Analysis
-
max time kernel
90s -
max time network
96s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
03-11-2024 12:28
Behavioral task
behavioral1
Sample
keygen-step-1.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
keygen-step-1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
keygen-step-1.exe
Resource
win11-20241007-en
General
-
Target
keygen-step-1.exe
-
Size
112KB
-
MD5
bbfd7d876f91ad6143e6868c87df9207
-
SHA1
ed062210d4bdbffc41758bb00ba6ace7650788a5
-
SHA256
0edbf3602761c7f1cfa639cc8a45c48d281d7382b2118d1a0b5fff49aa6219e7
-
SHA512
c69ffcb42370cb9aaeb563511cde72be28aa9c65b72fad97fa6194f376848aa01838760ce38051fa78b46cd968a3253fe04a9e25e2b6e630e224b6882b016432
-
SSDEEP
3072:KExRaX6raoCoCyz6/mqv1JR+yBtGOeaeWgipq:faZ1tme++wiY
Malware Config
Extracted
azorult
http://regdnl.online/1210776429.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Loads dropped DLL 4 IoCs
pid Process 3528 keygen-step-1.exe 3528 keygen-step-1.exe 3528 keygen-step-1.exe 3528 keygen-step-1.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook keygen-step-1.exe Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook keygen-step-1.exe Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook keygen-step-1.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language keygen-step-1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 keygen-step-1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString keygen-step-1.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 3684 timeout.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3528 keygen-step-1.exe 3528 keygen-step-1.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3528 wrote to memory of 4920 3528 keygen-step-1.exe 80 PID 3528 wrote to memory of 4920 3528 keygen-step-1.exe 80 PID 3528 wrote to memory of 4920 3528 keygen-step-1.exe 80 PID 4920 wrote to memory of 3684 4920 cmd.exe 82 PID 4920 wrote to memory of 3684 4920 cmd.exe 82 PID 4920 wrote to memory of 3684 4920 cmd.exe 82 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook keygen-step-1.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook keygen-step-1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"1⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3528 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "keygen-step-1.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\timeout.exeC:\Windows\system32\timeout.exe 33⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3684
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
7Credentials In Files
6Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
135KB
MD59e682f1eb98a9d41468fc3e50f907635
SHA185e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
-
Filesize
429KB
MD5109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
Filesize
1.2MB
MD5556ea09421a0f74d31c4c0a89a70dc23
SHA1f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA5122481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
-
Filesize
81KB
MD57587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f