Resubmissions

  • 12-11-2024 01:29  241112-bwgrxs1gnf 10
  • 08-07-2021 12:18  210708-8z6d5h8z2n 10
  • 06-07-2021 17:53  210706-g6we6sa7sa 10
  • 19-06-2021 18:17  210619-vr8bj2dzfn 10
  • 17-06-2021 21:39  210617-a9cvlnmrbx 10
  • 11-06-2021 17:26  210611-wvab1yw2tj 10
  • 08-06-2021 06:47  210608-qrbpch3y46 10
  • 08-06-2021 06:47  210608-64tndgm1ln 10
  • 05-06-2021 18:40  210605-cd6qpr55sx 10
  • 04-06-2021 11:56  210604-5c416rs3ns 10

Analysis

  • max time kernel
    1799s
  • max time network
    1705s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    06-07-2021 17:53

General

  • Target

    keygen-step-4d.exe

  • Size

    4.6MB

  • MD5

    563107b1df2a00f4ec868acd9e08a205

  • SHA1

    9cb9c91d66292f5317aa50d92e38834861e9c9b7

  • SHA256

    bf2bd257dde4921ce83c7c1303fafe7f9f81e53c2775d3c373ced482b22eb8a9

  • SHA512

    99a8d247fa435c4cd95be7bc64c7dd6e382371f3a3c160aac3995fd705e4fd3f6622c23784a4ae3457c87536347d15eda3f08aa616450778a99376df540d74d1

Malware Config

Signatures

  • Executes dropped EXE 11 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
    1⤵
    PID:1084
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s SENS
    1⤵
    PID:1356
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Browser
    1⤵
    PID:2752
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
    1⤵
    PID:2384
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
    1⤵
    PID:2360
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2332
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
    1⤵
    PID:2272
  • C:\Users\Admin\AppData\Local\Temp\keygen-step-4d.exe
    "C:\Users\Admin\AppData\Local\Temp\keygen-step-4d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3128
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3712
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3808
      • C:\Users\Admin\AppData\Local\Temp\is-I2846.tmp\Install.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-I2846.tmp\Install.tmp" /SL5="$4007E,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2744
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      PID:3672
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe" >> NUL
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1736
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2440
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      PID:4436
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3808
      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        3⤵
        • Executes dropped EXE
        PID:4720
      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3960
      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3168
      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2460
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
    1⤵
    PID:1892
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s UserManager
    1⤵
    PID:1288
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Themes
    1⤵
    PID:1196
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Schedule
    1⤵
    PID:932
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
    1⤵
    PID:68
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:496
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      PID:3564
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4308
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4148
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:4196
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4532
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4680
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:5048
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:4640
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:4568

Network

MITRE ATT&CK Enterprise v6

Downloads
