Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
23-11-2024 11:15
Behavioral task
behavioral1
Sample
keygen-step-1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
keygen-step-1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
keygen-step-1.exe
Resource
win11-20241007-en
General
-
Target
keygen-step-1.exe
-
Size
112KB
-
MD5
43eb47b71c9f1003adc2d0f108d2679c
-
SHA1
5965eb51d289dc79ab56cb995d47f371472d4846
-
SHA256
913ee402508d3b9e7e55e1051f16a358ce78c19b4e07c6f234f4b73602802fa1
-
SHA512
7713cfcf2e1aae2ddc4dab14f4f7f1a4f5a414f87f75a2371fe261edceb9882b935a6044dd0fd1b88fc11cc9b044672fb14a91987806e3afff9df74fd6f5eee0
-
SSDEEP
3072:KExRaX6raoCoCyz6/mqv1JR+yBtGOeaeWgiroq:faZ1tme++wiT
Malware Config
Extracted
azorult
http://upqx.ru/1210776429.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Loads dropped DLL 4 IoCs
pid Process 5108 keygen-step-1.exe 5108 keygen-step-1.exe 5108 keygen-step-1.exe 5108 keygen-step-1.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook keygen-step-1.exe Key opened \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook keygen-step-1.exe Key opened \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook keygen-step-1.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language keygen-step-1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 keygen-step-1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString keygen-step-1.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 1084 timeout.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 5108 keygen-step-1.exe 5108 keygen-step-1.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 5108 wrote to memory of 4580 5108 keygen-step-1.exe 77 PID 5108 wrote to memory of 4580 5108 keygen-step-1.exe 77 PID 5108 wrote to memory of 4580 5108 keygen-step-1.exe 77 PID 4580 wrote to memory of 1084 4580 cmd.exe 79 PID 4580 wrote to memory of 1084 4580 cmd.exe 79 PID 4580 wrote to memory of 1084 4580 cmd.exe 79 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook keygen-step-1.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook keygen-step-1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"1⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:5108 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "keygen-step-1.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\timeout.exeC:\Windows\system32\timeout.exe 33⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1084
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
7Credentials In Files
6Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
135KB
MD59e682f1eb98a9d41468fc3e50f907635
SHA185e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed
-
Filesize
429KB
MD5109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
Filesize
1.2MB
MD5556ea09421a0f74d31c4c0a89a70dc23
SHA1f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA5122481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2
-
Filesize
81KB
MD57587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f