Overview

Overall score: 10

Sample                           Platform        Score
Static analysis                  -               10
keygen-step-1.exe                windows11_x64   10
keygen-step-1.exe                windows10_x64   10
keygen-step-1.exe                windows10_x64   10
keygen-step-3.exe                windows11_x64   10
keygen-step-3.exe                windows10_x64   8
keygen-step-3.exe                windows10_x64   8
keygen-step-4/Crack.exe          windows11_x64   10
keygen-step-4/Crack.exe          windows10_x64   10
keygen-step-4/Crack.exe          windows10_x64   10
keygen-step-4/PBrowFile28.exe    windows11_x64   10
keygen-step-4/PBrowFile28.exe    windows10_x64   10
keygen-step-4/PBrowFile28.exe    windows10_x64   10
keygen-step-4/Setup.exe          windows11_x64   10
keygen-step-4/Setup.exe          windows10_x64   10
keygen-step-4/Setup.exe          windows10_x64   10
keygen-step-4/f2217e5f.exe       windows11_x64   10
keygen-step-4/f2217e5f.exe       windows10_x64   - (no score shown)
keygen-step-4/f2217e5f.exe       windows10_x64   10
keygen-step-4/md1_1eaf.exe       windows11_x64   7
keygen-step-4/md1_1eaf.exe       windows10_x64   7
keygen-step-4/md1_1eaf.exe       windows10_x64   7
keygen-step-4/ss.exe             windows11_x64   10
keygen-step-4/ss.exe             windows10_x64   9
keygen-step-4/ss.exe             windows10_x64   9
keygen-step-6.exe                windows11_x64   6
keygen-step-6.exe                windows10_x64   6
keygen-step-6.exe                windows10_x64   6
keygen.bat                       windows11_x64   10
keygen.bat                       windows10_x64   10
keygen.bat                       windows10_x64   10

Each sample was run three times (one windows11_x64 and two windows10_x64 images). The report below is the keygen-step-6.exe run on windows11_x64, the lowest-scoring sample in the set.
Analysis

max time kernel:   874s
max time network:  1588s
platform:          windows11_x64
resource:          win11
submitted:         07-09-2021 18:08
Tasks

Task           Sample                          Resource
static1        (static analysis)               -
behavioral1    keygen-step-1.exe               win11
behavioral2    keygen-step-1.exe               win10v20210408
behavioral3    keygen-step-1.exe               win10-en
behavioral4    keygen-step-3.exe               win11
behavioral5    keygen-step-3.exe               win10v20210408
behavioral6    keygen-step-3.exe               win10-en
behavioral7    keygen-step-4/Crack.exe         win11
behavioral8    keygen-step-4/Crack.exe         win10v20210408
behavioral9    keygen-step-4/Crack.exe         win10-en
behavioral10   keygen-step-4/PBrowFile28.exe   win11
behavioral11   keygen-step-4/PBrowFile28.exe   win10v20210408
behavioral12   keygen-step-4/PBrowFile28.exe   win10-en
behavioral13   keygen-step-4/Setup.exe         win11
behavioral14   keygen-step-4/Setup.exe         win10v20210408
behavioral15   keygen-step-4/Setup.exe         win10-en
behavioral16   keygen-step-4/f2217e5f.exe      win11
behavioral17   keygen-step-4/f2217e5f.exe      win10v20210408
behavioral18   keygen-step-4/f2217e5f.exe      win10-en
behavioral19   keygen-step-4/md1_1eaf.exe      win11
behavioral20   keygen-step-4/md1_1eaf.exe      win10v20210408
behavioral21   keygen-step-4/md1_1eaf.exe      win10-en
behavioral22   keygen-step-4/ss.exe            win11
behavioral23   keygen-step-4/ss.exe            win10v20210408
behavioral24   keygen-step-4/ss.exe            win10-en
behavioral25   keygen-step-6.exe               win11
behavioral26   keygen-step-6.exe               win10v20210408
behavioral27   keygen-step-6.exe               win10-en
behavioral28   keygen.bat                      win11
behavioral29   keygen.bat                      win10v20210408
behavioral30   keygen.bat                      win10-en
General

Target:  keygen-step-6.exe
Size:    267KB
MD5:     093bc5ebd2d2a39d84c1d35fbd2d9efa
SHA1:    e028ca17fe2c7cbf7ad234b28cd50ad2c7c440e5
SHA256:  ee2994ea7f202516db816f85f23aac0a13ec32743d0555f81d68568bb40f4811
SHA512:  da58e87b099d520f02715ffcf6b50e2a586b6baec5b64d5ee39fb4c4a81ee9b8c18c8e341ee8befcf9048088661d7f182a937a7948aacfac926f1710fa77bcfa
Malware Config

No configuration was extracted for this sample.

Signatures

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
No IoCs of its own; it is raised by the ip-api.com lookup below.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 3   ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic wording for the signature. Nothing else in this run (the process tree below, no dropped files, no file-system IoCs) shows encryption activity, so read it as a heuristic hit, not a ransomware verdict.

Modifies data under HKEY_USERS (43 IoCs)
All 43 keys are created by sihclient.exe and svchost.exe. Both appear as separate root processes in the process list below and are not children of keygen-step-6.exe; the keys are the per-user certificate store under .DEFAULT and the MUI cache and proxy settings under S-1-5-19 (LOCAL SERVICE) that Windows components initialise on their own. They are sandbox background activity, not behaviour of the sample.

sihclient.exe, 24 keys under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\:
  CA, CA\Certificates, CA\CRLs, CA\CTLs
  Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs
  Root, Root\Certificates, Root\CRLs, Root\CTLs
  SmartCardRoot, SmartCardRoot\Certificates, SmartCardRoot\CRLs, SmartCardRoot\CTLs
  TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs
  trust, trust\Certificates, trust\CRLs, trust\CTLs

sihclient.exe, 16 keys under \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\:
  CA, CA\Certificates, CA\CRLs, CA\CTLs
  Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs
  TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs
  trust, trust\Certificates, trust\CRLs, trust\CTLs

svchost.exe, 3 keys:
  \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache
  \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E
  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2412 keygen-step-6.exe  wrote to memory of  PID 572  cmd.exe    (logged 3 times)
  PID 572  cmd.exe            wrote to memory of  PID 1440 PING.EXE   (logged 3 times)
Both targets are the direct child each process had just created. Writes from a parent into a child it is starting happen as part of process creation; this is not injection into an existing process, and the signature should be weighted accordingly.
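The HKEY_USERS and WriteProcessMemory signatures above only mean something once each IoC is tied to the process that raised it and that process is placed in the tree. The script below is an added example written for this page, not sandbox output and not code from the sample: it rebuilds parent/child relations from the report's depth markers, treats the first root as the submitted sample, and splits IoCs into those raised inside the sample's tree and those raised by unrelated roots. The process entries and the three registry IoCs are transcribed from this report; matching on image name rather than PID is a simplification (an assumption), since the report gives PIDs only for the WriteProcessMemory events.

```python
"""Attribute sandbox IoCs to the submitted sample's process tree.

Added example for this page; not sandbox output and not code from the sample.
"""
from collections import defaultdict

# (depth, image name, command line) in the order the report lists them.
# The depth is the report's "N" arrow marker: depth-1 entries are roots,
# deeper entries hang off the most recent entry one level shallower.
PROCESS_LIST = [
    (1, "keygen-step-6.exe", r'"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"'),
    (2, "cmd.exe", r'"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL'),
    (3, "PING.EXE", "ping 127.0.0.1"),
    (1, "sihclient.exe", r"C:\Windows\System32\sihclient.exe /cv bIwyp2o330q1fggh9KFnew.0.2"),
    (1, "svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"),
    (1, "svchost.exe", r"C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV"),
]

# (process name, registry key): three of the report's 43 HKEY_USERS IoCs.
REGISTRY_IOCS = [
    ("sihclient.exe", r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA"),
    ("sihclient.exe", r"\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs"),
    ("svchost.exe", r"\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache"),
]


def build_tree(process_list):
    """Return nodes {"image", "cmdline", "parent", "root"} built from the depth
    markers. A stack of the current ancestry gives each entry its parent."""
    nodes, stack = [], []
    for depth, image, cmdline in process_list:
        while len(stack) >= depth:      # climb back to the level above this entry
            stack.pop()
        parent = stack[-1] if stack else None
        node = {"image": image, "cmdline": cmdline, "parent": parent}
        node["root"] = node if parent is None else parent["root"]
        nodes.append(node)
        stack.append(node)
    return nodes


def sample_tree_images(process_list):
    """Lower-cased image names reachable from the first root, i.e. the sample."""
    nodes = build_tree(process_list)
    sample_root = nodes[0]
    return {n["image"].lower() for n in nodes if n["root"] is sample_root}


def attribute_iocs(process_list, iocs):
    """Bucket IoCs as 'sample' (raised inside the sample's tree) or
    'background' (raised by a root the sample never spawned)."""
    in_tree = sample_tree_images(process_list)
    buckets = defaultdict(list)
    for proc, key in iocs:
        bucket = "sample" if proc.lower() in in_tree else "background"
        buckets[bucket].append((proc, key))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in attribute_iocs(PROCESS_LIST, REGISTRY_IOCS).items():
        print(f"{bucket}: {len(items)} IoC(s)")
        for proc, key in items:
            print(f"  {proc}  {key}")
```

For this report every HKEY_USERS IoC lands in the background bucket, which is the point: the only processes the sample touched are cmd.exe and PING.EXE. When a report does give PIDs for each IoC, key the lookup on PID instead of image name, because a name like svchost.exe is shared by many unrelated processes.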
Processes

keygen-step-6.exe (PID 2412)
    C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
    "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"
    - Suspicious use of WriteProcessMemory
  cmd.exe (PID 572)
      C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL
      - Suspicious use of WriteProcessMemory
    PING.EXE (PID 1440)
        C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        - Runs ping.exe

sihclient.exe
    C:\Windows\System32\sihclient.exe /cv bIwyp2o330q1fggh9KFnew.0.2
    - Modifies data under HKEY_USERS

svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    - Modifies data under HKEY_USERS

svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

The three entries at the bottom are roots of their own, not descendants of keygen-step-6.exe. The only behaviour attributable to the sample in this run is self-deletion: it spawns cmd.exe, which pings loopback (four echo requests by default, roughly three seconds) so that the parent has exited and released the lock on its image file, then deletes the executable; ">> NUL" only silences del's output. The sample asked for C:\Windows\system32\cmd.exe but got C:\Windows\SysWOW64\cmd.exe, which is WoW64 file-system redirection, so keygen-step-6.exe is a 32-bit executable (the 0x00DE0000 dump address for PID 2412 under Downloads is consistent with that). Whatever earlier stages did (the keygen-step-1, -3 and -4 samples score higher in the Overview), this binary leaves nothing behind on disk.
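The cmd.exe line in the tree is the whole of what this sample did in the sandbox, and it is a reusable detection opportunity: a child cmd.exe that delays and then deletes its parent's own image. The Python below is an added example for this page, not code from the sandbox or from the sample. It evaluates process-creation events with Sysmon event 1 field names (ParentImage, Image, CommandLine), which is an assumption about the telemetry source; the first event is the command line observed in this report, the other three are constructed. It generalises beyond the page by also accepting timeout and choice as the delay primitive and del switches such as /f /q.

```python
"""Flag "wait, then delete my own image" command lines in process telemetry.

Added example for this page; not sandbox output and not code from the sample.
Field names follow Sysmon event 1 (an assumption about the telemetry source).
"""
import re

# Delay primitives seen in front of the delete. Ping to loopback is what this
# report shows; timeout and choice are common alternatives (assumption).
DELAY_RE = re.compile(
    r"\b(?:ping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost|::1)"
    r"|timeout(?:\.exe)?\s+(?:/t\s+)?\d+"
    r"|choice(?:\.exe)?\s+/t\s+\d+)",
    re.IGNORECASE,
)
# The path argument of del/erase, quoted or bare, after optional switches.
DEL_RE = re.compile(r'\b(?:del|erase)\b\s+(?:/[a-z]\s+)*("[^"]+"|\S+)', re.IGNORECASE)
CMD_RE = re.compile(r"\bcmd(?:\.exe)?\b", re.IGNORECASE)


def _norm(path):
    """Normalise a Windows path for comparison: drop quotes, unify slashes, lowercase."""
    return path.strip('"').replace("/", "\\").lower()


def is_self_delete(parent_image, command_line):
    """True when a cmd.exe command line waits and then deletes the image of the
    process that launched it. The wait is the tell: Windows refuses to delete
    an executable that is still running, so the parent must exit first."""
    if not CMD_RE.search(command_line) or not DELAY_RE.search(command_line):
        return False
    return any(_norm(m.group(1)) == _norm(parent_image)
               for m in DEL_RE.finditer(command_line))


def scan(events):
    """Return the parent images that deleted themselves, in event order."""
    return [e["ParentImage"] for e in events
            if is_self_delete(e["ParentImage"], e["CommandLine"])]


# Constructed events. The first is the command line observed in this report.
EVENTS = [
    {"ParentImage": r"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL'},
    {"ParentImage": r"C:\Users\Admin\Downloads\setup.exe",   # constructed: timeout variant
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c timeout /t 3 & del /f /q C:\Users\Admin\Downloads\setup.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",              # constructed: benign ping + del
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c ping 127.0.0.1 && del C:\temp\old.log"},
    {"ParentImage": r"C:\Users\Admin\Downloads\x.exe",       # constructed: no delay, would fail
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c del C:\Users\Admin\Downloads\x.exe"},
]

if __name__ == "__main__":
    for parent in scan(EVENTS):
        print("self-delete:", parent)
```

Only the first two events fire. The third shows why the delete target has to be compared with the parent image rather than just matching "ping && del": an operator deleting a log file after a ping is the same shape of command line. Bare paths containing spaces are not handled by the `\S+` branch; quoted paths, which is what this sample used, are.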
Network

The only flow recorded against this run is flow 3 to ip-api.com (see the IP lookup signature above).

MITRE ATT&CK Matrix (ATT&CK v6)

Downloads
File                                                               Size
memory/572-159-0x0000000000000000-mapping.dmp                      -
memory/1440-160-0x0000000000000000-mapping.dmp                     -
memory/2412-146-0x0000000000DE0000-0x0000000000DF8000-memory.dmp   96KB
memory/4192-150-0x0000026BE7270000-0x0000026BE7280000-memory.dmp   64KB
memory/4192-151-0x0000026BE72F0000-0x0000026BE7300000-memory.dmp   64KB
memory/4192-152-0x0000026BE98F0000-0x0000026BE98F4000-memory.dmp   16KB
memory/4192-153-0x0000026BE9BE0000-0x0000026BE9BE4000-memory.dmp   16KB
memory/4192-154-0x0000026BE9BA0000-0x0000026BE9BA1000-memory.dmp   4KB
memory/4192-155-0x0000026BE9920000-0x0000026BE9924000-memory.dmp   16KB
memory/4192-156-0x0000026BE9910000-0x0000026BE9911000-memory.dmp   4KB
memory/4192-157-0x0000026BE9910000-0x0000026BE9914000-memory.dmp   16KB
memory/4192-158-0x0000026BE75F0000-0x0000026BE75F1000-memory.dmp   4KB

The 96KB dump for PID 2412 (keygen-step-6.exe) is the one worth pulling if you want to look at the sample's unpacked code; its 0x00DE0000 base is a 32-bit user-mode address. PID 4192 does not appear in the process list above, and its 0x0000026B... ranges are 64-bit addresses, so those dumps come from one of the 64-bit background processes rather than from the sample. The two mapping.dmp entries for PIDs 572 and 1440 (cmd.exe and PING.EXE) carry no size and record only the module mapping.