404keylogger | 15d3b7ae0f5586fa70da1da483dac816f2cdfc464c558c0426707e4a86443e0d

General

Target

INV_2020.exe
Size

311KB
MD5

032e8660388186848cda8c3955f53202
SHA1

356a668840a4dc5fc9a209189ffed7a462c8633a
SHA256

24b2017e1fe4fa3f2616c1465cdb707abf300800da51ca3158580be6207876d8
SHA512

042ebc16e9f0c1b3ad55278b9a5f095415aef6266d3a6ce7047450fb2e3479294435ec544b7eee542427feb160cc1700c6a62babd9664fb14aa546146f4d9e30

Score

10^/10

404keylogger keylogger persistence stealer

Malware Config

Signatures

404 Keylogger
Information stealer and keylogger first seen in 2019.
stealer keylogger 404keylogger

404 Keylogger Main Executable 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1528-66-0x0000000000400000-0x0000000000422000-memory.dmp	family_404keylogger
behavioral1/memory/1528-67-0x0000000000400000-0x0000000000422000-memory.dmp	family_404keylogger
behavioral1/memory/1528-65-0x0000000000400000-0x0000000000422000-memory.dmp	family_404keylogger
behavioral1/memory/1528-68-0x000000000041CC4E-mapping.dmp	family_404keylogger
behavioral1/memory/1528-71-0x0000000000400000-0x0000000000422000-memory.dmp	family_404keylogger
behavioral1/memory/1528-73-0x0000000000400000-0x0000000000422000-memory.dmp	family_404keylogger

Executes dropped EXE 1 IoCs

Processes:

INV_2020.exe

pid process

1528 INV_2020.exe
Loads dropped DLL 6 IoCs

Processes:

INV_2020.exeWerFault.exe

pid process

1672 INV_2020.exe
1012 WerFault.exe
1012 WerFault.exe
1012 WerFault.exe
1012 WerFault.exe
1012 WerFault.exe

pid	process
1528	INV_2020.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

INV_2020.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\KulintunHost = "\"C:\\Users\\Admin\\KulintunHost.exe\""	INV_2020.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

INV_2020.exe

description pid process target process

PID 1672 set thread context of 1528 1672 INV_2020.exe INV_2020.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1012 1528 WerFault.exe INV_2020.exe

flow	ioc
4	checkip.dyndns.org

description	pid	process	target process
PID 1672 set thread context of 1528	1672	INV_2020.exe	INV_2020.exe

pid	pid_target	process	target process
1012	1528	WerFault.exe	INV_2020.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

INV_2020.exe

pid	process
1672	INV_2020.exe
1672	INV_2020.exe
1672	INV_2020.exe
1672	INV_2020.exe
1672	INV_2020.exe
1672	INV_2020.exe
1672	INV_2020.exe
1672	INV_2020.exe
1672	INV_2020.exe
1672	INV_2020.exe
1672	INV_2020.exe
1672	INV_2020.exe
1672	INV_2020.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

INV_2020.exeINV_2020.exe

description pid process

Token: SeDebugPrivilege 1672 INV_2020.exe
Token: SeDebugPrivilege 1528 INV_2020.exe

description	pid	process
Token: SeDebugPrivilege	1672	INV_2020.exe
Token: SeDebugPrivilege	1528	INV_2020.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

INV_2020.exeINV_2020.exe

description	pid	process	target process
PID 1672 wrote to memory of 1528	1672	INV_2020.exe	INV_2020.exe
PID 1672 wrote to memory of 1528	1672	INV_2020.exe	INV_2020.exe
PID 1672 wrote to memory of 1528	1672	INV_2020.exe	INV_2020.exe
PID 1672 wrote to memory of 1528	1672	INV_2020.exe	INV_2020.exe
PID 1672 wrote to memory of 1528	1672	INV_2020.exe	INV_2020.exe
PID 1672 wrote to memory of 1528	1672	INV_2020.exe	INV_2020.exe
PID 1672 wrote to memory of 1528	1672	INV_2020.exe	INV_2020.exe
PID 1672 wrote to memory of 1528	1672	INV_2020.exe	INV_2020.exe
PID 1672 wrote to memory of 1528	1672	INV_2020.exe	INV_2020.exe
PID 1528 wrote to memory of 1012	1528	INV_2020.exe	WerFault.exe
PID 1528 wrote to memory of 1012	1528	INV_2020.exe	WerFault.exe
PID 1528 wrote to memory of 1012	1528	INV_2020.exe	WerFault.exe
PID 1528 wrote to memory of 1012	1528	INV_2020.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\INV_2020.exe
"C:\Users\Admin\AppData\Local\Temp\INV_2020.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\INV_2020.exe
"C:\Users\Admin\AppData\Local\Temp\INV_2020.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 1096
3⤵
- Loads dropped DLL
- Program crash
PID:1012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INV_2020.exe
Filesize
311KB

MD5
032e8660388186848cda8c3955f53202

SHA1
356a668840a4dc5fc9a209189ffed7a462c8633a

SHA256
24b2017e1fe4fa3f2616c1465cdb707abf300800da51ca3158580be6207876d8

SHA512
042ebc16e9f0c1b3ad55278b9a5f095415aef6266d3a6ce7047450fb2e3479294435ec544b7eee542427feb160cc1700c6a62babd9664fb14aa546146f4d9e30

Download Submit
\Users\Admin\AppData\Local\Temp\INV_2020.exe
Filesize
311KB

MD5
032e8660388186848cda8c3955f53202

SHA1
356a668840a4dc5fc9a209189ffed7a462c8633a

SHA256
24b2017e1fe4fa3f2616c1465cdb707abf300800da51ca3158580be6207876d8

SHA512
042ebc16e9f0c1b3ad55278b9a5f095415aef6266d3a6ce7047450fb2e3479294435ec544b7eee542427feb160cc1700c6a62babd9664fb14aa546146f4d9e30

Download Submit
\Users\Admin\AppData\Local\Temp\INV_2020.exe
Filesize
311KB

MD5
032e8660388186848cda8c3955f53202

SHA1
356a668840a4dc5fc9a209189ffed7a462c8633a

SHA256
24b2017e1fe4fa3f2616c1465cdb707abf300800da51ca3158580be6207876d8

SHA512
042ebc16e9f0c1b3ad55278b9a5f095415aef6266d3a6ce7047450fb2e3479294435ec544b7eee542427feb160cc1700c6a62babd9664fb14aa546146f4d9e30

Download Submit
\Users\Admin\AppData\Local\Temp\INV_2020.exe
Filesize
311KB

MD5
032e8660388186848cda8c3955f53202

SHA1
356a668840a4dc5fc9a209189ffed7a462c8633a

SHA256
24b2017e1fe4fa3f2616c1465cdb707abf300800da51ca3158580be6207876d8

SHA512
042ebc16e9f0c1b3ad55278b9a5f095415aef6266d3a6ce7047450fb2e3479294435ec544b7eee542427feb160cc1700c6a62babd9664fb14aa546146f4d9e30

Download Submit
\Users\Admin\AppData\Local\Temp\INV_2020.exe
Filesize
311KB

MD5
032e8660388186848cda8c3955f53202

SHA1
356a668840a4dc5fc9a209189ffed7a462c8633a

SHA256
24b2017e1fe4fa3f2616c1465cdb707abf300800da51ca3158580be6207876d8

SHA512
042ebc16e9f0c1b3ad55278b9a5f095415aef6266d3a6ce7047450fb2e3479294435ec544b7eee542427feb160cc1700c6a62babd9664fb14aa546146f4d9e30

Download Submit
\Users\Admin\AppData\Local\Temp\INV_2020.exe
Filesize
311KB

MD5
032e8660388186848cda8c3955f53202

SHA1
356a668840a4dc5fc9a209189ffed7a462c8633a

SHA256
24b2017e1fe4fa3f2616c1465cdb707abf300800da51ca3158580be6207876d8

SHA512
042ebc16e9f0c1b3ad55278b9a5f095415aef6266d3a6ce7047450fb2e3479294435ec544b7eee542427feb160cc1700c6a62babd9664fb14aa546146f4d9e30

Download Submit
\Users\Admin\AppData\Local\Temp\INV_2020.exe
Filesize
311KB

MD5
032e8660388186848cda8c3955f53202

SHA1
356a668840a4dc5fc9a209189ffed7a462c8633a

SHA256
24b2017e1fe4fa3f2616c1465cdb707abf300800da51ca3158580be6207876d8

SHA512
042ebc16e9f0c1b3ad55278b9a5f095415aef6266d3a6ce7047450fb2e3479294435ec544b7eee542427feb160cc1700c6a62babd9664fb14aa546146f4d9e30

Download Submit
memory/1012-75-0x0000000000000000-mapping.dmp

Download
memory/1528-71-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1528-73-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1528-67-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1528-65-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1528-63-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1528-68-0x000000000041CC4E-mapping.dmp

Download
memory/1528-62-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1528-66-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1672-54-0x0000000000B10000-0x0000000000B64000-memory.dmp

Filesize
336KB

Download
memory/1672-60-0x0000000001F70000-0x0000000001F82000-memory.dmp

Filesize
72KB

Download
memory/1672-59-0x0000000000AD0000-0x0000000000AE6000-memory.dmp

Filesize
88KB

Download
memory/1672-58-0x00000000008F0000-0x0000000000906000-memory.dmp

Filesize
88KB

Download
memory/1672-57-0x0000000000440000-0x000000000046A000-memory.dmp

Filesize
168KB

Download
memory/1672-56-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/1672-55-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads