Analysis

  • max time kernel
    1782s
  • max time network
    1688s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    04-04-2021 11:41

General

  • Target

    Comprehensive_Meta_Analysis_keygen_by_KeygenNinja.exe

  • Size

    5.2MB

  • MD5

    ca3728b14865976c4f39d4b1dd058d4b

  • SHA1

    41f57c0b052b0ac3a276463f6c09085efb049153

  • SHA256

    829a3cefee8046496eb6bc03b2009891bec987a01ebe652bacc42292cf892418

  • SHA512

    eabceb4164f54c8332da402ec6f5b91776dedc1b2a4ea1491217a3fed1d4f54bde5863605cbec7910f04f4265a2a9ae8b6dd95aad0ba3dba1ec6a0a26ee217e9

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Taurus Stealer

    Taurus is an infostealer first seen in June 2020.

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • XMRig Miner Payload 4 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 52 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Modifies system certificate store 2 TTPs 9 IoCs
  • NTFS ADS 3 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:476
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:880
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:2032
  • C:\Users\Admin\AppData\Local\Temp\Comprehensive_Meta_Analysis_keygen_by_KeygenNinja.exe
    "C:\Users\Admin\AppData\Local\Temp\Comprehensive_Meta_Analysis_keygen_by_KeygenNinja.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1788
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1640
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
            keygen-pr.exe -p83fsase3Ge
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:384
              • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1680
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
                    C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
                    5⤵
                    • Executes dropped EXE
                    PID:824
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
            keygen-step-1.exe
            3⤵
            • Executes dropped EXE
            PID:472
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
            keygen-step-3.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1176
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1792
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 1.1.1.1 -n 1 -w 3000
                    5⤵
                    • Runs ping.exe
                    PID:1500
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
            keygen-step-4.exe
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            • Suspicious use of WriteProcessMemory
            PID:628
              • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
                4⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1072
                  • C:\Users\Admin\AppData\Local\Temp\AQ5D3JBDNB\multitimer.exe
                    "C:\Users\Admin\AppData\Local\Temp\AQ5D3JBDNB\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
                    5⤵
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • Suspicious use of WriteProcessMemory
                    PID:1660
                      • C:\Users\Admin\AppData\Local\Temp\AQ5D3JBDNB\multitimer.exe
                        "C:\Users\Admin\AppData\Local\Temp\AQ5D3JBDNB\multitimer.exe" 1 101
                        6⤵
                        • Executes dropped EXE
                        PID:912
              • C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
                4⤵
                • Executes dropped EXE
                • Modifies system certificate store
                • Suspicious use of AdjustPrivilegeToken
                PID:1808
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd.exe /c taskkill /f /im chrome.exe
                    5⤵
                    PID:828
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /f /im chrome.exe
                        6⤵
                        • Kills process with taskkill
                        PID:1652
              • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full_Version.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full_Version.exe"
                4⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                PID:1608
                  • C:\Windows\SysWOW64\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
                    5⤵
                    PID:1556
                      • C:\Windows\SysWOW64\rundll32.exe
                        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
                        6⤵
                        • Loads dropped DLL
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        PID:596
              • C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Modifies data under HKEY_USERS
                • Modifies system certificate store
                • Suspicious behavior: EnumeratesProcesses
                PID:1072
                  • C:\Users\Admin\AppData\Roaming\2B66.tmp.exe
                    "C:\Users\Admin\AppData\Roaming\2B66.tmp.exe"
                    5⤵
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Suspicious use of SetThreadContext
                    • Modifies system certificate store
                    PID:988
                      • C:\Windows\system32\msiexec.exe
                        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
                        6⤵
                        PID:944
                      • C:\Windows\system32\msiexec.exe
                        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
                        6⤵
                        • Blocklisted process makes network request
                        PID:1084
                  • C:\Users\Admin\AppData\Roaming\2D4B.tmp.exe
                    "C:\Users\Admin\AppData\Roaming\2D4B.tmp.exe"
                    5⤵
                    • Executes dropped EXE
                    PID:1352
                      • C:\Windows\SysWOW64\cmd.exe
                        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\2D4B.tmp.exe
                        6⤵
                        PID:1344
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout /t 3
                            7⤵
                            • Delays execution with timeout.exe
                            PID:1312
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
                    5⤵
                    PID:2016
                      • C:\Windows\SysWOW64\PING.EXE
                        ping 127.0.0.1
                        6⤵
                        • Runs ping.exe
                        PID:1604
              • C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
                4⤵
                • Executes dropped EXE
                PID:988
              • C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
                4⤵
                • Executes dropped EXE
                PID:1444
              • C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                PID:1700
                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                    5⤵
                    • Executes dropped EXE
                    PID:948
                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                    5⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1524
                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                    5⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2412
                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                    5⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2600
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1752
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • NTFS ADS
        • Suspicious use of SetWindowsHookEx
        PID:1072

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/596-123-0x0000000000820000-0x0000000000876000-memory.dmp

    Filesize

    344KB

  • memory/596-122-0x0000000000170000-0x00000000001AA000-memory.dmp

    Filesize

    232KB

  • memory/628-36-0x0000000002360000-0x0000000002361000-memory.dmp

    Filesize

    4KB

  • memory/628-25-0x0000000002360000-0x0000000002361000-memory.dmp

    Filesize

    4KB

  • memory/824-56-0x0000000000400000-0x0000000000983000-memory.dmp

    Filesize

    5.5MB

  • memory/824-52-0x0000000000400000-0x0000000000983000-memory.dmp

    Filesize

    5.5MB

  • memory/880-125-0x0000000000C30000-0x0000000000C97000-memory.dmp

    Filesize

    412KB

  • memory/880-120-0x00000000009B0000-0x00000000009F4000-memory.dmp

    Filesize

    272KB

  • memory/912-71-0x000007FEF0D40000-0x000007FEF16DD000-memory.dmp

    Filesize

    9.6MB

  • memory/912-74-0x00000000009C0000-0x00000000009C2000-memory.dmp

    Filesize

    8KB

  • memory/912-72-0x000007FEF0D40000-0x000007FEF16DD000-memory.dmp

    Filesize

    9.6MB

  • memory/944-133-0x0000000140000000-0x0000000140383000-memory.dmp

    Filesize

    3.5MB

  • memory/944-142-0x0000000140000000-0x0000000140383000-memory.dmp

    Filesize

    3.5MB

  • memory/988-130-0x000007FEFB631000-0x000007FEFB633000-memory.dmp

    Filesize

    8KB

  • memory/988-151-0x0000000073BC0000-0x0000000073D63000-memory.dmp

    Filesize

    1.6MB

  • memory/1072-101-0x0000000000020000-0x000000000002D000-memory.dmp

    Filesize

    52KB

  • memory/1072-132-0x00000000028B0000-0x00000000028F8000-memory.dmp

    Filesize

    288KB

  • memory/1072-59-0x000000001B290000-0x000000001B292000-memory.dmp

    Filesize

    8KB

  • memory/1072-57-0x0000000000A30000-0x0000000000A31000-memory.dmp

    Filesize

    4KB

  • memory/1072-48-0x000007FEF4DF0000-0x000007FEF57DC000-memory.dmp

    Filesize

    9.9MB

  • memory/1084-141-0x0000000140000000-0x000000014070A000-memory.dmp

    Filesize

    7.0MB

  • memory/1084-135-0x0000000140000000-0x000000014070A000-memory.dmp

    Filesize

    7.0MB

  • memory/1084-138-0x0000000000100000-0x0000000000114000-memory.dmp

    Filesize

    80KB

  • memory/1084-139-0x0000000140000000-0x000000014070A000-memory.dmp

    Filesize

    7.0MB

  • memory/1084-143-0x0000000000690000-0x00000000006B0000-memory.dmp

    Filesize

    128KB

  • memory/1352-137-0x0000000007280000-0x000000000C6FC000-memory.dmp

    Filesize

    84.5MB

  • memory/1352-140-0x0000000000400000-0x000000000587C000-memory.dmp

    Filesize

    84.5MB

  • memory/1444-154-0x0000000000F10000-0x0000000000F11000-memory.dmp

    Filesize

    4KB

  • memory/1444-157-0x0000000000260000-0x0000000000281000-memory.dmp

    Filesize

    132KB

  • memory/1444-158-0x0000000000150000-0x0000000000151000-memory.dmp

    Filesize

    4KB

  • memory/1444-156-0x0000000000140000-0x0000000000141000-memory.dmp

    Filesize

    4KB

  • memory/1444-159-0x000000001AF70000-0x000000001AF72000-memory.dmp

    Filesize

    8KB

  • memory/1444-153-0x000007FEF4B30000-0x000007FEF551C000-memory.dmp

    Filesize

    9.9MB

  • memory/1556-105-0x00000000027D0000-0x00000000027D4000-memory.dmp

    Filesize

    16KB

  • memory/1560-35-0x000007FEF5B70000-0x000007FEF5DEA000-memory.dmp

    Filesize

    2.5MB

  • memory/1660-63-0x000007FEF0D40000-0x000007FEF16DD000-memory.dmp

    Filesize

    9.6MB

  • memory/1660-66-0x0000000000920000-0x0000000000922000-memory.dmp

    Filesize

    8KB

  • memory/1660-65-0x000007FEF0D40000-0x000007FEF16DD000-memory.dmp

    Filesize

    9.6MB

  • memory/1680-45-0x00000000024F0000-0x000000000268C000-memory.dmp

    Filesize

    1.6MB

  • memory/1680-75-0x0000000000120000-0x0000000000121000-memory.dmp

    Filesize

    4KB

  • memory/1680-76-0x0000000000110000-0x000000000012B000-memory.dmp

    Filesize

    108KB

  • memory/1680-67-0x0000000002C10000-0x0000000002CFF000-memory.dmp

    Filesize

    956KB

  • memory/1788-2-0x0000000074D11000-0x0000000074D13000-memory.dmp

    Filesize

    8KB

  • memory/2032-144-0x0000000002CB0000-0x0000000002DB6000-memory.dmp

    Filesize

    1.0MB

  • memory/2032-127-0x00000000004E0000-0x0000000000547000-memory.dmp

    Filesize

    412KB