Overview

overview

10

Static

static

URLScan

urlscan

1

http://keygenninja.n...

windows7_x64

8

http://keygenninja.n...

windows10_x64

10

http://keygenninja.n...

windows10-2004_x64

8

Analysis

  • max time kernel
    547s
  • max time network
    552s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    26-01-2022 18:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://keygenninja.net

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" http://keygenninja.net
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" http://keygenninja.net
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3156
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3156.0.1933596429\1738714300" -parentBuildID 20200403170909 -prefsHandle 1704 -prefMapHandle 1696 -prefsLen 1 -prefMapSize 219548 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3156 "\\.\pipe\gecko-crash-server-pipe.3156" 1800 gpu
        3⤵
          PID:2344
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3156.3.1944671924\184640204" -childID 1 -isForBrowser -prefsHandle 2420 -prefMapHandle 2436 -prefsLen 78 -prefMapSize 219548 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3156 "\\.\pipe\gecko-crash-server-pipe.3156" 2484 tab
          3⤵
            PID:3544
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3156.13.1774102702\73544517" -childID 2 -isForBrowser -prefsHandle 3464 -prefMapHandle 3460 -prefsLen 945 -prefMapSize 219548 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3156 "\\.\pipe\gecko-crash-server-pipe.3156" 3492 tab
            3⤵
              PID:904
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3156.20.511046736\928918083" -childID 3 -isForBrowser -prefsHandle 3808 -prefMapHandle 3804 -prefsLen 6936 -prefMapSize 219548 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3156 "\\.\pipe\gecko-crash-server-pipe.3156" 3820 tab
              3⤵
                PID:3200
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3156.27.1985394323\1262236062" -childID 4 -isForBrowser -prefsHandle 8168 -prefMapHandle 8172 -prefsLen 10764 -prefMapSize 219548 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3156 "\\.\pipe\gecko-crash-server-pipe.3156" 8160 tab
                3⤵
                  PID:1476
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
              1⤵
                PID:1408
              • C:\Windows\System32\WaaSMedicAgent.exe
                C:\Windows\System32\WaaSMedicAgent.exe 4afc02e6edc033e4fc1d29fcf3fa5e59 IlQUBDt6ekGQQj2n1bnoDg.0.1.0.0.0
                1⤵
                • Modifies data under HKEY_USERS
                PID:4412
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k wusvcs -p
                1⤵
                  PID:4620
                • C:\Windows\System32\rundll32.exe
                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  1⤵
                    PID:4228
                  • C:\Program Files\7-Zip\7zG.exe
                    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\KMSauto\" -spe -an -ai#7zMap19518:76:7zEvent27505
                    1⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    PID:3292
                  • C:\Program Files\7-Zip\7zG.exe
                    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\KMSauto\KMSauto-setup\" -spe -an -ai#7zMap24813:104:7zEvent6097
                    1⤵
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    PID:2712
                  • C:\Windows\System32\Notepad.exe
                    "C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\KMSauto\KMSauto-setup\script.vbs
                    1⤵
                      PID:4112
                    • C:\Users\Admin\Downloads\KMSauto\KMSauto-setup\build.exe
                      "C:\Users\Admin\Downloads\KMSauto\KMSauto-setup\build.exe"
                      1⤵
                      • Executes dropped EXE
                      PID:4948
                    • C:\Users\Admin\Downloads\KMSauto\KMSauto-setup\KMSAuto Net.exe
                      "C:\Users\Admin\Downloads\KMSauto\KMSauto-setup\KMSAuto Net.exe"
                      1⤵
                      • Executes dropped EXE
                      PID:4360

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Persistence

                    Registry Run Keys / Startup Folder

                    1
                    T1060

                    Privilege Escalation

                    Defense Evasion

                    Modify Registry

                    1
                    T1112

                    Credential Access

                    Discovery

                    Query Registry

                    1
                    T1012

                    System Information Discovery

                    1
                    T1082

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\Downloads\KMSauto.zip
                      MD5

                      14063373723dbd5872ae443e8906f543

                      SHA1

                      4ca380f44f237a4efe30a0631806c4f560e4ebb1

                      SHA256

                      c3c018be2ccfb5d88e79781f4e18de921df606ba799c2a69999b5a940cb0c169

                      SHA512

                      fe9bec659a5a656514eeb04231e170aa6d21a3395c4d644656ffb8938b77ec8c8ca9c3692de88d8d7665f4904ba08908702a1f49141ecca2740e7419e3190024

                      Download Submit
                    • C:\Users\Admin\Downloads\KMSauto\KMSauto-setup.exe
                      MD5

                      1736e5fac5c7eec9cd04bf36c4259c6c

                      SHA1

                      111db7cedcb00945d92217e2de2d90025120ea2c

                      SHA256

                      29775a3f92792a858dd842588b76ba9205f24be7898e43851aba26b17e411203

                      SHA512

                      211f7f2c798c1f2b4d69fe481b16796e79b99910e63ecb0863951654c804d07542dddcfc730166ce15ca143984b8ea17d662e0f0d34d9fa4c6f8207ce2063aeb

                      Download Submit
                    • C:\Users\Admin\Downloads\KMSauto\KMSauto-setup\KMSAuto Net.exe
                      MD5

                      93a3a8ce440197d31168fac569082937

                      SHA1

                      fad3066803a1ba8f9cb8bb7d1969eea0398b5ea0

                      SHA256

                      22ef521964080e77d7006f9341d720683fa98409361c62a7bc4fe81ec474b1b2

                      SHA512

                      08efe7e24d8d9e484d39c1381421c3fbbf231e46a5ac33c22bf3735a06c4a3d278a752c25afeb4217cc663a6c6955a55985056a7d5d5142e57c2ac5d99e5d0c8

                      Download Submit
                    • C:\Users\Admin\Downloads\KMSauto\KMSauto-setup\KMSAuto Net.exe
                      MD5

                      7fc71f8f2091f7c81bc70254c240e45a

                      SHA1

                      c20c3ca4e3ddcb64e8e3a3cf8299f3800608ac4d

                      SHA256

                      2e032ee9d1328a5410966ab65fcb515045e3b50b5caaf8e7ba9eac225b68f52e

                      SHA512

                      99dd09cea6690397f6b09d7154cea44d1a49aec64acb9406b386c5ab0888596df4aca1a4b2f301ad9f7ba53f600d596c583b8276c6ce4d1b2647ea97526b83bd

                      Download Submit
                    • C:\Users\Admin\Downloads\KMSauto\KMSauto-setup\build.exe
                      MD5

                      f3afdb99001b373339d801a2bb52a071

                      SHA1

                      1194f3c3377cdcfca3f7c5843c8f002fe291335b

                      SHA256

                      1550e90b235a43401b6c660a24849f96c0ae514dbbdc1336a12a286a5cbfeca7

                      SHA512

                      57d76d81c72548d298d3324486cf7750ed76a212ff8aa1cc45d11f404a6933a0daa39d71d1115607e50e4464dce4178717aafe2dccdc6968974d0ea0e4b0dd59

                      Download Submit
                    • C:\Users\Admin\Downloads\KMSauto\KMSauto-setup\build.exe
                      MD5

                      f3afdb99001b373339d801a2bb52a071

                      SHA1

                      1194f3c3377cdcfca3f7c5843c8f002fe291335b

                      SHA256

                      1550e90b235a43401b6c660a24849f96c0ae514dbbdc1336a12a286a5cbfeca7

                      SHA512

                      57d76d81c72548d298d3324486cf7750ed76a212ff8aa1cc45d11f404a6933a0daa39d71d1115607e50e4464dce4178717aafe2dccdc6968974d0ea0e4b0dd59

                      Download Submit
                    • C:\Users\Admin\Downloads\KMSauto\KMSauto-setup\script.vbs
                      MD5

                      0dea7d1c1544d71cc604cd364f5b9e52

                      SHA1

                      c02058d9241ec21c9dd81f280fa2f988b6762544

                      SHA256

                      fd3a646f5f862fb4eb34a1a7b4274a8be4a6afd8364e2f24a58c6dbde1e10214

                      SHA512

                      abaf39f768931dd4c7cb749d6c5a280d443888b445beed4b12aa41bee5259407683e62cfaa7ab8e4d61ff223867356dcfd2de2eeed39a1f1273653b28f912ba1

                      Download Submit
                    • memory/4948-137-0x00000000006D0000-0x0000000000718000-memory.dmp
                      Filesize

                      288KB

                      Download