General
Target: Minitab.17.2.1.key.generator.by.CORE.zip
Size: 5.2MB
Sample: 210412-hv77z7ralj
MD5: 99a52471063ffd6795886327d03008ee
SHA1: b60a8d0738bc416f5e58e437979534c7b52f0a5f
SHA256: 4326f90536468f800479504e0fc472920c08cf75a88ba9004d11f59f09444e14
SHA512: 52a75dce5aba1b7287258aaf4783b7f85e8cbb1f06f19c798cb21c6b85fcf501c3882e2c065056c5baac6d77828df775a3aa69af4a871a1fc39acc15f7abdc33
Static task
static1

Behavioral tasks (all run against the extracted sample Minitab.17.2.1.key.generator.by.CORE.exe)
behavioral1: resource win10v20210410
behavioral2: resource win10v20210408
behavioral3: resource win10v20210410
behavioral4: resource win10v20210408
behavioral5: resource win7v20210410
Malware Config

Extracted (azorult)
C2: http://kvaka.li/1210776429.php

Extracted (icedid)
Campaign ID: 1925120085

Extracted
http://labsclub.com/welcome

Extracted (zloader)
Botnet: googleaktualizacija, googleaktualizacija2
C2:
https://iqowijsdakm.com/gate.php
https://wiewjdmkfjn.com/gate.php
https://dksaoidiakjd.com/gate.php
https://iweuiqjdakjd.com/gate.php
https://yuidskadjna.com/gate.php
https://olksmadnbdj.com/gate.php
https://odsakmdfnbs.com/gate.php
https://odsakjmdnhsaj.com/gate.php
https://odjdnhsaj.com/gate.php
https://odoishsaj.com/gate.php
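The extracted configs above are the part of this report that is directly usable for hunting: every URL gives a hostname that will show up in proxy, DNS or firewall logs. The following script is an added example, not part of the sandbox report; it copies the URLs from the Malware Config section into a host-to-family lookup and runs it over a few constructed Squid access-log and BIND query-log lines. The IcedID campaign ID and the ZLoader botnet names are configuration values, not network indicators, so they are deliberately left out, and attributing labsclub.com to IcedID (it is listed right after the IcedID block) is this example's assumption.

```python
"""Match the C2 indicators from this report's extracted configs against log lines.

Added example, not part of the sandbox report. Indicator values are copied from the
"Malware Config" section; the proxy and resolver log lines below are constructed.
"""
import re
from urllib.parse import urlparse

# Network indicators copied from the extracted configs, keyed by family.
EXTRACTED_CONFIG = {
    "azorult": ["http://kvaka.li/1210776429.php"],
    # Listed in the report directly after the IcedID block; attributing it to
    # IcedID is this example's assumption.
    "icedid": ["http://labsclub.com/welcome"],
    "zloader": [
        "https://iqowijsdakm.com/gate.php",
        "https://wiewjdmkfjn.com/gate.php",
        "https://dksaoidiakjd.com/gate.php",
        "https://iweuiqjdakjd.com/gate.php",
        "https://yuidskadjna.com/gate.php",
        "https://olksmadnbdj.com/gate.php",
        "https://odsakmdfnbs.com/gate.php",
        "https://odsakjmdnhsaj.com/gate.php",
        "https://odjdnhsaj.com/gate.php",
        "https://odoishsaj.com/gate.php",
    ],
}


def build_indicators(config):
    """Return {hostname: family} so a URL, a CONNECT or a bare DNS query for the host all hit."""
    hosts = {}
    for family, urls in config.items():
        for url in urls:
            hosts[urlparse(url).hostname.lower()] = family
    return hosts


# Anything shaped like a DNS name: dot-separated labels ending in an alphabetic TLD.
# IPv4 addresses fail the alphabetic-TLD requirement and are skipped.
HOSTNAME_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def scan_logs(lines, hosts):
    """Return (line_number, hostname, family) for every line that touches a known C2 host."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        seen = set()
        for m in HOSTNAME_RE.finditer(line):
            host = m.group(1).lower()
            if host in hosts and host not in seen:
                seen.add(host)
                hits.append((lineno, host, hosts[host]))
    return hits


# Constructed log lines: three Squid access-log entries and two BIND query-log entries.
SAMPLE_LOGS = [
    "1618228800.123    312 10.0.0.15 TCP_MISS/200 512 GET http://kvaka.li/1210776429.php - HIER_DIRECT/203.0.113.10 text/html",
    "1618228801.456     98 10.0.0.15 TCP_TUNNEL/200 1840 CONNECT iqowijsdakm.com:443 - HIER_DIRECT/203.0.113.11 -",
    "1618228802.001     40 10.0.0.22 TCP_MISS/200 2200 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "12-Apr-2021 13:20:03.117 client 10.0.0.15#51234: query: labsclub.com IN A + (10.0.0.1)",
    "12-Apr-2021 13:20:04.220 client 10.0.0.22#51235: query: update.microsoft.com IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    for lineno, host, family in scan_logs(SAMPLE_LOGS, build_indicators(EXTRACTED_CONFIG)):
        print(f"line {lineno}: {host} -> {family}")
```

Matching on hostname rather than full URL is deliberate: the ZLoader gates are only ever seen as TLS CONNECTs or DNS lookups, where the /gate.php path is not visible, and the one host that does appear with its path (kvaka.li) still matches.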
Targets
Target: Minitab.17.2.1.key.generator.by.CORE.exe
Size: 5.3MB
MD5: 27124fbde509a2d9586148e6e51dbb8a
SHA1: 92bc86f7038b61d1b47e3621dd9f703464451109
SHA256: 11f650aad12fb2bfa993e912cf6454d7a6c42cc3a01d8206786572f1de2c4a0c
SHA512: bb1e8830990a1dc41b211333a570b4621e6818643fed72af6a535150270513deedd122c0a59f470b9b3392199edb14e2bc6197c3254cb024e81e4c13d50fd43d
Signatures
- Azorult: an information stealer first discovered in 2016 that targets browsing history and saved passwords.
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks for common network interception software: looks in the registry for tools such as Wireshark or Fiddler that are commonly used to analyze network activity.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Creates new service(s)
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Modifies file permissions
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Program crash
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
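Several of the signatures above (BIOS check, VirtualBox ACPI check, location settings, installed-software enumeration, interception-tool check, drive mapping, Run key) are nothing more than reads or writes of specific registry paths, which is why a sandbox can label them from an API trace. The following script is an added example, not the sandbox's own rule set: it maps a constructed trace of (operation, key, value) registry events onto the signature names used in this report. The key paths are the ones these checks commonly touch (HARDWARE\DESCRIPTION\System, HARDWARE\ACPI\*\VBOX__, Control Panel\International\Geo\Nation, CurrentVersion\Uninstall, Services\Disk\Enum, CurrentVersion\Run); the product-name heuristic for Wireshark and Fiddler is this example's assumption, and the AV-software check is omitted because the report gives no paths for it.

```python
"""Map registry accesses to the behavioural signatures listed in this report.

Added example, not the sandbox's own rule set. The key paths are the ones these
checks commonly touch (an assumption where noted); the access trace is constructed.
"""
import re

# (signature label from the report, operations it applies to or None for any, key-path regex)
RULES = [
    ("Checks BIOS information in registry", None,
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System(\\|$)", re.I)),
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", None,
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Checks computer location settings", None,
     re.compile(r"^HKCU\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("Checks installed software on the system", None,
     re.compile(r"^HKLM\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I)),
    # Heuristic (assumption): a product name anywhere in the path. It fires on an
    # Uninstall sub-key for Wireshark, which is how software enumeration doubles as a tool check.
    ("Checks for common network interception software", None,
     re.compile(r"\\(Wireshark|Fiddler)(\\|$)", re.I)),
    ("Maps connected drives based on registry", None,
     re.compile(r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum(\\|$)", re.I)),
    # Persistence is a write, so this rule is limited to value-setting operations:
    # merely reading the Run key (which many legitimate programs do) does not count.
    ("Adds Run key to start application", {"SetValue", "CreateKey"},
     re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(\\|$)", re.I)),
]


def classify(events, rules=RULES):
    """Return the distinct signature labels triggered by (operation, key, value) events, in trace order."""
    labels = []
    for op, key, value in events:
        path = key if value is None else f"{key}\\{value}"
        for label, ops, pattern in rules:
            if ops is not None and op not in ops:
                continue
            if pattern.search(path) and label not in labels:
                labels.append(label)
    return labels


# Constructed trace in the shape an API monitor would give: (operation, key, value name or None).
SAMPLE_TRACE = [
    ("QueryValue", r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    ("OpenKey",    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__", None),
    ("QueryValue", r"HKCU\Control Panel\International\Geo", "Nation"),
    ("EnumKey",    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", None),
    ("OpenKey",    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark", None),
    ("QueryValue", r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum", "0"),
    ("QueryValue", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion", "ProductName"),  # benign noise
    ("SetValue",   r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater"),
]

if __name__ == "__main__":
    for label in classify(SAMPLE_TRACE):
        print(label)
```

The operation filter on the Run-key rule is the part worth copying: the same path is read constantly by benign software, and a rule that ignores the operation type would turn a persistence signature into noise.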
-
MITRE ATT&CK Matrix (ATT&CK v6; the number after each technique is the count of matching signatures)

Persistence
- New Service (1)
- Registry Run Keys / Startup Folder (1)
- Hidden Files and Directories (1)

Defense Evasion
- Virtualization/Sandbox Evasion (1)
- File Permissions Modification (1)
- Modify Registry (3)
- Install Root Certificate (1)
- Hidden Files and Directories (1)