Analysis
- max time kernel: 320s
- max time network: 1719s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 07-09-2021 18:08
Static task: static1
Behavioral tasks (task, sample, resource):
  behavioral1   keygen-step-1.exe              win11
  behavioral2   keygen-step-1.exe              win10v20210408
  behavioral3   keygen-step-1.exe              win10-en
  behavioral4   keygen-step-3.exe              win11
  behavioral5   keygen-step-3.exe              win10v20210408
  behavioral6   keygen-step-3.exe              win10-en
  behavioral7   keygen-step-4/Crack.exe        win11
  behavioral8   keygen-step-4/Crack.exe        win10v20210408
  behavioral9   keygen-step-4/Crack.exe        win10-en
  behavioral10  keygen-step-4/PBrowFile28.exe  win11
  behavioral11  keygen-step-4/PBrowFile28.exe  win10v20210408
  behavioral12  keygen-step-4/PBrowFile28.exe  win10-en
  behavioral13  keygen-step-4/Setup.exe        win11
  behavioral14  keygen-step-4/Setup.exe        win10v20210408
  behavioral15  keygen-step-4/Setup.exe        win10-en
  behavioral16  keygen-step-4/f2217e5f.exe     win11
  behavioral17  keygen-step-4/f2217e5f.exe     win10v20210408
  behavioral18  keygen-step-4/f2217e5f.exe     win10-en
  behavioral19  keygen-step-4/md1_1eaf.exe     win11
  behavioral20  keygen-step-4/md1_1eaf.exe     win10v20210408
  behavioral21  keygen-step-4/md1_1eaf.exe     win10-en
  behavioral22  keygen-step-4/ss.exe           win11
  behavioral23  keygen-step-4/ss.exe           win10v20210408  (this report)
  behavioral24  keygen-step-4/ss.exe           win10-en
  behavioral25  keygen-step-6.exe              win11
  behavioral26  keygen-step-6.exe              win10v20210408
  behavioral27  keygen-step-6.exe              win10-en
  behavioral28  keygen.bat                     win11
  behavioral29  keygen.bat                     win10v20210408
  behavioral30  keygen.bat                     win10-en
General
- Target: keygen-step-4/ss.exe
- Size: 100KB
- MD5: 9a6071c1a67be3fb247f857fe5903bbf
- SHA1: 4a2e14763c51537e8695014007eceaf391a3f600
- SHA256: 01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c
- SHA512: c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Executes dropped EXE 4 IoCs
  Processes (pid, process):
    3960 8163737.exe
    3976 3669655.exe
    824 4912294.exe
    2132 WinHoster.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4912294.exe
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4912294.exe
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Themida packer detected (yara_rule: themida) 3 IoCs
  Processes (resource, yara_rule):
    C:\ProgramData\4912294.exe themida
    C:\ProgramData\4912294.exe themida
    behavioral23/memory/824-136-0x0000000000A10000-0x0000000000A11000-memory.dmp themida
- Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
- Adds Run key to start application 2 TTPs 1 IoC
  Processes (description, ioc, process):
    Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 3669655.exe
- Checks installed software on the system 1 TTP
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled 1 IoC
  Processes (description, ioc, process):
    Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 4912294.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoC
  ThreadHideFromDebugger stops debug events from the calling thread reaching an attached debugger; it is a common anti-debug step and fits the Themida match on the same process.
  Processes (pid, process):
    824 4912294.exe
- Enumerates physical storage devices 1 TTP
  Attempts to interact with connected storage/optical drive(s). Triage's generic description calls this likely ransomware behaviour; read together with the browser-data and wallet signatures on this sample, it is at least as consistent with an infostealer enumerating volumes to search.
- Program crash 1 IoC
  Processes (pid, pid_target, process, target process):
    676 3960 WerFault.exe 8163737.exe
- Suspicious behavior: EnumeratesProcesses 18 IoCs
  Processes (pid, process, count):
    3960 8163737.exe (1)
    676 WerFault.exe (15)
    824 4912294.exe (2)
- Suspicious use of AdjustPrivilegeToken 4 IoCs
  Processes (description, pid, process):
    Token: SeDebugPrivilege 396 ss.exe
    Token: SeDebugPrivilege 3960 8163737.exe
    Token: SeDebugPrivilege 676 WerFault.exe
    Token: SeDebugPrivilege 824 4912294.exe
- Suspicious use of WriteProcessMemory 11 IoCs
  Processes (description, pid, process, target process; count):
    PID 396 wrote to memory of 3960 (ss.exe -> 8163737.exe) x2
    PID 396 wrote to memory of 3976 (ss.exe -> 3669655.exe) x3
    PID 396 wrote to memory of 824 (ss.exe -> 4912294.exe) x3
    PID 3976 wrote to memory of 2132 (3669655.exe -> WinHoster.exe) x3
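The registry rows above (the two BIOS version reads, the EnableLUA query and the Run key write) are the ones a detection engineer would turn into rules. The Python below is an added example written for this report; it is not Triage's code and not part of the sample. It rewrites the sandbox's \REGISTRY\MACHINE and \REGISTRY\USER\<SID> paths to the HKLM and HKU form Sysmon logs, classifies each event with an ATT&CK technique, and marks Run-key targets that point into user-writable directories. The events are constructed from this report's IoC rows, plus two hypothetical benign entries (explorer.exe reading a Run value, an installer writing a Program Files path) to show what is left unflagged.

```python
"""Classify sandbox registry IoCs into ATT&CK-tagged findings.

Added example for this report; not Triage code and not part of the sample.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RegistryIoc:
    action: str          # "queried" (read) or "set" (write)
    key: str             # key path in the sandbox's \REGISTRY\... form
    process: str         # image name of the acting process
    value: str = ""      # data written, for "set" events, as the report prints it


@dataclass(frozen=True)
class Finding:
    technique: str       # MITRE ATT&CK technique ID
    label: str
    key: str             # normalised HKLM/HKU path
    process: str


def normalize_key(key: str) -> str:
    """Rewrite \\REGISTRY\\MACHINE and \\REGISTRY\\USER to the HKLM / HKU form Sysmon logs."""
    key = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", key, flags=re.IGNORECASE)
    key = re.sub(r"^\\REGISTRY\\USER", "HKU", key, flags=re.IGNORECASE)
    return key


def unquote_value(value: str) -> str:
    """Strip the surrounding quotes and doubled backslashes the report uses for string values."""
    return value.replace("\\\\", "\\").strip().strip('"')


# HKLM\HARDWARE\DESCRIPTION\System values commonly read to fingerprint VirtualBox/VMware/QEMU.
_BIOS_VALUES = {
    r"hklm\hardware\description\system\systembiosversion",
    r"hklm\hardware\description\system\videobiosversion",
}
_UAC_VALUE = r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua"
# Per-machine Run/RunOnce or a per-user hive addressed by SID (matched against the lowercased key).
_RUN_KEY_RE = re.compile(
    r"^(hklm|hku\\s-1-5-21-\d+-\d+-\d+-\d+)\\software\\microsoft\\windows\\currentversion\\run(once)?\\"
)
# Locations a standard user can write to; an autostart entry pointing here deserves a closer look.
_USER_WRITABLE_RE = re.compile(r"\\(appdata|programdata|temp|users\\public)\\")


def classify(iocs: List[RegistryIoc]) -> List[Finding]:
    findings: List[Finding] = []
    for ioc in iocs:
        key = normalize_key(ioc.key)
        low = key.lower()
        if ioc.action == "queried" and low in _BIOS_VALUES:
            findings.append(Finding("T1497", "anti-sandbox: BIOS version read", key, ioc.process))
        elif ioc.action == "queried" and low == _UAC_VALUE:
            findings.append(Finding("T1082", "UAC status check (EnableLUA)", key, ioc.process))
        elif ioc.action == "set" and _RUN_KEY_RE.match(low):
            label = "persistence: Run key"
            if _USER_WRITABLE_RE.search(unquote_value(ioc.value).lower()):
                label += " -> user-writable path"
            findings.append(Finding("T1547.001", label, key, ioc.process))
    return findings


# Constructed from this report's IoC rows, plus two hypothetical benign events at the end.
SAMPLE_IOCS = [
    RegistryIoc("queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "4912294.exe"),
    RegistryIoc("queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", "4912294.exe"),
    RegistryIoc("queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
                "4912294.exe"),
    RegistryIoc("set",
                r"\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost",
                "3669655.exe",
                r'"C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"'),
    # hypothetical: a read of a Run value is not a persistence write
    RegistryIoc("queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
                "explorer.exe"),
    # hypothetical: an installer registering a Program Files binary
    RegistryIoc("set", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                "msiexec.exe", r'"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"'),
]


if __name__ == "__main__":
    for f in classify(SAMPLE_IOCS):
        print(f"{f.technique:10} {f.process:14} {f.label}: {f.key}")
```

The BIOS version values are also read by legitimate inventory and WMI tooling, so a production rule should require the read together with another evasion artefact on the same process (here, the ThreadHideFromDebugger call and the Themida match on 4912294.exe) rather than alert on the read alone.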
Processes
- C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe (PID 396)
  command line: "C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe"
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\ProgramData\8163737.exe (PID 3960)
    command line: "C:\ProgramData\8163737.exe"
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\WerFault.exe (PID 676)
      command line: C:\Windows\system32\WerFault.exe -u -p 3960 -s 2036
      signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\3669655.exe (PID 3976)
    command line: "C:\ProgramData\3669655.exe"
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe (PID 2132)
      command line: "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      signatures: Executes dropped EXE
  - C:\ProgramData\4912294.exe (PID 824)
    command line: "C:\ProgramData\4912294.exe"
    signatures: Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
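Every one of the eleven "wrote to memory of" rows is a parent writing into a process it has just created, which is what CreateProcess does when it pushes the process parameters into the new child, so the WriteProcessMemory signature fires on plain spawning. The Python below is an added example written for this report, not Triage's code and not part of the sample: it rebuilds the tree from the PIDs listed above, renders it, and separates spawn-time writes into a direct child from writes into any other process, which is the pattern that actually points at injection. The extra write from 4912294.exe into WinHoster.exe in the usage block is hypothetical and exists only to show the flagged path.

```python
"""Rebuild a sandbox process tree and separate spawn-time memory writes from cross-process ones.

Added example for this report; not Triage code and not part of the sample.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None for the root of the tree
    image: str


@dataclass(frozen=True)
class MemWrite:
    writer: int           # PID that called WriteProcessMemory
    target: int           # PID whose memory was written


# Constructed from the report's Processes section (PID, parent PID, image).
PROCESSES = [
    Proc(396, None, r"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe"),
    Proc(3960, 396, r"C:\ProgramData\8163737.exe"),
    Proc(676, 3960, r"C:\Windows\system32\WerFault.exe"),
    Proc(3976, 396, r"C:\ProgramData\3669655.exe"),
    Proc(2132, 3976, r"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"),
    Proc(824, 396, r"C:\ProgramData\4912294.exe"),
]

# The eleven "wrote to memory of" rows from the WriteProcessMemory signature.
WRITES = (
    [MemWrite(396, 3960)] * 2
    + [MemWrite(396, 3976)] * 3
    + [MemWrite(396, 824)] * 3
    + [MemWrite(3976, 2132)] * 3
)


def render_tree(procs: List[Proc]) -> List[str]:
    """Indented one-line-per-process view, children in the order they were listed."""
    children: Dict[Optional[int], List[Proc]] = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    lines: List[str] = []

    def walk(ppid: Optional[int], depth: int) -> None:
        for p in children.get(ppid, []):
            lines.append("  " * depth + f"{p.image} (PID {p.pid})")
            walk(p.pid, depth + 1)

    walk(None, 0)
    return lines


def classify_writes(
    procs: List[Proc], writes: List[MemWrite]
) -> Tuple[Dict[Tuple[int, int], int], List[MemWrite]]:
    """Split writes into per-(writer, child) spawn-time counts and writes into non-child processes.

    A parent always writes into a process it has just created (CreateProcess pushes the
    process parameters into the child), so those rows are expected. A write whose target
    is not the writer's direct child has no such explanation and is the injection candidate.
    """
    parent = {p.pid: p.ppid for p in procs}
    spawn: Dict[Tuple[int, int], int] = defaultdict(int)
    suspicious: List[MemWrite] = []
    for w in writes:
        if parent.get(w.target) == w.writer:
            spawn[(w.writer, w.target)] += 1
        else:
            suspicious.append(w)
    return dict(spawn), suspicious


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    spawn, suspicious = classify_writes(PROCESSES, WRITES)
    print("spawn-time writes:", spawn)            # all eleven rows land here
    print("cross-process writes:", suspicious)    # empty for this report
    # Hypothetical extra row (not in the report): 4912294.exe writing into WinHoster.exe,
    # which is not its child, to show what the flagged path looks like.
    _, flagged = classify_writes(PROCESSES, WRITES + [MemWrite(824, 2132)])
    print("with hypothetical injection:", flagged)
```

The parent-to-child split removes the spawn noise but cannot see process hollowing, which is also a parent writing into its own freshly created child; for that case look at whether the child was created suspended and whether the parent followed the writes with NtUnmapViewOfSection, SetThreadContext or ResumeThread on it.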
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\ProgramData\3669655.exe
  MD5: b9295c5e9138ccf15d67771f3726c778
  SHA1: 40cd9d94e9913a52877f09f340a5c2604030409c
  SHA256: 8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292
  SHA512: 4e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08
- C:\ProgramData\4912294.exe
  MD5: e443b3cad80895e17ec69b07afe14297
  SHA1: 193afa9c566dd40a62504e20d96f6f710eca6cf9
  SHA256: 358ad170b159e399c0086fce075d56abe680835b60e6c4c2e2ecc4e0caf1fa65
  SHA512: d3391a01768b5651703c51ef3c6f73c822735a2b00c125f15316c428f7ea9079e14f00eb5c23ded937be64bb4283f24c0f0ff6d1cef2a8ad5016725c5016a0e9
- C:\ProgramData\8163737.exe
  MD5: 6452958f87d648cf539894e38e360832
  SHA1: 39e3b6b452edaaddeb2d76949e970794221f790e
  SHA256: 8798d0b92a795f695ccd661417d824bf5044dcfc948e9c1ccee5b345bbbcb074
  SHA512: 6d3788447dba7002a29784de66f37b9a913d3eb06955bdf6478c8866c7cc5cad45e8ab911a82801cc069de4e856e4c34ca3581a6e48f7287cf6a0419d5e99350
- C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
  MD5: b9295c5e9138ccf15d67771f3726c778
  SHA1: 40cd9d94e9913a52877f09f340a5c2604030409c
  SHA256: 8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292
  SHA512: 4e1d7e74be77d151b79024db20f3427c53ddf0557bbccd71b93750514462b5d2d2130948c668b05e66cf4098a56ad34c75ec7d1bd2e21e1c0bda01f7f4345f08
  All four digests match C:\ProgramData\3669655.exe: that dropper copies itself into the WinHost directory and registers the copy under the Run key, so one hash set covers both the drop and the persisted binary.
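The Downloads table lists the same hash set under two paths, C:\ProgramData\3669655.exe and the Run-key target WinHoster.exe. The Python below is an added example written for this report, not Triage's code and not part of the sample: it validates the hash fields, groups the dropped files by SHA256 so copies stand out, and walks from the Run-key value (as the report prints it, quoted with doubled backslashes) back to the original drop. The records are copied from this report with SHA512 left out; hashes_of is there to produce the same three digests for a file pulled from a host.

```python
"""Correlate the report's dropped files with the Run-key persistence target.

Added example for this report; not Triage code and not part of the sample.
"""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Dropped:
    path: str
    md5: str
    sha1: str
    sha256: str


# Copied from the report's Downloads table; SHA512 omitted, duplicate rows collapsed.
DROPPED = [
    Dropped(r"C:\ProgramData\3669655.exe",
            "b9295c5e9138ccf15d67771f3726c778",
            "40cd9d94e9913a52877f09f340a5c2604030409c",
            "8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292"),
    Dropped(r"C:\ProgramData\4912294.exe",
            "e443b3cad80895e17ec69b07afe14297",
            "193afa9c566dd40a62504e20d96f6f710eca6cf9",
            "358ad170b159e399c0086fce075d56abe680835b60e6c4c2e2ecc4e0caf1fa65"),
    Dropped(r"C:\ProgramData\8163737.exe",
            "6452958f87d648cf539894e38e360832",
            "39e3b6b452edaaddeb2d76949e970794221f790e",
            "8798d0b92a795f695ccd661417d824bf5044dcfc948e9c1ccee5b345bbbcb074"),
    Dropped(r"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe",
            "b9295c5e9138ccf15d67771f3726c778",
            "40cd9d94e9913a52877f09f340a5c2604030409c",
            "8c4a2330010cdb34faf9f565943736d0bb9d21eb96a67ccc20c246cfe13e6292"),
]
# The Run key data exactly as the report prints it (quoted, backslashes doubled).
RUN_KEY_VALUE = r'"C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"'

_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def validate(d: Dropped) -> List[str]:
    """Names of hash fields that are not lowercase hex of the expected length."""
    return [name for name, n in _HEX_LEN.items()
            if not re.fullmatch(r"[0-9a-f]{%d}" % n, getattr(d, name))]


def duplicates_by_sha256(drops: List[Dropped]) -> Dict[str, List[str]]:
    """SHA256 -> paths, for every hash that appears under more than one path."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for d in drops:
        groups[d.sha256].append(d.path)
    return {h: paths for h, paths in groups.items() if len(paths) > 1}


def unquote_run_value(value: str) -> str:
    """Undo the report's quoting of a REG_SZ value so it compares equal to a file path."""
    return value.replace("\\\\", "\\").strip().strip('"')


def persistence_origin(run_value: str, drops: List[Dropped]) -> Optional[List[str]]:
    """Other dropped paths carrying the same SHA256 as the Run-key target, or None when the
    target is not among the dropped files at all."""
    target = unquote_run_value(run_value).lower()
    by_path = {d.path.lower(): d for d in drops}
    hit = by_path.get(target)
    if hit is None:
        return None
    return sorted(d.path for d in drops if d.sha256 == hit.sha256 and d.path.lower() != target)


def hashes_of(data: bytes) -> Dict[str, str]:
    """The same three digests the report lists, for a file collected from a host."""
    return {name: getattr(hashlib, name)(data).hexdigest() for name in _HEX_LEN}


if __name__ == "__main__":
    for d in DROPPED:
        assert not validate(d), d.path
    print(duplicates_by_sha256(DROPPED))
    print(persistence_origin(RUN_KEY_VALUE, DROPPED))
```

Matching on the SHA256 rather than the file name is the point: the persisted copy has a different name and directory from the drop, and an IoC list keyed by path would treat them as two binaries.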
Memory dumps:
- memory/396-116-0x00000000007F0000-0x0000000000805000-memory.dmp (84KB)
- memory/396-117-0x0000000000820000-0x0000000000822000-memory.dmp (8KB)
- memory/396-114-0x00000000002F0000-0x00000000002F1000-memory.dmp (4KB)
- memory/824-166-0x00000000079E0000-0x00000000079E1000-memory.dmp (4KB)
- memory/824-143-0x0000000005BE0000-0x0000000005BE1000-memory.dmp (4KB)
- memory/824-129-0x0000000000000000-mapping.dmp
- memory/824-164-0x00000000075D0000-0x00000000075D1000-memory.dmp (4KB)
- memory/824-162-0x0000000007650000-0x0000000007651000-memory.dmp (4KB)
- memory/824-147-0x0000000005B30000-0x0000000006136000-memory.dmp (6.0MB)
- memory/824-133-0x00000000776B0000-0x000000007783E000-memory.dmp (1.6MB)
- memory/824-136-0x0000000000A10000-0x0000000000A11000-memory.dmp (4KB)
- memory/824-169-0x0000000007CC0000-0x0000000007CC1000-memory.dmp (4KB)
- memory/824-160-0x0000000005C90000-0x0000000005C91000-memory.dmp (4KB)
- memory/824-145-0x0000000005D10000-0x0000000005D11000-memory.dmp (4KB)
- memory/824-151-0x0000000005C50000-0x0000000005C51000-memory.dmp (4KB)
- memory/824-142-0x0000000006140000-0x0000000006141000-memory.dmp (4KB)
- memory/824-163-0x0000000007D50000-0x0000000007D51000-memory.dmp (4KB)
- memory/824-168-0x0000000007AC0000-0x0000000007AC1000-memory.dmp (4KB)
- memory/2132-159-0x0000000005310000-0x0000000005311000-memory.dmp (4KB)
- memory/2132-161-0x0000000005A30000-0x0000000005A31000-memory.dmp (4KB)
- memory/2132-148-0x0000000000000000-mapping.dmp
- memory/3960-126-0x00000000013E0000-0x000000000142B000-memory.dmp (300KB)
- memory/3960-131-0x000000001BC30000-0x000000001BC32000-memory.dmp (8KB)
- memory/3960-127-0x00000000016C0000-0x00000000016C1000-memory.dmp (4KB)
- memory/3960-125-0x00000000012D0000-0x00000000012D1000-memory.dmp (4KB)
- memory/3960-121-0x0000000000DA0000-0x0000000000DA1000-memory.dmp (4KB)
- memory/3960-118-0x0000000000000000-mapping.dmp
- memory/3976-146-0x000000000A0C0000-0x000000000A0C1000-memory.dmp (4KB)
- memory/3976-144-0x000000000A0D0000-0x000000000A0D1000-memory.dmp (4KB)
- memory/3976-141-0x000000000A530000-0x000000000A531000-memory.dmp (4KB)
- memory/3976-140-0x00000000025F0000-0x00000000025FC000-memory.dmp (48KB)
- memory/3976-139-0x0000000000D30000-0x0000000000D31000-memory.dmp (4KB)
- memory/3976-135-0x0000000000380000-0x0000000000381000-memory.dmp (4KB)
- memory/3976-122-0x0000000000000000-mapping.dmp