Overview

overview

10

Static

static

3

Dolby_Surr...TY.exe

windows7-x64

10

Dolby_Surr...TY.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    104s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-12-2024 21:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Dolby_Surround_for_crack_by_FUTURiTY.exe

  • Size

    6.5MB

  • MD5

    a7046cf7b7f365ad5cbe1abe8424546d

  • SHA1

    1dda689815b57ff34a48c4ec11138ed03fe384af

  • SHA256

    a9c5e980225a4b1ecf8ca683dd59f1e5a9dee119964a0ef38481ecd1890f3dc9

  • SHA512

    5763150bae74468465add87aba71b5f138f9dc99b16bbcb49e9fc8104c72b857c8dc083a2f97fce64141a91ae598c74c8ad265c8b2da441f4b3f64971e624d91

  • SSDEEP

    196608:ehw16V6LxwNYQKnmFrG2V9BdioOJdVwIIP:LkOQrFrG2VXdSPVwIIP

Score
10/10
azorultponycollectioncredential_accessdiscoveryinfostealerratspywarestealertrojan

Malware Config

Extracted

Family

azorult

C2

http://upqx.ru/1210776429.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Azorult family
    azorult
  • Pony family
    pony
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dolby_Surround_for_crack_by_FUTURiTY.exe
    "C:\Users\Admin\AppData\Local\Temp\Dolby_Surround_for_crack_by_FUTURiTY.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe
        keygen-pj.exe -pAevKviq48c
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3148
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Accesses Microsoft Outlook accounts
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_win_path
          PID:1584
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240642359.bat" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe" "
            5⤵
            • System Location Discovery: System Language Discovery
            PID:716
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
        keygen-step-1.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:412
      • C:\Windows\System32\control.exe
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2940
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3312
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:2256
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4804
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:3436

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\240642359.bat
      Filesize

      94B

      MD5

      3880eeb1c736d853eb13b44898b718ab

      SHA1

      4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

      SHA256

      936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

      SHA512

      3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe
      Filesize

      363KB

      MD5

      c0f34f38475aa244c9c8696aeed709a5

      SHA1

      0194b56c80c4b5192873400fdc96ce7d8df682a2

      SHA256

      831c985a5c9cc76c7c3de456f2eafeeba65a8930ef5e2aecc69fc7bd739f1046

      SHA512

      15defe7601a9d49325719b746422ddc60492935d3e34db058ed7f726cfeff0b3dac6faf2bcb9113ce14bdf9e8d295bef33931fd23e58c995cc6a4f42fa310ced

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
      Filesize

      112KB

      MD5

      43eb47b71c9f1003adc2d0f108d2679c

      SHA1

      5965eb51d289dc79ab56cb995d47f371472d4846

      SHA256

      913ee402508d3b9e7e55e1051f16a358ce78c19b4e07c6f234f4b73602802fa1

      SHA512

      7713cfcf2e1aae2ddc4dab14f4f7f1a4f5a414f87f75a2371fe261edceb9882b935a6044dd0fd1b88fc11cc9b044672fb14a91987806e3afff9df74fd6f5eee0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl
      Filesize

      8.9MB

      MD5

      8fd595d53725ff47a752b5c8e6eb1e0d

      SHA1

      bdbc98eb8a14039978484c8fa1407321b0f1a496

      SHA256

      24b7605dc44c07af14a4caa4e06815eb6460c1c1c2fd568d033d929aa6cfba9a

      SHA512

      fc9f2d576a0f6e49e4ef700667e70e3ebb738300f0ce4c9384c29cfd0bd61eb8c2b65a6b89136691aa5c564027e977aa74ea073ae3247157de8a73827d1dcc82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat
      Filesize

      97B

      MD5

      b7da5b5251bfd8f57cbac943155601a9

      SHA1

      133751b2b7a68a92ad1e21417dd4d2b1d44cc2da

      SHA256

      023d11aa3cbc04bc1591c0bb608f35da7c124f8a30c57accaf6be067b889c2ee

      SHA512

      7e71857c603dee06fc7a63a8a0e7cfb7f18d24b676c0a3df45f5b011f638a84faf4bb5d69ebc2c5a998482c4bbad1b726c43aa6e5669d3762f263a56d4e47368

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      Filesize

      103KB

      MD5

      2fbf80a7ba32f036bb97a2d0d909283c

      SHA1

      ed00a832320f3806ef3ecacfb54356e55b8e713f

      SHA256

      aaa583789b2a7d918ab2654f48b2f401588f43f8b835ea176ea4276c59bed4ee

      SHA512

      a74ec6ffc270d3800f673aa83a76d6dc59857a71791470a4e09653bbfc18ec192b8949566ab15adaf923a3f9b54d568f6de93ad36df70357450d3effb09160ef

      Download Submit

    • memory/412-48-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

      Download