory.dmp

Filesize
6.9MB

Download
memory/504-54-0x0000000010B56000-0x0000000010B57000-memory.dmp

Filesize
4KB

Download
memory/504-53-0x0000000010B54000-0x0000000010B56000-memory.dmp

Filesize
8KB

Download
memory/504-52-0x0000000010B53000-0x0000000010B54000-memory.dmp

Filesize
4KB

Download
memory/504-51-0x0000000010B51000-0x0000000010B52000-memory.dmp

Filesize
4KB

Download
memory/504-46-0x0000000010B60000-0x0000000010B61000-memory.dmp

Filesize
4KB

Download
memory/504-44-0x0000000010B10000-0x0000000010B11000-memory.dmp

Filesize
4KB

Download
memory/504-41-0x0000000010B50000-0x0000000010B51000-memory.dmp

Filesize
4KB

Download
memory/504-37-0x0000000072980000-0x0000000072A13000-memory.dmp

Filesize
588KB

Download
memory/856-100-0x00007FF837180000-0x00007FF8371FE000-memory.dmp

Filesize
504KB

Download
memory/856-131-0x0000000072980000-0x0000000072A13000-memory.dmp

Filesize
588KB

Download
memory/856-105-0x000002DC0A240000-0x000002DC0A241000-memory.dmp

Filesize
4KB

Download
memory/1236-125-0x0000022E6C020000-0x0000022E6C021000-memory.dmp

Filesize
4KB

Download
memory/1236-114-0x00007FF837180000-0x00007FF8371FE000-memory.dmp

Filesize
504KB

Download
memory/2052-27-0x0000000002530000-0x00000000026CC000-memory.dmp

Filesize
1.6MB

Download
memory/2224-118-0x0000000072980000-0x0000000072A13000-memory.dmp

Filesize
588KB

Download
memory/2272-69-0x0000000072980000-0x0000000072A13000-memory.dmp

Filesize
588KB

Download
memory/2272-80-0x0000000004240000-0x00000000046F1000-memory.dmp

Filesize
4.7MB

Download
memory/2312-103-0x0000000072980000-0x0000000072A13000-memory.dmp

Filesize
588KB

Download
memory/2892-62-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/2892-58-0x0000000072980000-0x0000000072A13000-memory.dmp

Filesize
588KB

Download
memory/3116-2-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/3872-90-0x0000000072980000-0x0000000072A13000-memory.dmp

Filesize
588KB

Download
memory/3888-86-0x0000015A517F0000-0x0000015A517F1000-memory.dmp

Filesize
4KB

Download
memory/3888-83-0x00007FF837180000-0x00007FF8371FE000-memory.dmp

Filesize
504KB

Download
memory/3888-84-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/3900-122-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/3900-119-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/3900-123-0x0000000000FE0000-0x0000000000FFD000-memory.dmp

Filesize
116KB

Download
memory/3900-124-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/3900-126-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/3900-113-0x0000000071AE0000-0x00000000721CE000-memory.dmp

Filesize
6.9MB

Download
memory/3956-97-0x0000000000600000-0x000000000060D000-memory.dmp

Filesize
52KB

Download
memory/4020-79-0x0000000003940000-0x0000000003DF1000-memory.dmp

Filesize
4.7MB

Download
memory/4020-71-0x0000000072980000-0x0000000072A13000-memory.dmp

Filesize
588KB

Download