Analysis
- Max time kernel: 123s
- Max time network: 124s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 24-11-2020 06:27
Static task: static1

Behavioral task: behavioral1
- Sample: KeyFinderInstaller.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: KeyFinderInstaller.exe
- Resource: win10v20201028
General
- Target: KeyFinderInstaller.exe
- Size: 894KB
- MD5: 4b2139441df5fdaeda146339c7e6777e
- SHA1: 8c07195a795889badc7759a402a6e992f96ebe1b
- SHA256: 7ff75915724b2c6ee04d52f56d2e9ae0f45bebff8a378246fd61b8d6afece159
- SHA512: 1d9746960c6f938121f147f8d65e1a5a641b3ff2c38edc3f4850670577a476d01d8b8f553475ac704a51ba200e7815f8b07357eb90bd6c7d5f0f899c6b56a48a
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  PID   Process
  2012  KeyFinderInstaller.tmp
  1580  keyfinder.exe

Loads dropped DLL (7 IoCs)
Processes:
  PID   Process
  1704  KeyFinderInstaller.exe
  2012  KeyFinderInstaller.tmp
  2012  KeyFinderInstaller.tmp
  2012  KeyFinderInstaller.tmp
  2012  KeyFinderInstaller.tmp
  2012  KeyFinderInstaller.tmp
  2012  KeyFinderInstaller.tmp

Checks for any installed AV software in registry (1 TTPs, 1 IoCs)
Processes:
  Description   IoC                                                                            Process
  Key opened    \REGISTRY\MACHINE\Software\Wow6432Node\Avira\AntiVir PersonalEdition Classic  keyfinder.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (7 IoCs)
Processes:
  Description                   IoC                                                      Process
  File created                  C:\Program Files (x86)\Magical Jelly Bean\is-8PVVF.tmp   KeyFinderInstaller.tmp
  File created                  C:\Program Files (x86)\Magical Jelly Bean\unins000.msg   KeyFinderInstaller.tmp
  File opened for modification  C:\Program Files (x86)\Magical Jelly Bean\unins000.dat   KeyFinderInstaller.tmp
  File opened for modification  C:\Program Files (x86)\Magical Jelly Bean\keyfinder.exe  KeyFinderInstaller.tmp
  File created                  C:\Program Files (x86)\Magical Jelly Bean\unins000.dat   KeyFinderInstaller.tmp
  File created                  C:\Program Files (x86)\Magical Jelly Bean\is-R03J5.tmp   KeyFinderInstaller.tmp
  File created                  C:\Program Files (x86)\Magical Jelly Bean\is-PP0I5.tmp   KeyFinderInstaller.tmp

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID   Process
  2012  KeyFinderInstaller.tmp
  2012  KeyFinderInstaller.tmp

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
  PID   Process
  2012  KeyFinderInstaller.tmp

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  Description                       PID   Process                 Target process
  PID 1704 wrote to memory of 2012  1704  KeyFinderInstaller.exe  KeyFinderInstaller.tmp
  PID 1704 wrote to memory of 2012  1704  KeyFinderInstaller.exe  KeyFinderInstaller.tmp
  PID 1704 wrote to memory of 2012  1704  KeyFinderInstaller.exe  KeyFinderInstaller.tmp
  PID 1704 wrote to memory of 2012  1704  KeyFinderInstaller.exe  KeyFinderInstaller.tmp
  PID 1704 wrote to memory of 2012  1704  KeyFinderInstaller.exe  KeyFinderInstaller.tmp
  PID 1704 wrote to memory of 2012  1704  KeyFinderInstaller.exe  KeyFinderInstaller.tmp
  PID 1704 wrote to memory of 2012  1704  KeyFinderInstaller.exe  KeyFinderInstaller.tmp
  PID 2012 wrote to memory of 1580  2012  KeyFinderInstaller.tmp  keyfinder.exe
  PID 2012 wrote to memory of 1580  2012  KeyFinderInstaller.tmp  keyfinder.exe
  PID 2012 wrote to memory of 1580  2012  KeyFinderInstaller.tmp  keyfinder.exe
  PID 2012 wrote to memory of 1580  2012  KeyFinderInstaller.tmp  keyfinder.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\KeyFinderInstaller.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\KeyFinderInstaller.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\is-JU7MF.tmp\KeyFinderInstaller.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-JU7MF.tmp\KeyFinderInstaller.tmp" /SL5="$300F0,502541,137216,C:\Users\Admin\AppData\Local\Temp\KeyFinderInstaller.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Magical Jelly Bean\keyfinder.exe
         Command line: "C:\Program Files (x86)\Magical Jelly Bean\keyfinder.exe"
         - Executes dropped EXE
         - Checks for any installed AV software in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Program Files (x86)\Magical Jelly Bean\keyfinder.cfg
  MD5: 140d038ef89652a973d8d6e4cb78971e
  SHA1: 9921cebfae5089f969f87323c0d47a6be8f71415
  SHA256: 84664b7e451616ca3408db08823d8577d6df71d69c90448a0524c33964101122
  SHA512: 0baf3fd8a731eb7a1dde57a5f893bb0807128e9fca585bb5b3dd907a3752cd4bff8455cf0b1385570aeae803986ec216a4286b68be17d8e6d53edc31995ef9ef
- C:\Program Files (x86)\Magical Jelly Bean\keyfinder.exe
  MD5: a0d6fa3ef06e5996e4f053081850100c
  SHA1: 0d4d7b798bd931030cadae9ac96cf50b890dec02
  SHA256: a386a7668cbc84122de89eebee08d3276c78e395edfc7b482c2ad895be03b557
  SHA512: f980cccbb132fd0ec44dbcdde1e5612add4d3178237daee3ccc0154414d9b282382c971251aefe4f9435dc487e8249f7ff664dccddd10b0c08b83b2316e0ac49
- C:\Users\Admin\AppData\Local\Temp\is-JU7MF.tmp\KeyFinderInstaller.tmp
  MD5: ef74b73ac878eb31fcd693466fd34dbd
  SHA1: 06d322207bd709e9458e0db04977afe8a924b1dc
  SHA256: 6860c2451dfd038819f4002d6adddb7fe056182456535fdc909b7a052e73accb
  SHA512: 9a1c29fe30221050b7a2f6c4b39101a39d10b6f1cbd2fe6c4969d3c0619f67444b5aa448a7fc2829bf581bbf29c6776e50b7ba9c911504cbbf2f0c6f72ee4aeb
- \Program Files (x86)\Magical Jelly Bean\keyfinder.exe
  MD5: a0d6fa3ef06e5996e4f053081850100c
  SHA1: 0d4d7b798bd931030cadae9ac96cf50b890dec02
  SHA256: a386a7668cbc84122de89eebee08d3276c78e395edfc7b482c2ad895be03b557
  SHA512: f980cccbb132fd0ec44dbcdde1e5612add4d3178237daee3ccc0154414d9b282382c971251aefe4f9435dc487e8249f7ff664dccddd10b0c08b83b2316e0ac49
- \Program Files (x86)\Magical Jelly Bean\unins000.exe
  MD5: ef74b73ac878eb31fcd693466fd34dbd
  SHA1: 06d322207bd709e9458e0db04977afe8a924b1dc
  SHA256: 6860c2451dfd038819f4002d6adddb7fe056182456535fdc909b7a052e73accb
  SHA512: 9a1c29fe30221050b7a2f6c4b39101a39d10b6f1cbd2fe6c4969d3c0619f67444b5aa448a7fc2829bf581bbf29c6776e50b7ba9c911504cbbf2f0c6f72ee4aeb
- \Users\Admin\AppData\Local\Temp\is-JU7MF.tmp\KeyFinderInstaller.tmp
  MD5: ef74b73ac878eb31fcd693466fd34dbd
  SHA1: 06d322207bd709e9458e0db04977afe8a924b1dc
  SHA256: 6860c2451dfd038819f4002d6adddb7fe056182456535fdc909b7a052e73accb
  SHA512: 9a1c29fe30221050b7a2f6c4b39101a39d10b6f1cbd2fe6c4969d3c0619f67444b5aa448a7fc2829bf581bbf29c6776e50b7ba9c911504cbbf2f0c6f72ee4aeb
- \Users\Admin\AppData\Local\Temp\is-P1FVJ.tmp\_isetup\_shfoldr.dll
  MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
- memory/1580-20-0x0000000000000000-mapping.dmp
- memory/2012-1-0x0000000000000000-mapping.dmp