Resubmissions
13-01-2022 13:19
220113-qkhx6sade2 412-09-2021 07:40
210912-jhysaacbd3 1012-09-2021 07:40
210912-jhp55sfbbr 1012-09-2021 07:39
210912-jhc6kscbd2 1012-09-2021 07:39
210912-jg161sfbbp 1012-09-2021 07:38
210912-jgmnmafbbn 10Analysis
-
max time kernel
1748s -
max time network
1761s -
platform
windows11_x64 -
resource
win11 -
submitted
12-09-2021 07:38
General
-
Target
Dot.Tk.123.ticket.keygen.by.CORE.bin.exe
-
Size
6.2MB
-
MD5
0cb3efeb5d9312e068c57e7e55affed7
-
SHA1
aad1c65d257c7d2929ffb916114bc532feba0a16
-
SHA256
a974231d8889e05fedfbe73b5cc58e414de6fd5031765c998a24ac326f35b0b2
-
SHA512
236ce9aa9e71f279e7833c4f0afbad15a2de4aaf62e78a82f1132224951f25f0a184aacfe5c963a20481c20cdb12e1a56e6aaf662f4a07c756abe0c539488898
Malware Config
Extracted
azorult
http://kvaka.li/1210776429.php
Extracted
redline
newmixnew
94.140.115.194:31858
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15
-
Downloads MZ/PE file
-
Executes dropped EXE 10 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 43 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Dot.Tk.123.ticket.keygen.by.CORE.bin.exe"C:\Users\Admin\AppData\Local\Temp\Dot.Tk.123.ticket.keygen.by.CORE.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exekeygen-step-6.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe" >> NUL4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.15⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\winnetdriv.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe" 1631432336 04⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\KiffAppE2.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\KiffAppE2.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\PlsWnEU2.exe"C:\Users\Admin\Documents\PlsWnEU2.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv hT4RkUrQU0KJr6hWfqbv1w.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
-
Filesize
64KB
-
Filesize
16KB
-
Filesize
64KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
108KB
-
Filesize
1.6MB
-
Filesize
956KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
5.5MB
-
Filesize
5.5MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
356KB
-
Filesize
312KB
-
Filesize
916KB
-
Filesize
96KB