Analysis
- max time kernel: 13s
- max time network: 114s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 18-02-2021 10:24
Static task
- static1
Behavioral tasks
- behavioral1: sample keygen-pr.exe, resource win7v20201028
- behavioral2: sample keygen-pr.exe, resource win10v20201028
- behavioral3: sample keygen-step-1.exe, resource win7v20201028
- behavioral4: sample keygen-step-1.exe, resource win10v20201028
- behavioral5: sample keygen-step-3.exe, resource win7v20201028
- behavioral6: sample keygen-step-3.exe, resource win10v20201028
- behavioral7: sample keygen-step-4.exe, resource win7v20201028
- behavioral8: sample keygen-step-4.exe, resource win10v20201028
General
- Target: keygen-step-3.exe
- Size: 704KB
- MD5: 62d2a07135884c5c8ff742c904fddf56
- SHA1: 46ce1f7fdf8b4cb2abe479efd5f352db9728a40b
- SHA256: a12fee020eb54a0f012545074c689893113d130498d9ad411d5852c786770b81
- SHA512: 19c4dc3558308052bb13f71ca633ab05d55d57b68fc240fcc6d06e583fa61c5ccea87ef0f8196acc19b37d87deb42e5c204a2a05fce63f1accaf9e39c219f519
Malware Config
Signatures
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description | pid | process | target process
PID 4092 wrote to memory of 1552 | 4092 | keygen-step-3.exe | cmd.exe
PID 4092 wrote to memory of 1552 | 4092 | keygen-step-3.exe | cmd.exe
PID 4092 wrote to memory of 1552 | 4092 | keygen-step-3.exe | cmd.exe
PID 1552 wrote to memory of 2188 | 1552 | cmd.exe | PING.EXE
PID 1552 wrote to memory of 2188 | 1552 | cmd.exe | PING.EXE
PID 1552 wrote to memory of 2188 | 1552 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"
  Signature: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"
    Signature: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 3000
      Signature: Runs ping.exe