Overview

overview

10

Static

static

10

keygen-step-1.exe

windows11_x64

10

keygen-step-1.exe

windows10_x64

10

keygen-step-1.exe

windows10_x64

10

keygen-step-3.exe

windows11_x64

10

keygen-step-3.exe

windows10_x64

8

keygen-step-3.exe

windows10_x64

8

keygen-ste...ck.exe

windows11_x64

10

keygen-ste...ck.exe

windows10_x64

10

keygen-ste...ck.exe

windows10_x64

10

keygen-ste...28.exe

windows11_x64

10

keygen-ste...28.exe

windows10_x64

10

keygen-ste...28.exe

windows10_x64

10

keygen-ste...up.exe

windows11_x64

10

keygen-ste...up.exe

windows10_x64

10

keygen-ste...up.exe

windows10_x64

10

keygen-ste...5f.exe

windows11_x64

10

keygen-ste...5f.exe

windows10_x64

keygen-ste...5f.exe

windows10_x64

10

keygen-ste...af.exe

windows11_x64

7

keygen-ste...af.exe

windows10_x64

7

keygen-ste...af.exe

windows10_x64

7

keygen-step-4/ss.exe

windows11_x64

10

keygen-step-4/ss.exe

windows10_x64

9

keygen-step-4/ss.exe

windows10_x64

9

keygen-step-6.exe

windows11_x64

6

keygen-step-6.exe

windows10_x64

6

keygen-step-6.exe

windows10_x64

6

keygen.bat

windows11_x64

10

keygen.bat

windows10_x64

10

keygen.bat

windows10_x64

10

Resubmissions

07-09-2021 18:08

210907-wq7rdadba9 10

07-09-2021 17:57

210907-wjxylagcfn 10

Analysis

  • max time kernel
    457s
  • max time network
    1609s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    07-09-2021 18:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    keygen-step-4/ss.exe

  • Size

    100KB

  • MD5

    9a6071c1a67be3fb247f857fe5903bbf

  • SHA1

    4a2e14763c51537e8695014007eceaf391a3f600

  • SHA256

    01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c

  • SHA512

    c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68

Score
10/10
discoveryevasionpersistencespywarestealerthemidatrojan

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Executes dropped EXE 4 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe
    "C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\ProgramData\1545230.exe
      "C:\ProgramData\1545230.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3640
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 3640 -s 2296
        3⤵
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:3564
    • C:\ProgramData\769103.exe
      "C:\ProgramData\769103.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4148
      • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        3⤵
        • Executes dropped EXE
        PID:1928
    • C:\ProgramData\1982354.exe
      "C:\ProgramData\1982354.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4620
  • C:\Windows\System32\sihclient.exe
    C:\Windows\System32\sihclient.exe /cv dn8LwwbFRkCXo9mq/8woaw.0.2
    1⤵
    • Modifies data under HKEY_USERS
    PID:4856
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 448 -p 3640 -ip 3640
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:860
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    1⤵
    • Modifies data under HKEY_USERS
    PID:696
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
    1⤵
      PID:1176

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\1545230.exe
      MD5

      6452958f87d648cf539894e38e360832

      SHA1

      39e3b6b452edaaddeb2d76949e970794221f790e

      SHA256

      8798d0b92a795f695ccd661417d824bf5044dcfc948e9c1ccee5b345bbbcb074

      SHA512

      6d3788447dba7002a29784de66f37b9a913d3eb06955bdf6478c8866c7cc5cad45e8ab911a82801cc069de4e856e4c34ca3581a6e48f7287cf6a0419d5e99350

      Download Submit
    • C:\ProgramData\1545230.exe
      MD5

      6452958f87d648cf539894e38e360832

      SHA1

      39e3b6b452edaaddeb2d76949e970794221f790e

      SHA256

      8798d0b92a795f695ccd661417d824bf5044dcfc948e9c1ccee5b345bbbcb074

      SHA512

      6d3788447dba7002a29784de66f37b9a913d3eb06955bdf6478c8866c7cc5cad45e8ab911a82801cc069de4e856e4c34ca3581a6e48f7287cf6a0419d5e99350

      Download Submit
    • C:\ProgramData\1982354.exe
      MD5

      e443b3cad80895e17ec69b07afe14297

      SHA1

      193afa9c566dd40a62504e20d96f6f710eca6cf9

      SHA256

      358ad170b159e399c0086fce075d56abe680835b60e6c4c2e2ecc4e0caf1fa65

      SHA512

      d3391a01768b5651703c51ef3c6f73c822735a2b00c125f15316c428f7ea9079e14f00eb5c23ded937be64bb4283f24c0f0ff6d1cef2a8ad5016725c5016a0e9

      Download Submit
    • C:\ProgramData\1982354.exe
      MD5

      e443b3cad80895e17ec69b07afe14297

      SHA1

      193afa9c566dd40a62504e20d96f6f710eca6cf9

      SHA256

      358ad170b159e399c0086fce075d56abe680835b60e6c4c2e2ecc4e0caf1fa65

      SHA512

      d3391a01768b5651703c51ef3c6f73c822735a2b00c125f15316c428f7ea9079e14f00eb5c23ded937be64bb4283f24c0f0ff6d1cef2a8ad5016725c5016a0e9

      Download Submit
    • C:\ProgramData\769103.exe
      MD5

      b9295c5e9138ccf15d67771f3726c778

      SHA1

      40cd9d94e9913a52877f09f340a5c2604030409c

      SHA256

      8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292

      SHA512

      4e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08

      Download Submit
    • C:\ProgramData\769103.exe
      MD5

      b9295c5e9138ccf15d67771f3726c778

      SHA1

      40cd9d94e9913a52877f09f340a5c2604030409c

      SHA256

      8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292

      SHA512

      4e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08

      Download Submit
    • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      MD5

      b9295c5e9138ccf15d67771f3726c778

      SHA1

      40cd9d94e9913a52877f09f340a5c2604030409c

      SHA256

      8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292

      SHA512

      4e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08

      Download Submit
    • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      MD5

      b9295c5e9138ccf15d67771f3726c778

      SHA1

      40cd9d94e9913a52877f09f340a5c2604030409c

      SHA256

      8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292

      SHA512

      4e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08

      Download Submit
    • memory/696-213-0x000001FACD140000-0x000001FACD141000-memory.dmp
      Filesize

      4KB

      Download
    • memory/696-209-0x000001FACA860000-0x000001FACA870000-memory.dmp
      Filesize

      64KB

      Download
    • memory/696-215-0x000001FACCEB0000-0x000001FACCEB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/696-217-0x000001FACAB90000-0x000001FACAB91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/696-216-0x000001FACCEB0000-0x000001FACCEB4000-memory.dmp
      Filesize

      16KB

      Download
    • memory/696-214-0x000001FACCEC0000-0x000001FACCEC4000-memory.dmp
      Filesize

      16KB

      Download
    • memory/696-210-0x000001FACA8E0000-0x000001FACA8F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/696-212-0x000001FACD180000-0x000001FACD184000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1928-200-0x0000000005630000-0x0000000005631000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1928-179-0x0000000000000000-mapping.dmp
      Download
    • memory/1928-198-0x0000000005E20000-0x0000000005E21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-167-0x000000001C130000-0x000000001C131000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-166-0x000000001B490000-0x000000001B492000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3640-169-0x000000001C830000-0x000000001C831000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-157-0x0000000000FE0000-0x0000000000FE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-160-0x0000000001100000-0x0000000001101000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-152-0x00000000007F0000-0x00000000007F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-174-0x000000001C010000-0x000000001C011000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3640-149-0x0000000000000000-mapping.dmp
      Download
    • memory/3640-159-0x00000000029D0000-0x0000000002A1B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/4148-161-0x0000000000F10000-0x0000000000F11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4148-172-0x0000000003310000-0x0000000003311000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4148-154-0x0000000000000000-mapping.dmp
      Download
    • memory/4148-163-0x00000000058F0000-0x00000000058F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4148-164-0x0000000003280000-0x000000000328C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/4148-165-0x000000000A4D0000-0x000000000A4D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4148-168-0x0000000005B00000-0x0000000005B01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4620-191-0x00000000069D0000-0x00000000069D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4620-206-0x00000000080F0000-0x00000000080F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4620-197-0x0000000005F00000-0x0000000005F01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4620-178-0x0000000006120000-0x0000000006121000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4620-199-0x0000000005B00000-0x0000000006118000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4620-170-0x0000000000000000-mapping.dmp
      Download
    • memory/4620-201-0x0000000007B00000-0x0000000007B01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4620-202-0x0000000008200000-0x0000000008201000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4620-203-0x0000000007CD0000-0x0000000007CD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4620-194-0x0000000005E90000-0x0000000005E91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4620-207-0x0000000008730000-0x0000000008731000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4620-208-0x00000000088F0000-0x00000000088F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4620-188-0x0000000005BB0000-0x0000000005BB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4620-186-0x0000000005D90000-0x0000000005D91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4620-184-0x0000000005C80000-0x0000000005C81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4620-182-0x0000000005B50000-0x0000000005B51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4620-176-0x0000000000860000-0x0000000000861000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4852-158-0x00000000024E0000-0x00000000024E2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4852-146-0x0000000000330000-0x0000000000331000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4852-148-0x0000000000BF0000-0x0000000000C05000-memory.dmp
      Filesize

      84KB

      Download