Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
17s -
max time network
50s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
04/04/2021, 05:12
General
-
Target
Lynda_Com_Word_crack.exe
Score
10/10
Malware Config
Extracted
Family
azorult
C2
http://kvaka.li/1210776429.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner Payload 4 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 10 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 7 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Lynda_Com_Word_crack.exe"C:\Users\Admin\AppData\Local\Temp\Lynda_Com_Word_crack.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\28GWWF2LON\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\28GWWF2LON\multitimer.exe" 0 3060197d33d91c80.94013368 0 1015⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\28GWWF2LON\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\28GWWF2LON\multitimer.exe" 1 1016⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\PTUH9MCLNQ\setups.exe"C:\Users\Admin\AppData\Local\Temp\PTUH9MCLNQ\setups.exe" ll5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-BQ46D.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-BQ46D.tmp\setups.tmp" /SL5="$301D2,635399,250368,C:\Users\Admin\AppData\Local\Temp\PTUH9MCLNQ\setups.exe" ll6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full_Version.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full_Version.exe"4⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"5⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\9AEE.tmp.exe"C:\Users\Admin\AppData\Roaming\9AEE.tmp.exe"5⤵
-
C:\Windows\system32\msiexec.exe-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 999996⤵
-
-
C:\Windows\system32\msiexec.exe-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 99996⤵
-
-
-
C:\Users\Admin\AppData\Roaming\9CC3.tmp.exe"C:\Users\Admin\AppData\Roaming\9CC3.tmp.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"4⤵
-
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
272KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
8KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
44KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
412KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
412KB
-
Filesize
7.0MB
-
Filesize
80KB
-
Filesize
128KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
28KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
52KB
-
Filesize
288KB
-
Filesize
344KB
-
Filesize
232KB
-
Filesize
84.5MB
-
Filesize
412KB
-
Filesize
1.0MB
-
Filesize
3.5MB
-
Filesize
3.5MB