Analysis
-
max time kernel
326s -
max time network
1559s -
platform
windows10_x64 -
resource
win10-ja-20211014 -
submitted
22-10-2021 14:39
General
-
Target
keygen-step-4.exe
-
Size
4.2MB
-
MD5
00ebc043e56f9f084116b06bdda236af
-
SHA1
5cd4266a7b4500f3c9bfa5174b535d52361167ed
-
SHA256
f6e16a4200c3510b4a0ddc031240495d36e9c1d47160e488606f0978e9bb0422
-
SHA512
03d5c4d62c09b18259d42168284b72eecb874e5ec12063edfb54637a833c376b0ab788fc20474f21969e674f29e135498aa46ddf1b62ef6f06c506037543ee67
Malware Config
Signatures
-
Registers COM server for autorun 1 TTPs
-
Executes dropped EXE 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Modifies data under HKEY_USERS 24 IoCs
-
Modifies registry class 44 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"1⤵
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 520 -s 21123⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe"1⤵
- Modifies registry class
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exeMD5
6a9bf2c46a15d1fc9142e16aed31e8dd
SHA1802024dc5b3b37d123dfaa05f2b3c19e82f1f83f
SHA256fa9a091c09bb374ef72215fba163e3dd7b77ee4c9720eea92795786a359b9abb
SHA512c563d2426d4db24c988801fedd252b425b291ad6b90540f1d6e78d9d8276a9726e93d06dc57a7ed183589ce531578e480ac544b331b1cd06946afaaa1cddff85
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exeMD5
6a9bf2c46a15d1fc9142e16aed31e8dd
SHA1802024dc5b3b37d123dfaa05f2b3c19e82f1f83f
SHA256fa9a091c09bb374ef72215fba163e3dd7b77ee4c9720eea92795786a359b9abb
SHA512c563d2426d4db24c988801fedd252b425b291ad6b90540f1d6e78d9d8276a9726e93d06dc57a7ed183589ce531578e480ac544b331b1cd06946afaaa1cddff85
-
memory/520-117-0x0000000000000000-mapping.dmp
-
memory/520-120-0x0000000000EB0000-0x0000000000EB1000-memory.dmpFilesize
4KB
-
memory/520-122-0x000000001D270000-0x000000001D272000-memory.dmpFilesize
8KB
-
memory/520-123-0x00000000031F0000-0x00000000031F1000-memory.dmpFilesize
4KB
-
memory/520-124-0x000000001DD10000-0x000000001DD11000-memory.dmpFilesize
4KB
-
memory/520-125-0x000000001D272000-0x000000001D274000-memory.dmpFilesize
8KB
-
memory/520-126-0x000000001D274000-0x000000001D275000-memory.dmpFilesize
4KB
-
memory/4720-115-0x0000000000330000-0x0000000000331000-memory.dmpFilesize
4KB
-
memory/4720-116-0x0000000000330000-0x0000000000331000-memory.dmpFilesize
4KB