edaaa26f500024b459673c81b7d37b8e8281ef5f08de04291662021c3d44673a

Analysis

max time kernel
150s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RecoverKeysInstaller.exe
Size

8.9MB
MD5

14d68897c90cc7a664444ab814514e9f
SHA1

2f295f5dc8d6b5c515fdeb45645c5a380dcf899d
SHA256

9ec7ff8bff95cb87561940849e877cb12f3e07d50762f2dc1c474b39d7c74b6a
SHA512

2c0ca9d49f5be5cbf3a1f3d629bccf0d0fdd4d0bf3f2b4222d9c763ac4df3b5924b37b97ea86aa95112a4cf1c9bb7509c97b02b91260b566143e117b4475ce91
SSDEEP

196608:StJMM796FzCSsOhQPsaOlzwSN+nGDuLbbGB6srwkv6y/2AQ:6JMM7yzQOuPxyj9aLbQ6sd7/2n

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

RecoverKeysInstaller.tmpRecoverKeys.exe

pid process

1712 RecoverKeysInstaller.tmp
1032 RecoverKeys.exe

pid	process
1712	RecoverKeysInstaller.tmp
1032	RecoverKeys.exe

Loads dropped DLL 5 IoCs

Processes:

RecoverKeysInstaller.exeRecoverKeysInstaller.tmp

pid	process
1908	RecoverKeysInstaller.exe
1712	RecoverKeysInstaller.tmp
1712	RecoverKeysInstaller.tmp
1712	RecoverKeysInstaller.tmp
1712	RecoverKeysInstaller.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 36 IoCs

Processes:

RecoverKeysInstaller.tmp

description	ioc	process
File created	C:\Program Files (x86)\Recover Keys\Lang\is-I95KB.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-FQOPG.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-B4VRT.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\unins000.dat	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-G0S3H.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-2V3K4.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-9MMHE.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-D1729.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-T9H55.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\is-FS4G9.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-KPJSP.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-NOFSD.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-3BD3A.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-40HBN.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\is-GIII7.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-2JBLR.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-CGOLB.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-CSKM8.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-R1GQ2.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-PIFRM.tmp	RecoverKeysInstaller.tmp
File opened for modification	C:\Program Files (x86)\Recover Keys\unins000.dat	RecoverKeysInstaller.tmp
File opened for modification	C:\Program Files (x86)\Recover Keys\RecoverKeys.exe	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-I693P.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-7JUS3.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-6TKGB.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-FHIBA.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-MU65D.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-8UTL6.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-160C4.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-7LUQC.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-GB1KI.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-N1UNJ.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-1IQC1.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-DG35R.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\Lang\is-1J9QV.tmp	RecoverKeysInstaller.tmp
File created	C:\Program Files (x86)\Recover Keys\unins000.msg	RecoverKeysInstaller.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RecoverKeysInstaller.tmp

pid process

1712 RecoverKeysInstaller.tmp
1712 RecoverKeysInstaller.tmp
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

RecoverKeysInstaller.tmpRecoverKeys.exe

pid process

1712 RecoverKeysInstaller.tmp
1032 RecoverKeys.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

RecoverKeys.exe

pid process

1032 RecoverKeys.exe
1032 RecoverKeys.exe
1032 RecoverKeys.exe
1032 RecoverKeys.exe

pid	process
1712	RecoverKeysInstaller.tmp
1712	RecoverKeysInstaller.tmp

pid	process
1712	RecoverKeysInstaller.tmp
1032	RecoverKeys.exe

pid	process
1032	RecoverKeys.exe
1032	RecoverKeys.exe
1032	RecoverKeys.exe
1032	RecoverKeys.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

RecoverKeysInstaller.exeRecoverKeysInstaller.tmpRecoverKeys.exe

description	pid	process	target process
PID 1908 wrote to memory of 1712	1908	RecoverKeysInstaller.exe	RecoverKeysInstaller.tmp
PID 1908 wrote to memory of 1712	1908	RecoverKeysInstaller.exe	RecoverKeysInstaller.tmp
PID 1908 wrote to memory of 1712	1908	RecoverKeysInstaller.exe	RecoverKeysInstaller.tmp
PID 1908 wrote to memory of 1712	1908	RecoverKeysInstaller.exe	RecoverKeysInstaller.tmp
PID 1908 wrote to memory of 1712	1908	RecoverKeysInstaller.exe	RecoverKeysInstaller.tmp
PID 1908 wrote to memory of 1712	1908	RecoverKeysInstaller.exe	RecoverKeysInstaller.tmp
PID 1908 wrote to memory of 1712	1908	RecoverKeysInstaller.exe	RecoverKeysInstaller.tmp
PID 1712 wrote to memory of 1032	1712	RecoverKeysInstaller.tmp	RecoverKeys.exe
PID 1712 wrote to memory of 1032	1712	RecoverKeysInstaller.tmp	RecoverKeys.exe
PID 1712 wrote to memory of 1032	1712	RecoverKeysInstaller.tmp	RecoverKeys.exe
PID 1712 wrote to memory of 1032	1712	RecoverKeysInstaller.tmp	RecoverKeys.exe
PID 1712 wrote to memory of 1032	1712	RecoverKeysInstaller.tmp	RecoverKeys.exe
PID 1712 wrote to memory of 1032	1712	RecoverKeysInstaller.tmp	RecoverKeys.exe
PID 1712 wrote to memory of 1032	1712	RecoverKeysInstaller.tmp	RecoverKeys.exe
PID 1032 wrote to memory of 848	1032	RecoverKeys.exe	splwow64.exe
PID 1032 wrote to memory of 848	1032	RecoverKeys.exe	splwow64.exe
PID 1032 wrote to memory of 848	1032	RecoverKeys.exe	splwow64.exe
PID 1032 wrote to memory of 848	1032	RecoverKeys.exe	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\RecoverKeysInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\RecoverKeysInstaller.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\is-U3L9C.tmp\RecoverKeysInstaller.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U3L9C.tmp\RecoverKeysInstaller.tmp" /SL5="$60120,8764450,404480,C:\Users\Admin\AppData\Local\Temp\RecoverKeysInstaller.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1712

C:\Program Files (x86)\Recover Keys\RecoverKeys.exe
"C:\Program Files (x86)\Recover Keys\RecoverKeys.exe" -LaunchedFromInstaller
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
4⤵
PID:848

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\SkipProtect.vbs"
1⤵
PID:1404

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Recover Keys\Lang\English.xml
Filesize
47KB

MD5
b8e61acfa6f35e485a12a0e0efc9e7a1

SHA1
74de8886188c0f93deaf5c0a3b4468a41b6bb30b

SHA256
57ff378169f01e8b66a98e4baa369b501c1b05be16210143be23fad28faec892

SHA512
33389f479b236ca67284c9645c4674bd03ce55417cb86a7cf88d33c1ab84c5aaa0e31505048bd9ae85c6a18d8d6c96798c21fd09353b89df0a2436fc941b3b8a

Download Submit
C:\Program Files (x86)\Recover Keys\RecoverKeys.exe
Filesize
30.4MB

MD5
84104b4f62f9f58be6f2b279fe211ae8

SHA1
7f1f184cb12449b7f79b165c6dc2202c9f089220

SHA256
728122398db444d401681a74c364ec38e313bc26aacaed7de24f76bf7b38f620

SHA512
f256007a69a4c1e80cd32a3f5ae2a4d7172518ff6ae50f0d6d40c939ce7ac81021cb105280a85f3cf285a8f8ad05c1ef4b29db536847a024b797bcc396595795

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U3L9C.tmp\RecoverKeysInstaller.tmp
Filesize
1.4MB

MD5
2cd98880a00b07767aba76e78a28e92a

SHA1
7a659d5eb6f465a238550914c92a3f45b4de4b94

SHA256
7afc059d3953168ba0ae1e1b2bfb307f26f2f6d86b752e22c38d31ff18ec8918

SHA512
106eb0da5bc5165378ee11421658d3478b59618a150a85068e7a968739a276ae70d5af3aba96c65965fd0f6b1cfb7d2714f4442f4dfb5e9d0e097dad6801a883

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U3L9C.tmp\RecoverKeysInstaller.tmp
Filesize
1.4MB

MD5
2cd98880a00b07767aba76e78a28e92a

SHA1
7a659d5eb6f465a238550914c92a3f45b4de4b94

SHA256
7afc059d3953168ba0ae1e1b2bfb307f26f2f6d86b752e22c38d31ff18ec8918

SHA512
106eb0da5bc5165378ee11421658d3478b59618a150a85068e7a968739a276ae70d5af3aba96c65965fd0f6b1cfb7d2714f4442f4dfb5e9d0e097dad6801a883

Download Submit
\Program Files (x86)\Recover Keys\RecoverKeys.exe
Filesize
30.4MB

MD5
84104b4f62f9f58be6f2b279fe211ae8

SHA1
7f1f184cb12449b7f79b165c6dc2202c9f089220

SHA256
728122398db444d401681a74c364ec38e313bc26aacaed7de24f76bf7b38f620

SHA512
f256007a69a4c1e80cd32a3f5ae2a4d7172518ff6ae50f0d6d40c939ce7ac81021cb105280a85f3cf285a8f8ad05c1ef4b29db536847a024b797bcc396595795

Download Submit
\Program Files (x86)\Recover Keys\RecoverKeys.exe
Filesize
30.4MB

MD5
84104b4f62f9f58be6f2b279fe211ae8

SHA1
7f1f184cb12449b7f79b165c6dc2202c9f089220

SHA256
728122398db444d401681a74c364ec38e313bc26aacaed7de24f76bf7b38f620

SHA512
f256007a69a4c1e80cd32a3f5ae2a4d7172518ff6ae50f0d6d40c939ce7ac81021cb105280a85f3cf285a8f8ad05c1ef4b29db536847a024b797bcc396595795

Download Submit
\Program Files (x86)\Recover Keys\RecoverKeys.exe
Filesize
30.4MB

MD5
84104b4f62f9f58be6f2b279fe211ae8

SHA1
7f1f184cb12449b7f79b165c6dc2202c9f089220

SHA256
728122398db444d401681a74c364ec38e313bc26aacaed7de24f76bf7b38f620

SHA512
f256007a69a4c1e80cd32a3f5ae2a4d7172518ff6ae50f0d6d40c939ce7ac81021cb105280a85f3cf285a8f8ad05c1ef4b29db536847a024b797bcc396595795

Download Submit
\Program Files (x86)\Recover Keys\unins000.exe
Filesize
1.4MB

MD5
2cd98880a00b07767aba76e78a28e92a

SHA1
7a659d5eb6f465a238550914c92a3f45b4de4b94

SHA256
7afc059d3953168ba0ae1e1b2bfb307f26f2f6d86b752e22c38d31ff18ec8918

SHA512
106eb0da5bc5165378ee11421658d3478b59618a150a85068e7a968739a276ae70d5af3aba96c65965fd0f6b1cfb7d2714f4442f4dfb5e9d0e097dad6801a883

Download Submit
\Users\Admin\AppData\Local\Temp\is-U3L9C.tmp\RecoverKeysInstaller.tmp
Filesize
1.4MB

MD5
2cd98880a00b07767aba76e78a28e92a

SHA1
7a659d5eb6f465a238550914c92a3f45b4de4b94

SHA256
7afc059d3953168ba0ae1e1b2bfb307f26f2f6d86b752e22c38d31ff18ec8918

SHA512
106eb0da5bc5165378ee11421658d3478b59618a150a85068e7a968739a276ae70d5af3aba96c65965fd0f6b1cfb7d2714f4442f4dfb5e9d0e097dad6801a883

Download Submit
memory/848-73-0x0000000000000000-mapping.dmp

Download
memory/848-74-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

Filesize
8KB

Download
memory/1032-68-0x0000000000000000-mapping.dmp

Download
memory/1032-72-0x0000000074591000-0x0000000074593000-memory.dmp

Filesize
8KB

Download
memory/1712-62-0x00000000747E1000-0x00000000747E3000-memory.dmp

Filesize
8KB

Download
memory/1712-58-0x0000000000000000-mapping.dmp

Download
memory/1908-61-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1908-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1908-71-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1908-55-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads