Overview

Overall score: 10. Static analysis score: 10.

Thirteen files from the keygen bundle were each run on windows7_x64 and windows10_x64, giving 26 behavioral tasks. The task reported on this page is behavioral18: keygen-step-4/low.exe on windows10_x64. Per-task scores and sandbox images:

Task          Sample                            Platform        Resource           Score
behavioral1   keygen-step-1.exe                 windows7_x64    win7-en-20211014   10
behavioral2   keygen-step-1.exe                 windows10_x64   win10-en-20210920  10
behavioral3   keygen-step-3.exe                 windows7_x64    win7-en-20211014   1
behavioral4   keygen-step-3.exe                 windows10_x64   win10-en-20210920  7
behavioral5   keygen-step-4.exe                 windows7_x64    win7-en-20210920   8
behavioral6   keygen-step-4.exe                 windows10_x64   win10-en-20211014  10
behavioral7   keygen-step-4/Crack.exe           windows7_x64    win7-en-20210920   3
behavioral8   keygen-step-4/Crack.exe           windows10_x64   win10-en-20211014  10
behavioral9   keygen-step-4/DownFlSetup133.exe  windows7_x64    win7-en-20210920   9
behavioral10  keygen-step-4/DownFlSetup133.exe  windows10_x64   win10-en-20211014  9
behavioral11  keygen-step-4/IDWCH1.exe          windows7_x64    win7-en-20210920   8
behavioral12  keygen-step-4/IDWCH1.exe          windows10_x64   win10-en-20210920  8
behavioral13  keygen-step-4/Install.exe         windows7_x64    win7-en-20211014   (no score shown)
behavioral14  keygen-step-4/Install.exe         windows10_x64   win10-en-20210920  10
behavioral15  keygen-step-4/Setup.exe           windows7_x64    win7-en-20211014   10
behavioral16  keygen-step-4/Setup.exe           windows10_x64   win10-en-20210920  10
behavioral17  keygen-step-4/low.exe             windows7_x64    win7-en-20211014   10
behavioral18  keygen-step-4/low.exe             windows10_x64   win10-en-20210920  10  (this report)
behavioral19  keygen-step-4/md1_1eaf.exe        windows7_x64    win7-en-20210920   7
behavioral20  keygen-step-4/md1_1eaf.exe        windows10_x64   win10-en-20211014  7
behavioral21  keygen-step-4/pub1.exe            windows7_x64    win7-en-20210920   10
behavioral22  keygen-step-4/pub1.exe            windows10_x64   win10-en-20211014  10
behavioral23  keygen-step-6.exe                 windows7_x64    win7-en-20210920   6
behavioral24  keygen-step-6.exe                 windows10_x64   win10-en-20211014  6
behavioral25  keygen.bat                        windows7_x64    win7-en-20210920   10
behavioral26  keygen.bat                        windows10_x64   win10-en-20210920  10

Analysis

Max time kernel:   153s
Max time network:  171s
Platform:          windows10_x64
Resource:          win10-en-20210920
Submitted:         16-10-2021 06:51
General

Target:  keygen-step-4/low.exe
Size:    336KB
MD5:     95474ed3f97fb7167dff3990ff0155ec
SHA1:    b55c38792f78c5f76f2f2ee656f24f59390fb0f6
SHA256:  5e6b720e26146efd236e9c18c834f28723b9f182d9ce85d1c833ac3f8311eed0
SHA512:  8bf50f00aa7d0f5c4e5f4c6eeb93131768bb2e974e5edd73453db6d64bcbf90f088f324102df6b17311dff268f79a4ef6357da609ada7440229563f09aefd956
Malware Config

No configuration was extracted for this task.

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  description            pid   process       target process
  PID 4064 created 3936  4064  WerFault.exe  low.exe

suricata: ET MALWARE GCleaner Downloader Activity M5
  Emerging Threats rule matched on the task's network traffic. This is the only signature in the report that attributes the sample to a malware family (GCleaner, a pay-per-install downloader), and the only behavioural evidence here that comes from low.exe's own activity rather than from the crash handler.

Enumerates physical storage devices (1 TTP)
  Triage's generic description for this signature: attempts to interact with connected storage/optical drive(s); likely ransomware behaviour. Nothing else in this report supports a ransomware reading and the family attribution is a downloader, so treat this as a drive-enumeration heuristic rather than an encryption indicator.

Program crash (6 IoCs)
  pid   pid_target  process       target process
  2020  3936        WerFault.exe  low.exe
  640   3936        WerFault.exe  low.exe
  1496  3936        WerFault.exe  low.exe
  3908  3936        WerFault.exe  low.exe
  3680  3936        WerFault.exe  low.exe
  4064  3936        WerFault.exe  low.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  All 64 entries are WerFault.exe: PIDs 2020, 640, 1496, 3908 and 3680 with 12 entries each, and PID 4064 with 4 entries.

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  token               pid   process
  SeRestorePrivilege  2020  WerFault.exe
  SeBackupPrivilege   2020  WerFault.exe
  SeDebugPrivilege    2020  WerFault.exe
  SeDebugPrivilege    640   WerFault.exe
  SeDebugPrivilege    1496  WerFault.exe
  SeDebugPrivilege    3908  WerFault.exe
  SeDebugPrivilege    3680  WerFault.exe
  SeDebugPrivilege    4064  WerFault.exe

Reading these together: low.exe (PID 3936) raised an unhandled exception six times during the 153-second run, and Windows Error Reporting launched a fresh WerFault.exe against it each time. Enabling SeDebugPrivilege (plus SeBackup/SeRestore on the first instance) and walking the process list are what WerFault does to collect a minidump, and the NtCreateProcessExOtherParentProcess entry is also raised on a WerFault PID (4064), not on low.exe. Those four signatures therefore describe the crash handler, not the sample's capabilities. What can be attributed to the sample is the repeated crash itself, which is unusual for an accidental fault since the process survived each report, the storage-device enumeration, and the Suricata GCleaner downloader alert.
Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\low.exe  (PID 3936)
  command line: "C:\Users\Admin\AppData\Local\Temp\keygen-step-4\low.exe"
  |
  +-- C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 660
  |     Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 772
  |     Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 824
  |     Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 784
  |     Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 764
  |     Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1064  (PID 4064)
        Suspicious use of NtCreateProcessExOtherParentProcess; Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

The six WerFault.exe children are the PIDs 2020, 640, 1496, 3908, 3680 and 4064 listed in the Program crash table; the last entry (-s 1064) is PID 4064, the one that also carries the NtCreateProcessExOtherParentProcess tag. In the WerFault command line, -u marks a user-mode report, -p names the faulting process (which is how low.exe is known to be PID 3936), and -s is a per-invocation handle value that differs on every run, so it is not usable as an indicator. WerFault runs from SysWOW64 because low.exe is a 32-bit process on the 64-bit guest.
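The two checks this report calls for in practice, finding a crash loop in a process tree and separating crash-handler noise from sample behaviour, as an added example that is not part of this Triage report or of Triage's own tooling. It runs over events constructed from the process tree above: low.exe as PID 3936 (from WerFault's -p argument) and the six WerFault.exe instances with the PIDs from the Program crash table. The parent PID of low.exe (1234), the pairing of each WerFault PID with a particular -s value, and the generic event field layout are assumptions; the token IoCs are copied from the AdjustPrivilegeToken table.

```python
"""Crash-loop detection and IoC attribution for WerFault-heavy sandbox process trees.

Added example, not code from the Triage report or from Triage. The events below
are constructed to mirror the report's process tree; the parent PID of low.exe
and the WerFault PID <-> -s pairing are assumptions, as is the event schema.
"""
import re
from collections import defaultdict

LOW = r"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\low.exe"
WER = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed events: (pid, ppid, image, cmdline). PID 3936 comes from the
# -p argument in the report; ppid 1234 for low.exe is an assumed launcher PID.
EVENTS = [
    (3936, 1234, LOW, f'"{LOW}"'),
    (2020, 3936, WER, f"{WER} -u -p 3936 -s 660"),
    (640,  3936, WER, f"{WER} -u -p 3936 -s 772"),
    (1496, 3936, WER, f"{WER} -u -p 3936 -s 824"),
    (3908, 3936, WER, f"{WER} -u -p 3936 -s 784"),
    (3680, 3936, WER, f"{WER} -u -p 3936 -s 764"),
    (4064, 3936, WER, f"{WER} -u -p 3936 -s 1064"),
]

# Constructed from the report's AdjustPrivilegeToken table: (acting pid, privilege).
TOKEN_IOCS = [
    (2020, "SeRestorePrivilege"), (2020, "SeBackupPrivilege"), (2020, "SeDebugPrivilege"),
    (640, "SeDebugPrivilege"), (1496, "SeDebugPrivilege"), (3908, "SeDebugPrivilege"),
    (3680, "SeDebugPrivilege"), (4064, "SeDebugPrivilege"),
]

WERFAULT_ARGS = re.compile(r"-p\s+(\d+)\s+-s\s+(\d+)")


def is_werfault(image):
    """True for the Windows Error Reporting fault handler, whichever arch folder it ran from."""
    return image.lower().endswith("\\werfault.exe")


def parse_werfault(cmdline):
    """Return (faulting_pid, handle) from a WerFault command line, or None if it is not one.

    -p is the PID of the crashed process and is the useful field. -s is a handle
    value that changes on every invocation and must not be used as an indicator.
    """
    m = WERFAULT_ARGS.search(cmdline)
    return (int(m.group(1)), int(m.group(2))) if m else None


def crash_handlers(events):
    """Map faulting PID -> list of WerFault PIDs that handled it, in event order."""
    handled = defaultdict(list)
    for pid, _ppid, image, cmdline in events:
        if is_werfault(image):
            parsed = parse_werfault(cmdline)
            if parsed:
                handled[parsed[0]].append(pid)
    return dict(handled)


def find_crash_loops(events, threshold=3):
    """Flag every process that WerFault handled at least `threshold` times.

    A single crash is noise. A process that keeps running after several WER
    reports in one short run is behaving unlike an accidental fault and is
    worth a closer look regardless of what the individual signatures say.
    """
    images = {pid: image for pid, _ppid, image, _cmd in events}
    return [
        {"pid": target, "image": images.get(target, "?"), "crashes": len(handlers)}
        for target, handlers in crash_handlers(events).items()
        if len(handlers) >= threshold
    ]


def attribute_iocs(iocs, events):
    """Split (pid, detail) IoCs into those raised by WerFault and those raised by anything else.

    WerFault legitimately enables SeDebugPrivilege and walks the process list to
    write a minidump, so signatures that fire on its PIDs say nothing about the
    sample's own capabilities.
    """
    wer_pids = {pid for pid, _ppid, image, _cmd in events if is_werfault(image)}
    return {
        "crash_handler": [ioc for ioc in iocs if ioc[0] in wer_pids],
        "sample": [ioc for ioc in iocs if ioc[0] not in wer_pids],
    }


if __name__ == "__main__":
    for finding in find_crash_loops(EVENTS):
        print(f"crash loop: PID {finding['pid']} ({finding['image']}) crashed {finding['crashes']}x")
    split = attribute_iocs(TOKEN_IOCS, EVENTS)
    print(f"token IoCs from WerFault: {len(split['crash_handler'])}, from the sample: {len(split['sample'])}")
```

On the constructed events this reports one crash loop, low.exe crashing six times, and attributes all eight token IoCs to WerFault and none to the sample, which is the conclusion the signature tables above support. Feeding it real Sysmon event ID 1 or EDR process-creation records only requires mapping their fields onto the (pid, ppid, image, cmdline) tuples.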