Resubmissions
06-04-2021 13:50
210406-gc51ndzsc2 1026-03-2021 23:40
210326-d1ybrjhevx 1013-03-2021 17:16
210313-8s7b52z63e 1005-03-2021 14:52
210305-34k3zj54f2 1001-03-2021 13:17
210301-naamxpgf4e 1028-02-2021 20:46
210228-6q3b959xae 1028-02-2021 20:15
210228-mbr268za12 1028-02-2021 18:32
210228-h944b5cpxa 1028-02-2021 15:10
210228-hnwwpyjy7j 10Analysis
-
max time kernel
1349s -
max time network
1352s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
06-04-2021 13:50
Static task
static1
Behavioral task
behavioral1
Sample
[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe
Resource
win7v20201028
General
-
Target
[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe
-
Size
9.2MB
-
MD5
b806267b5f3b7760df56396b1cf05e6d
-
SHA1
5166d4c1d3e476281d9e991eababc3e4aa9ec5ad
-
SHA256
f95d12a0dbd8199d16f48d8e4cbe69a8d4ec16c534efb36e52a662664e1c1783
-
SHA512
30e393bb3898edc8ab5fb04e62ce421ddf3903075f59e3880408b300f46bb74a85088336d6e1203b2101152cebeef4c1730290b41ca77604ecb722c8f627328b
Malware Config
Extracted
azorult
http://kvaka.li/1210776429.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Executes dropped EXE 5 IoCs
Processes:
keygen-pr.exekeygen-step-1.exekeygen-step-3.exekeygen-step-4.exekey.exepid process 1180 keygen-pr.exe 324 keygen-step-1.exe 524 keygen-step-3.exe 472 keygen-step-4.exe 1796 key.exe -
Loads dropped DLL 10 IoCs
Processes:
cmd.exekeygen-pr.exekey.exepid process 1608 cmd.exe 1608 cmd.exe 1608 cmd.exe 1608 cmd.exe 1608 cmd.exe 1180 keygen-pr.exe 1180 keygen-pr.exe 1180 keygen-pr.exe 1180 keygen-pr.exe 1796 key.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
Processes:
[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.execmd.exekeygen-pr.exekey.exekeygen-step-3.execmd.exedescription pid process target process PID 2004 wrote to memory of 1608 2004 [CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe cmd.exe PID 2004 wrote to memory of 1608 2004 [CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe cmd.exe PID 2004 wrote to memory of 1608 2004 [CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe cmd.exe PID 2004 wrote to memory of 1608 2004 [CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe cmd.exe PID 1608 wrote to memory of 1180 1608 cmd.exe keygen-pr.exe PID 1608 wrote to memory of 1180 1608 cmd.exe keygen-pr.exe PID 1608 wrote to memory of 1180 1608 cmd.exe keygen-pr.exe PID 1608 wrote to memory of 1180 1608 cmd.exe keygen-pr.exe PID 1608 wrote to memory of 1180 1608 cmd.exe keygen-pr.exe PID 1608 wrote to memory of 1180 1608 cmd.exe keygen-pr.exe PID 1608 wrote to memory of 1180 1608 cmd.exe keygen-pr.exe PID 1608 wrote to memory of 324 1608 cmd.exe keygen-step-1.exe PID 1608 wrote to memory of 324 1608 cmd.exe keygen-step-1.exe PID 1608 wrote to memory of 324 1608 cmd.exe keygen-step-1.exe PID 1608 wrote to memory of 324 1608 cmd.exe keygen-step-1.exe PID 1608 wrote to memory of 524 1608 cmd.exe keygen-step-3.exe PID 1608 wrote to memory of 524 1608 cmd.exe keygen-step-3.exe PID 1608 wrote to memory of 524 1608 cmd.exe keygen-step-3.exe PID 1608 wrote to memory of 524 1608 cmd.exe keygen-step-3.exe PID 1608 wrote to memory of 472 1608 cmd.exe keygen-step-4.exe PID 1608 wrote to memory of 472 1608 cmd.exe keygen-step-4.exe PID 1608 wrote to memory of 472 1608 cmd.exe keygen-step-4.exe PID 1608 wrote to memory of 472 1608 cmd.exe keygen-step-4.exe PID 1180 wrote to memory of 1796 1180 keygen-pr.exe key.exe PID 1180 wrote to memory of 1796 1180 keygen-pr.exe key.exe PID 1180 wrote to memory of 1796 1180 keygen-pr.exe key.exe PID 1180 wrote to memory of 1796 1180 keygen-pr.exe key.exe PID 1180 wrote to memory of 1796 1180 keygen-pr.exe key.exe PID 1180 wrote to memory of 1796 1180 keygen-pr.exe key.exe PID 1180 wrote to memory of 1796 1180 keygen-pr.exe key.exe PID 1796 wrote to memory of 948 1796 key.exe key.exe PID 1796 wrote to memory of 948 1796 key.exe key.exe PID 1796 wrote to memory of 948 1796 key.exe key.exe PID 1796 wrote to memory of 948 1796 key.exe key.exe PID 1796 wrote to memory of 948 1796 key.exe key.exe PID 1796 wrote to memory of 948 1796 key.exe key.exe PID 1796 wrote to memory of 948 1796 key.exe key.exe PID 524 wrote to memory of 616 524 keygen-step-3.exe cmd.exe PID 524 wrote to memory of 616 524 keygen-step-3.exe cmd.exe PID 524 wrote to memory of 616 524 keygen-step-3.exe cmd.exe PID 524 wrote to memory of 616 524 keygen-step-3.exe cmd.exe PID 616 wrote to memory of 1428 616 cmd.exe PING.EXE PID 616 wrote to memory of 1428 616 cmd.exe PING.EXE PID 616 wrote to memory of 1428 616 cmd.exe PING.EXE PID 616 wrote to memory of 1428 616 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe"C:\Users\Admin\AppData\Local\Temp\[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30001⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exeMD5
65b49b106ec0f6cf61e7dc04c0a7eb74
SHA1a1f4784377c53151167965e0ff225f5085ebd43b
SHA256862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd
SHA512e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exeMD5
65b49b106ec0f6cf61e7dc04c0a7eb74
SHA1a1f4784377c53151167965e0ff225f5085ebd43b
SHA256862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd
SHA512e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exeMD5
c615d0bfa727f494fee9ecb3f0acf563
SHA16c3509ae64abc299a7afa13552c4fe430071f087
SHA25695d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exeMD5
c615d0bfa727f494fee9ecb3f0acf563
SHA16c3509ae64abc299a7afa13552c4fe430071f087
SHA25695d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exeMD5
84291ae7fb0b96b7a251f4713776d26a
SHA179306721714fe88e5ce1905c2488965051d0668e
SHA256859c80bd87795914b9b95a5b93c5a5c9a67ac2ffc4588f5ccc045fbb2d146d25
SHA512694d55693afed8e83d65576089fd90db4b98656514d4ad890fd775915a8d7f540db4d79c7a70d697ecba030f1e9ef105d775ab6345d1a1582138365c6434024c
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exeMD5
84291ae7fb0b96b7a251f4713776d26a
SHA179306721714fe88e5ce1905c2488965051d0668e
SHA256859c80bd87795914b9b95a5b93c5a5c9a67ac2ffc4588f5ccc045fbb2d146d25
SHA512694d55693afed8e83d65576089fd90db4b98656514d4ad890fd775915a8d7f540db4d79c7a70d697ecba030f1e9ef105d775ab6345d1a1582138365c6434024c
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exeMD5
9b1372abe17a439bfcca639334246f98
SHA12bb99dca239e3e74f0c5d73d8092437a77c384d5
SHA256b038b6a3e4cbb588a099ff589e135965b7641b004727ba268865c0e310ca4d05
SHA512e5ec133fdca82e40525daf8a69c3be1dc5b0cda772902a52a5ff74b0e462543f0c2d41d30ad9c5ed737a6b8d6c7fc4f4d2487995262e09946c1945b9fa70251b
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exeMD5
9b1372abe17a439bfcca639334246f98
SHA12bb99dca239e3e74f0c5d73d8092437a77c384d5
SHA256b038b6a3e4cbb588a099ff589e135965b7641b004727ba268865c0e310ca4d05
SHA512e5ec133fdca82e40525daf8a69c3be1dc5b0cda772902a52a5ff74b0e462543f0c2d41d30ad9c5ed737a6b8d6c7fc4f4d2487995262e09946c1945b9fa70251b
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.batMD5
f2632c204f883c59805093720dfe5a78
SHA1c96e3aa03805a84fec3ea4208104a25a2a9d037e
SHA256f9458a661ecd6c7e8fae669be72497288472a11ac3e823d3074e58f7fe98cd68
SHA5125a19c4a777899889381be64f190e50a23cceee0abb78776b6d041e2384ba88e692972e40cefa34c03ca1b7d029475a0afbc5ce006ce833a1665e52008671bae2
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.datMD5
12476321a502e943933e60cfb4429970
SHA1c71d293b84d03153a1bd13c560fca0f8857a95a7
SHA25614a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29
SHA512f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeMD5
51ef03c9257f2dd9b93bfdd74e96c017
SHA13baa7bee4b4b7d3ace13409d69dc7bcd0399ac34
SHA25682a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf
SHA5122c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeMD5
51ef03c9257f2dd9b93bfdd74e96c017
SHA13baa7bee4b4b7d3ace13409d69dc7bcd0399ac34
SHA25682a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf
SHA5122c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1
-
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exeMD5
65b49b106ec0f6cf61e7dc04c0a7eb74
SHA1a1f4784377c53151167965e0ff225f5085ebd43b
SHA256862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd
SHA512e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da
-
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exeMD5
c615d0bfa727f494fee9ecb3f0acf563
SHA16c3509ae64abc299a7afa13552c4fe430071f087
SHA25695d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
-
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exeMD5
c615d0bfa727f494fee9ecb3f0acf563
SHA16c3509ae64abc299a7afa13552c4fe430071f087
SHA25695d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
-
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exeMD5
84291ae7fb0b96b7a251f4713776d26a
SHA179306721714fe88e5ce1905c2488965051d0668e
SHA256859c80bd87795914b9b95a5b93c5a5c9a67ac2ffc4588f5ccc045fbb2d146d25
SHA512694d55693afed8e83d65576089fd90db4b98656514d4ad890fd775915a8d7f540db4d79c7a70d697ecba030f1e9ef105d775ab6345d1a1582138365c6434024c
-
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exeMD5
9b1372abe17a439bfcca639334246f98
SHA12bb99dca239e3e74f0c5d73d8092437a77c384d5
SHA256b038b6a3e4cbb588a099ff589e135965b7641b004727ba268865c0e310ca4d05
SHA512e5ec133fdca82e40525daf8a69c3be1dc5b0cda772902a52a5ff74b0e462543f0c2d41d30ad9c5ed737a6b8d6c7fc4f4d2487995262e09946c1945b9fa70251b
-
\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeMD5
51ef03c9257f2dd9b93bfdd74e96c017
SHA13baa7bee4b4b7d3ace13409d69dc7bcd0399ac34
SHA25682a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf
SHA5122c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1
-
\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeMD5
51ef03c9257f2dd9b93bfdd74e96c017
SHA13baa7bee4b4b7d3ace13409d69dc7bcd0399ac34
SHA25682a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf
SHA5122c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1
-
\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeMD5
51ef03c9257f2dd9b93bfdd74e96c017
SHA13baa7bee4b4b7d3ace13409d69dc7bcd0399ac34
SHA25682a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf
SHA5122c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1
-
\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeMD5
51ef03c9257f2dd9b93bfdd74e96c017
SHA13baa7bee4b4b7d3ace13409d69dc7bcd0399ac34
SHA25682a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf
SHA5122c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1
-
\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeMD5
51ef03c9257f2dd9b93bfdd74e96c017
SHA13baa7bee4b4b7d3ace13409d69dc7bcd0399ac34
SHA25682a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf
SHA5122c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1
-
memory/324-12-0x0000000000000000-mapping.dmp
-
memory/472-22-0x0000000000000000-mapping.dmp
-
memory/472-25-0x0000000002410000-0x0000000002411000-memory.dmpFilesize
4KB
-
memory/524-17-0x0000000000000000-mapping.dmp
-
memory/616-39-0x0000000000000000-mapping.dmp
-
memory/784-38-0x000007FEF5D50000-0x000007FEF5FCA000-memory.dmpFilesize
2.5MB
-
memory/1180-7-0x0000000000000000-mapping.dmp
-
memory/1428-40-0x0000000000000000-mapping.dmp
-
memory/1608-3-0x0000000000000000-mapping.dmp
-
memory/1796-41-0x00000000022A0000-0x000000000243C000-memory.dmpFilesize
1.6MB
-
memory/1796-31-0x0000000000000000-mapping.dmp
-
memory/2004-2-0x0000000075EA1000-0x0000000075EA3000-memory.dmpFilesize
8KB