azorult | dd3f34e733ac0ac0c51ce0cba7bc026c70a7bcad306ca47122d429abf078d7ed

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe
Size

1.8MB
MD5

2fcdb055e476ab664b8cafb6576f7329
SHA1

1d13dbbcc7971ada80fff2bee44dc84d1f85981c
SHA256

dd3f34e733ac0ac0c51ce0cba7bc026c70a7bcad306ca47122d429abf078d7ed
SHA512

6ee8f56b6560c8d2624e36012343409b25f2756bca04fd30c5e42f178138b90b286107ae83cc10a3439006e2a2fa3646198e72c58f7d8d306340ae3f03b88e63
SSDEEP

24576:jNqnCJFJXDVNmZDZY4ec9BfsuE8vkZDKMAoXJBw1eQi6WylSrLCwG8mWyIQHMvf6:M2TEZXVvk4oZfQi6xlrAyWX1JS9

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2520	WScript.exe
5	2520	WScript.exe
7	2520	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
2620	logs.exe
3064	game.exe
2176	youwins.exe

Loads dropped DLL 13 IoCs

pid	Process
3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe
3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe
3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe
3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe
3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe
3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe
3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe
2968	cmd.exe
2176	youwins.exe
2176	youwins.exe
2176	youwins.exe
2176	youwins.exe
2176	youwins.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	iplogger.org
3	iplogger.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2620 set thread context of 944	2620	logs.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	logs.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2520	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	28
PID 3036 wrote to memory of 2520	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	28
PID 3036 wrote to memory of 2520	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	28
PID 3036 wrote to memory of 2520	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	28
PID 3036 wrote to memory of 2520	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	28
PID 3036 wrote to memory of 2520	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	28
PID 3036 wrote to memory of 2520	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	28
PID 3036 wrote to memory of 2620	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	29
PID 3036 wrote to memory of 2620	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	29
PID 3036 wrote to memory of 2620	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	29
PID 3036 wrote to memory of 2620	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	29
PID 3036 wrote to memory of 2620	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	29
PID 3036 wrote to memory of 2620	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	29
PID 3036 wrote to memory of 2620	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	29
PID 3036 wrote to memory of 3064	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	30
PID 3036 wrote to memory of 3064	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	30
PID 3036 wrote to memory of 3064	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	30
PID 3036 wrote to memory of 3064	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	30
PID 3036 wrote to memory of 3064	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	30
PID 3036 wrote to memory of 3064	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	30
PID 3036 wrote to memory of 3064	3036	2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2524	3064	game.exe	31
PID 3064 wrote to memory of 2524	3064	game.exe	31
PID 3064 wrote to memory of 2524	3064	game.exe	31
PID 3064 wrote to memory of 2524	3064	game.exe	31
PID 3064 wrote to memory of 2524	3064	game.exe	31
PID 3064 wrote to memory of 2524	3064	game.exe	31
PID 3064 wrote to memory of 2524	3064	game.exe	31
PID 2524 wrote to memory of 2968	2524	WScript.exe	32
PID 2524 wrote to memory of 2968	2524	WScript.exe	32
PID 2524 wrote to memory of 2968	2524	WScript.exe	32
PID 2524 wrote to memory of 2968	2524	WScript.exe	32
PID 2524 wrote to memory of 2968	2524	WScript.exe	32
PID 2524 wrote to memory of 2968	2524	WScript.exe	32
PID 2524 wrote to memory of 2968	2524	WScript.exe	32
PID 2968 wrote to memory of 2176	2968	cmd.exe	34
PID 2968 wrote to memory of 2176	2968	cmd.exe	34
PID 2968 wrote to memory of 2176	2968	cmd.exe	34
PID 2968 wrote to memory of 2176	2968	cmd.exe	34
PID 2968 wrote to memory of 2176	2968	cmd.exe	34
PID 2968 wrote to memory of 2176	2968	cmd.exe	34
PID 2968 wrote to memory of 2176	2968	cmd.exe	34
PID 2620 wrote to memory of 944	2620	logs.exe	38
PID 2620 wrote to memory of 944	2620	logs.exe	38
PID 2620 wrote to memory of 944	2620	logs.exe	38
PID 2620 wrote to memory of 944	2620	logs.exe	38
PID 2620 wrote to memory of 944	2620	logs.exe	38
PID 2620 wrote to memory of 944	2620	logs.exe	38
PID 2620 wrote to memory of 944	2620	logs.exe	38
PID 2620 wrote to memory of 944	2620	logs.exe	38
PID 2620 wrote to memory of 944	2620	logs.exe	38
PID 2620 wrote to memory of 944	2620	logs.exe	38
PID 2620 wrote to memory of 944	2620	logs.exe	38
PID 2620 wrote to memory of 944	2620	logs.exe	38
PID 2620 wrote to memory of 944	2620	logs.exe	38

C:\Users\Admin\AppData\Local\Temp\2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2fcdb055e476ab664b8cafb6576f7329_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\ActualBetting\report.vbs"
  2⤵
  - Blocklisted process makes network request
  - Modifies system certificate store
  PID:2520
- C:\ProgramData\ActualBetting\logs.exe
  "C:\ProgramData\ActualBetting\logs.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:944
- C:\ProgramData\ActualBetting\game.exe
  "C:\ProgramData\ActualBetting\game.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\XSoftbet\cert.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\ProgramData\XSoftbet\logs.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\ProgramData\XSoftbet\youwins.exe
        
        youwins.exe /S
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ActualBetting\report.vbs

Filesize
226B

MD5
863414e82e272ec5be83f73b07ca31b0

SHA1
9e1b4bf9b9b6af6b0a0d1b126508e233b86df0b0

SHA256
78f4d5d2694fd8b592fc546895c43da086946ca44aec18a3d6cdea030dc6b95a

SHA512
8e566a6c7e37910df68c42a4aabf6810375110c66a5a0b33e77d08c36135745a797e35345f4ccb94e98a97d816b9ca46fd9f39f37704d0ae67508227f44b246b

Download Submit
C:\ProgramData\XSoftbet\cert.vbs

Filesize
116B

MD5
e589127ee5fa1ecb7269e6ebc2484886

SHA1
278ddec68598765fe5b0b7411ecf0b677f70cbde

SHA256
d0d4666d97bb8a47e5869ffb83a779d1232a7964beec4e9868e11a729a37b896

SHA512
1ce04a0833730d315d4f2688e75ae0f4ee63e1f54655a5402ebb37899b1d921c4ffc5bec222de498ba60cfb12e3d0e362e15fea7cefdd1208c8cb1e76510695a

Download Submit
C:\ProgramData\XSoftbet\logs.bat

Filesize
22B

MD5
ca6dbebc42f9fcf5e9abd7a8a1fabe13

SHA1
114b0ffe3f0c1273469c8100a4cba3b7ff757c4d

SHA256
2971d4ef7296b7ce2e2a1883e7db85d3f9d4a11ba320948a7ae2dee120fe1da8

SHA512
d9fa4f14a4b45df176b6a9c7a93770d4d9b8e362653fa37b734caf948f4a80fc95ffa063435b1b20a256d297c1082fd6f76a0b4b6a5d38ac506a83137b491cf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
710da369ab1731d39617212c5fb8623b

SHA1
51e3eb0f32c8bf48371b528dacc3c878a35f3eca

SHA256
3081d3a133169153d98ac4c28858674c79d5f8aedf974fa9a0abfa2c71db6119

SHA512
a0148098985188534e62f5bdbb4254e7f701d654462ea6ac7edad09c32e4c5712ecd1f60769ff4679b3f8c11b7eaa0535718fc706602d35bb5141ce407a7d36e

Download Submit
C:\Users\Admin\AppData\Local\1xCorp N.V\1xWin\uninstall.exe

Filesize
349KB

MD5
9fe1044b57800163fcf0ba03826d1bc6

SHA1
5df10d8962a264d4c9260e8de5ba234fd8e29ba4

SHA256
598e0a1424448b473ab83d7a9fd3d30c475b69dbff17727996a770407d86676d

SHA512
6a0d4a186bf7929c36de449da7a62453a52ff0bbcecf3936c2f6a3c07bcfdae82eba25f966eace967ccbf602f8923de53e63fe0fd636be20544189adf866ffd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab787C.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar79EA.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy72FF.tmp\DotNetChecker.dll

Filesize
83KB

MD5
e02ed575cffbc793af912c5541c7ffb3

SHA1
1fd8f5ed9417b3804c1fbd18340eba4d09326f60

SHA256
45e15d319084e019d4db5a3081533ba8c032308cf35384abf8b65ddbac6c5f9d

SHA512
76804c9df7f97dc50ff375d1f1d972f2d20b57e2c543986a47de61fc2a0ec87225bc22d69ef31a37a12ecec46e477595184a964587ef469d6b0698cd71ebb5f8

Download Submit
\ProgramData\ActualBetting\game.exe

Filesize
1.3MB

MD5
9d96676c1d426c407550695b1d01d239

SHA1
e6b6c87fb56dd971954332f50c0a4c6f5b4ff611

SHA256
d48b188842eed60cc1040ae91d236a3b46cc70a6506565359bc915151085fa82

SHA512
70005cdd43cd506788f76a0fc63e85150b2147df05ac368cc2457d3e898d4296c2079b358debbbe42d7955f2ffa78273b0bceb1623f48ad8cb544984dd17af29

Download Submit
\ProgramData\ActualBetting\logs.exe

Filesize
363KB

MD5
32d94df6096d2936a3b9f83edd40209a

SHA1
891696aa3414f073414c6c273cbc051f71ff7c61

SHA256
d38dceb9aa402989b12a4360e5bc453905330182ffc47e5352da17600deab671

SHA512
a253028fab71abdb8896500b1688f6a355b28c669d754b74880cb5dbffd2154ef6da41acf6f72bf6eedcdc16199ac382b62d3b25114d601317e31adbafc9a7b1

Download Submit
\ProgramData\XSoftbet\youwins.exe

Filesize
1.1MB

MD5
7498209032e1d69ab6e0dc12c73c9516

SHA1
c769d9192155497ecba8a51099c8ecbf04bdc419

SHA256
f59f48893f943fd272924d6779b437eae18e47efed5e8e600bf8e84da9140410

SHA512
1cf6977ff2ed8a9e7a1ec4f2a387db32f0b45dec3c2dbb25fa6fa0ff8ed0b09230245b5a4f7ad85fdc7dbca1b4fa40542c838054142742a9ee20e87a4a28f23d

Download Submit
\Users\Admin\AppData\Local\1xCorp N.V\1xWin\Starter.exe

Filesize
2.2MB

MD5
37ba8e2839e6a42ecfe76765b2fe26de

SHA1
c06548cca82f1b50a63bc7fbfe51a847fd91bfe3

SHA256
83a32f74b6a440439f173b4bd1cd12767ee2d1a92489ac0bb736bfc9d64b3c9a

SHA512
90b963ea47cf98f3f0f52abd5fc1a64d533a0d9d7154fcc38251688711b123570c735f9cc16272f713240fe77be772e14500100989917c145719e2d8c16f6add

Download Submit
\Users\Admin\AppData\Local\Temp\nsy72FF.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
memory/944-159-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/944-160-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/944-161-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/944-149-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/944-162-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/944-152-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/944-163-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/944-154-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/944-150-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/944-158-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/944-156-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/944-165-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/944-164-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2620-80-0x0000000000380000-0x00000000003A8000-memory.dmp

Filesize
160KB

Download
memory/2620-81-0x00000000004C0000-0x00000000004DA000-memory.dmp

Filesize
104KB

Download
memory/2620-45-0x0000000000270000-0x00000000002D4000-memory.dmp

Filesize
400KB

Download