Analysis
-
max time kernel
119s -
max time network
116s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
23-11-2024 11:14
Static task
static1
Behavioral task
behavioral1
Sample
Autodesk_AutoCAD_2023_License_keygen_by_KeyGenGuru.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Autodesk_AutoCAD_2023_License_keygen_by_KeyGenGuru.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Autodesk_AutoCAD_2023_License_keygen_by_KeyGenGuru.exe
Resource
win11-20241007-en
General
-
Target
Autodesk_AutoCAD_2023_License_keygen_by_KeyGenGuru.exe
-
Size
3.1MB
-
MD5
e518a3323f23fcffe3cf17d00dd1ee0e
-
SHA1
b957caeaac9f413fba2b7874f7dce4c961aea3f5
-
SHA256
559a6f34240f383ca9b6b18de51fbc77d708f2791b3f42dc93e0868c94947489
-
SHA512
7fa4598fb4ca8640ec78bcde2ac1131b0c9f254e7e7c604f14cdf7e057dd90953d5faf7e54fdad04a761487ec3162e68a266bb167fbe901d34ab66c2db75af63
-
SSDEEP
98304:ehz3pSHal+mRRx+b9pSHh0gnb4imYY6YtpP:ehzk6dsuB0rFL6S
Malware Config
Extracted
azorult
http://upqx.ru/1210776429.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Pony family
-
Executes dropped EXE 3 IoCs
Processes:
keygen-pj.exekeygen-step-1.exekey.exepid process 2836 keygen-pj.exe 2408 keygen-step-1.exe 4944 key.exe -
Loads dropped DLL 5 IoCs
Processes:
rundll32.exekeygen-step-1.exepid process 2524 rundll32.exe 2408 keygen-step-1.exe 2408 keygen-step-1.exe 2408 keygen-step-1.exe 2408 keygen-step-1.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
key.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts key.exe -
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes:
key.exekeygen-step-1.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook key.exe Key opened \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook keygen-step-1.exe Key opened \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook keygen-step-1.exe Key opened \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook keygen-step-1.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
cmd.exetimeout.exekeygen-step-1.exekeygen-pj.exerundll32.exekey.execmd.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language keygen-step-1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language keygen-pj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language key.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
keygen-step-1.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 keygen-step-1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString keygen-step-1.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 5552 timeout.exe -
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
keygen-step-1.exepid process 2408 keygen-step-1.exe 2408 keygen-step-1.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
key.exedescription pid process Token: SeImpersonatePrivilege 4944 key.exe Token: SeTcbPrivilege 4944 key.exe Token: SeChangeNotifyPrivilege 4944 key.exe Token: SeCreateTokenPrivilege 4944 key.exe Token: SeBackupPrivilege 4944 key.exe Token: SeRestorePrivilege 4944 key.exe Token: SeIncreaseQuotaPrivilege 4944 key.exe Token: SeAssignPrimaryTokenPrivilege 4944 key.exe Token: SeImpersonatePrivilege 4944 key.exe Token: SeTcbPrivilege 4944 key.exe Token: SeChangeNotifyPrivilege 4944 key.exe Token: SeCreateTokenPrivilege 4944 key.exe Token: SeBackupPrivilege 4944 key.exe Token: SeRestorePrivilege 4944 key.exe Token: SeIncreaseQuotaPrivilege 4944 key.exe Token: SeAssignPrimaryTokenPrivilege 4944 key.exe Token: SeImpersonatePrivilege 4944 key.exe Token: SeTcbPrivilege 4944 key.exe Token: SeChangeNotifyPrivilege 4944 key.exe Token: SeCreateTokenPrivilege 4944 key.exe Token: SeBackupPrivilege 4944 key.exe Token: SeRestorePrivilege 4944 key.exe Token: SeIncreaseQuotaPrivilege 4944 key.exe Token: SeAssignPrimaryTokenPrivilege 4944 key.exe Token: SeImpersonatePrivilege 4944 key.exe Token: SeTcbPrivilege 4944 key.exe Token: SeChangeNotifyPrivilege 4944 key.exe Token: SeCreateTokenPrivilege 4944 key.exe Token: SeBackupPrivilege 4944 key.exe Token: SeRestorePrivilege 4944 key.exe Token: SeIncreaseQuotaPrivilege 4944 key.exe Token: SeAssignPrimaryTokenPrivilege 4944 key.exe Token: SeImpersonatePrivilege 4944 key.exe Token: SeTcbPrivilege 4944 key.exe Token: SeChangeNotifyPrivilege 4944 key.exe Token: SeCreateTokenPrivilege 4944 key.exe Token: SeBackupPrivilege 4944 key.exe Token: SeRestorePrivilege 4944 key.exe Token: SeIncreaseQuotaPrivilege 4944 key.exe Token: SeAssignPrimaryTokenPrivilege 4944 key.exe Token: SeImpersonatePrivilege 4944 key.exe Token: SeTcbPrivilege 4944 key.exe Token: SeChangeNotifyPrivilege 4944 key.exe Token: SeCreateTokenPrivilege 4944 key.exe Token: SeBackupPrivilege 4944 key.exe Token: SeRestorePrivilege 4944 key.exe Token: SeIncreaseQuotaPrivilege 4944 key.exe Token: SeAssignPrimaryTokenPrivilege 4944 key.exe -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
Autodesk_AutoCAD_2023_License_keygen_by_KeyGenGuru.execmd.execontrol.exerundll32.exekeygen-pj.exekey.exekeygen-step-1.execmd.exedescription pid process target process PID 5368 wrote to memory of 4828 5368 Autodesk_AutoCAD_2023_License_keygen_by_KeyGenGuru.exe cmd.exe PID 5368 wrote to memory of 4828 5368 Autodesk_AutoCAD_2023_License_keygen_by_KeyGenGuru.exe cmd.exe PID 4828 wrote to memory of 2836 4828 cmd.exe keygen-pj.exe PID 4828 wrote to memory of 2836 4828 cmd.exe keygen-pj.exe PID 4828 wrote to memory of 2836 4828 cmd.exe keygen-pj.exe PID 4828 wrote to memory of 2408 4828 cmd.exe keygen-step-1.exe PID 4828 wrote to memory of 2408 4828 cmd.exe keygen-step-1.exe PID 4828 wrote to memory of 2408 4828 cmd.exe keygen-step-1.exe PID 4828 wrote to memory of 1644 4828 cmd.exe control.exe PID 4828 wrote to memory of 1644 4828 cmd.exe control.exe PID 1644 wrote to memory of 5484 1644 control.exe rundll32.exe PID 1644 wrote to memory of 5484 1644 control.exe rundll32.exe PID 5484 wrote to memory of 2524 5484 rundll32.exe rundll32.exe PID 5484 wrote to memory of 2524 5484 rundll32.exe rundll32.exe PID 5484 wrote to memory of 2524 5484 rundll32.exe rundll32.exe PID 2836 wrote to memory of 4944 2836 keygen-pj.exe key.exe PID 2836 wrote to memory of 4944 2836 keygen-pj.exe key.exe PID 2836 wrote to memory of 4944 2836 keygen-pj.exe key.exe PID 4944 wrote to memory of 2764 4944 key.exe cmd.exe PID 4944 wrote to memory of 2764 4944 key.exe cmd.exe PID 4944 wrote to memory of 2764 4944 key.exe cmd.exe PID 2408 wrote to memory of 4592 2408 keygen-step-1.exe cmd.exe PID 2408 wrote to memory of 4592 2408 keygen-step-1.exe cmd.exe PID 2408 wrote to memory of 4592 2408 keygen-step-1.exe cmd.exe PID 4592 wrote to memory of 5552 4592 cmd.exe timeout.exe PID 4592 wrote to memory of 5552 4592 cmd.exe timeout.exe PID 4592 wrote to memory of 5552 4592 cmd.exe timeout.exe -
outlook_office_path 1 IoCs
Processes:
keygen-step-1.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook keygen-step-1.exe -
outlook_win_path 1 IoCs
Processes:
keygen-step-1.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook keygen-step-1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Autodesk_AutoCAD_2023_License_keygen_by_KeyGenGuru.exe"C:\Users\Admin\AppData\Local\Temp\Autodesk_AutoCAD_2023_License_keygen_by_KeyGenGuru.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5368 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exekeygen-pj.exe -pAevKviq48c3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240731765.bat" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe" "5⤵
- System Location Discovery: System Language Discovery
PID:2764
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2408 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "keygen-step-1.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\timeout.exeC:\Windows\system32\timeout.exe 35⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:5552
-
-
-
-
C:\Windows\System32\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",3⤵
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",4⤵
- Suspicious use of WriteProcessMemory
PID:5484 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2524
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
7Credentials In Files
6Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94B
MD53880eeb1c736d853eb13b44898b718ab
SHA14eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA5123eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
-
Filesize
135KB
MD59e682f1eb98a9d41468fc3e50f907635
SHA185e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
-
Filesize
429KB
MD5109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
Filesize
1.2MB
MD5556ea09421a0f74d31c4c0a89a70dc23
SHA1f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA5122481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
-
Filesize
81KB
MD57587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
Filesize
363KB
MD5c0f34f38475aa244c9c8696aeed709a5
SHA10194b56c80c4b5192873400fdc96ce7d8df682a2
SHA256831c985a5c9cc76c7c3de456f2eafeeba65a8930ef5e2aecc69fc7bd739f1046
SHA51215defe7601a9d49325719b746422ddc60492935d3e34db058ed7f726cfeff0b3dac6faf2bcb9113ce14bdf9e8d295bef33931fd23e58c995cc6a4f42fa310ced
-
Filesize
112KB
MD543eb47b71c9f1003adc2d0f108d2679c
SHA15965eb51d289dc79ab56cb995d47f371472d4846
SHA256913ee402508d3b9e7e55e1051f16a358ce78c19b4e07c6f234f4b73602802fa1
SHA5127713cfcf2e1aae2ddc4dab14f4f7f1a4f5a414f87f75a2371fe261edceb9882b935a6044dd0fd1b88fc11cc9b044672fb14a91987806e3afff9df74fd6f5eee0
-
Filesize
2.7MB
MD590216b266bc1e5182f762df54012f29c
SHA15d04072cfa791b1c1f57ff722b1bf7de00d7454f
SHA2569d9398d6c7a36980524aae5a0e3c4c7187b44ba36163cd93e26bc954491117b7
SHA512560015eced6887f2c427c9a1f626d524ceeb068bee6344fd187e3ccfd255832e6e99565bd2e9b73694d3b63fae92348e8fd91a419fdeb3ee9bfaddb7c080f046
-
Filesize
97B
MD5b7da5b5251bfd8f57cbac943155601a9
SHA1133751b2b7a68a92ad1e21417dd4d2b1d44cc2da
SHA256023d11aa3cbc04bc1591c0bb608f35da7c124f8a30c57accaf6be067b889c2ee
SHA5127e71857c603dee06fc7a63a8a0e7cfb7f18d24b676c0a3df45f5b011f638a84faf4bb5d69ebc2c5a998482c4bbad1b726c43aa6e5669d3762f263a56d4e47368
-
Filesize
103KB
MD52fbf80a7ba32f036bb97a2d0d909283c
SHA1ed00a832320f3806ef3ecacfb54356e55b8e713f
SHA256aaa583789b2a7d918ab2654f48b2f401588f43f8b835ea176ea4276c59bed4ee
SHA512a74ec6ffc270d3800f673aa83a76d6dc59857a71791470a4e09653bbfc18ec192b8949566ab15adaf923a3f9b54d568f6de93ad36df70357450d3effb09160ef