Analysis
-
max time kernel
29s -
max time network
112s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
24-11-2020 06:27
General
-
Target
KeyFinderInstaller.exe
-
Size
894KB
-
MD5
4b2139441df5fdaeda146339c7e6777e
-
SHA1
8c07195a795889badc7759a402a6e992f96ebe1b
-
SHA256
7ff75915724b2c6ee04d52f56d2e9ae0f45bebff8a378246fd61b8d6afece159
-
SHA512
1d9746960c6f938121f147f8d65e1a5a641b3ff2c38edc3f4850670577a476d01d8b8f553475ac704a51ba200e7815f8b07357eb90bd6c7d5f0f899c6b56a48a
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Checks for any installed AV software in registry 1 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\KeyFinderInstaller.exe"C:\Users\Admin\AppData\Local\Temp\KeyFinderInstaller.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-5G620.tmp\KeyFinderInstaller.tmp"C:\Users\Admin\AppData\Local\Temp\is-5G620.tmp\KeyFinderInstaller.tmp" /SL5="$20116,502541,137216,C:\Users\Admin\AppData\Local\Temp\KeyFinderInstaller.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Magical Jelly Bean\keyfinder.exe"C:\Program Files (x86)\Magical Jelly Bean\keyfinder.exe"3⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Magical Jelly Bean\keyfinder.cfgMD5
140d038ef89652a973d8d6e4cb78971e
SHA19921cebfae5089f969f87323c0d47a6be8f71415
SHA25684664b7e451616ca3408db08823d8577d6df71d69c90448a0524c33964101122
SHA5120baf3fd8a731eb7a1dde57a5f893bb0807128e9fca585bb5b3dd907a3752cd4bff8455cf0b1385570aeae803986ec216a4286b68be17d8e6d53edc31995ef9ef
-
C:\Program Files (x86)\Magical Jelly Bean\keyfinder.exeMD5
a0d6fa3ef06e5996e4f053081850100c
SHA10d4d7b798bd931030cadae9ac96cf50b890dec02
SHA256a386a7668cbc84122de89eebee08d3276c78e395edfc7b482c2ad895be03b557
SHA512f980cccbb132fd0ec44dbcdde1e5612add4d3178237daee3ccc0154414d9b282382c971251aefe4f9435dc487e8249f7ff664dccddd10b0c08b83b2316e0ac49
-
C:\Program Files (x86)\Magical Jelly Bean\keyfinder.exeMD5
a0d6fa3ef06e5996e4f053081850100c
SHA10d4d7b798bd931030cadae9ac96cf50b890dec02
SHA256a386a7668cbc84122de89eebee08d3276c78e395edfc7b482c2ad895be03b557
SHA512f980cccbb132fd0ec44dbcdde1e5612add4d3178237daee3ccc0154414d9b282382c971251aefe4f9435dc487e8249f7ff664dccddd10b0c08b83b2316e0ac49
-
C:\Users\Admin\AppData\Local\Temp\is-5G620.tmp\KeyFinderInstaller.tmpMD5
ef74b73ac878eb31fcd693466fd34dbd
SHA106d322207bd709e9458e0db04977afe8a924b1dc
SHA2566860c2451dfd038819f4002d6adddb7fe056182456535fdc909b7a052e73accb
SHA5129a1c29fe30221050b7a2f6c4b39101a39d10b6f1cbd2fe6c4969d3c0619f67444b5aa448a7fc2829bf581bbf29c6776e50b7ba9c911504cbbf2f0c6f72ee4aeb
-
C:\Users\Admin\AppData\Local\Temp\is-5G620.tmp\KeyFinderInstaller.tmpMD5
ef74b73ac878eb31fcd693466fd34dbd
SHA106d322207bd709e9458e0db04977afe8a924b1dc
SHA2566860c2451dfd038819f4002d6adddb7fe056182456535fdc909b7a052e73accb
SHA5129a1c29fe30221050b7a2f6c4b39101a39d10b6f1cbd2fe6c4969d3c0619f67444b5aa448a7fc2829bf581bbf29c6776e50b7ba9c911504cbbf2f0c6f72ee4aeb
-
memory/1928-3-0x0000000000000000-mapping.dmp
-
memory/2080-0-0x0000000000000000-mapping.dmp