201001-nyhbt4p25j_pw_infected[.]rar | Triage

Resubmissions

02-10-2020 21:14

201002-pjxdl9y6a6 10

01-10-2020 20:51

201001-e45lwcxsnn 10

01-10-2020 20:51

201001-fhxddb9gwe 10

01-10-2020 20:51

201001-ts8hns28ea 10

01-10-2020 20:51

201001-v1kt3kgljx 10

01-10-2020 20:51

201001-d2fbtjzv4s 10

01-10-2020 20:51

201001-cgj9prs442 10

01-10-2020 20:49

201001-t1jnpvwcgx 10

Analysis

max time kernel
5s
max time network
161s
platform
windows10_x64
resource
win10v200722
submitted
01-10-2020 20:51

Sharing

Report Analysis Logs

General

Target

201001-nyhbt4p25j_pw_infected/Keygen — копия (94) — копия.exe

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

Keygen.exe

pid process

3976 Keygen.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4080 timeout.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000_Classes\Local Settings cmd.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Keygen.exe

pid process

3976 Keygen.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

cmd.exe

description	pid	target process
PID 492 wrote to memory of 2376	492	cmd.exe
PID 492 wrote to memory of 2376	492	cmd.exe
PID 492 wrote to memory of 2376	492	cmd.exe
PID 2376 wrote to memory of 3976	2376	cmd.exe	Keygen.exe
PID 2376 wrote to memory of 3976	2376	cmd.exe	Keygen.exe
PID 2376 wrote to memory of 3976	2376	cmd.exe	Keygen.exe
PID 2376 wrote to memory of 3028	2376	cmd.exe	mshta.exe
PID 2376 wrote to memory of 3028	2376	cmd.exe	mshta.exe
PID 2376 wrote to memory of 3028	2376	cmd.exe	mshta.exe
PID 2376 wrote to memory of 2560	2376	cmd.exe	mshta.exe
PID 2376 wrote to memory of 2560	2376	cmd.exe	mshta.exe
PID 2376 wrote to memory of 2560	2376	cmd.exe	mshta.exe
PID 2376 wrote to memory of 4080	2376	cmd.exe	timeout.exe
PID 2376 wrote to memory of 4080	2376	cmd.exe	timeout.exe
PID 2376 wrote to memory of 4080	2376	cmd.exe	timeout.exe
PID 2376 wrote to memory of 3264	2376	cmd.exe	mshta.exe
PID 2376 wrote to memory of 3264	2376	cmd.exe	mshta.exe
PID 2376 wrote to memory of 3264	2376	cmd.exe	mshta.exe
PID 2376 wrote to memory of 4060	2376	cmd.exe	mshta.exe
PID 2376 wrote to memory of 4060	2376	cmd.exe	mshta.exe
PID 2376 wrote to memory of 4060	2376	cmd.exe	mshta.exe

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\74F7.tmp\start.bat" "C:\Users\Admin\AppData\Local\Temp\201001-nyhbt4p25j_pw_infected\Keygen — ????? (94) — ?????.exe""
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2376

C:\Users\Admin\AppData\Local\Temp\74F7.tmp\Keygen.exe
Keygen.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3976

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\74F7.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:3028

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\74F7.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:2560

C:\Windows\SysWOW64\timeout.exe
timeout 1
2⤵
- Delays execution with timeout.exe
PID:4080

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\74F7.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:3264

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\74F7.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:4060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\74F7.tmp\Keygen.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\74F7.tmp\Keygen.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\74F7.tmp\b.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\74F7.tmp\b1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\74F7.tmp\m.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\74F7.tmp\m1.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\74F7.tmp\start.bat

Download Submit
memory/2376-0-0x0000000000000000-mapping.dmp

Download
memory/2560-9-0x0000000000000000-mapping.dmp

Download
memory/3028-7-0x0000000000000000-mapping.dmp

Download
memory/3264-13-0x0000000000000000-mapping.dmp

Download
memory/3976-2-0x0000000000000000-mapping.dmp

Download
memory/3976-3-0x0000000000000000-mapping.dmp

Download
memory/4060-15-0x0000000000000000-mapping.dmp

Download
memory/4080-10-0x0000000000000000-mapping.dmp

Download