Analysis
- max time kernel: 42s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 10:00
Behavioral task behavioral1
- Sample: Rodokmen.Pro.v2.1.1.CZECH.keygen.exe
- Resource: win7-20220901-en

Behavioral task behavioral2
- Sample: Rodokmen.Pro.v2.1.1.CZECH.keygen.exe
- Resource: win10v2004-20220812-en
General
- Target: Rodokmen.Pro.v2.1.1.CZECH.keygen.exe
- Size: 362KB
- MD5: d77fa14d6295188b4af7954b3c8f1a38
- SHA1: 7acef1bd3b324546c91862eb5f54773d1d28df20
- SHA256: 5195bd647e93ce3bbb304e507e551318929279334527d65c6286018d48cdad28
- SHA512: f016d54979979d2ff649764e57c6b048cf3fc690cc1aa0b743c1be985f58b4705636b67487c8fb5bee48251a459cc33ffd478a434e3668e0e86cb7a0fabef184
- SSDEEP: 6144:x7/8yCh1wTvyk4vr4RNvKaJlllbXXPyCO8E7ih/kN5CtH9k8ryIV5G8Cb++1tdv:x77BTjCMRZfJlXf/O8mIICtH7HCb+6tt
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (5 IoCs)
Detects file using ACProtect software.
Processes:

| resource | yara_rule |
|---|---|
| C:\Windows\SysWOW64\msiinn32.dll | acprotect |
| \Windows\SysWOW64\msiinn32.dll | acprotect |
| \Windows\SysWOW64\msiinn32.dll | acprotect |
| \Windows\SysWOW64\msiinn32.dll | acprotect |
| \Windows\SysWOW64\msiinn32.dll | acprotect |

UPX-packed resources (8 IoCs)
Processes:

| resource | yara_rule |
|---|---|
| behavioral1/memory/2032-55-0x0000000000400000-0x000000000046C000-memory.dmp | upx |
| C:\Windows\SysWOW64\msiinn32.dll | upx |
| \Windows\SysWOW64\msiinn32.dll | upx |
| \Windows\SysWOW64\msiinn32.dll | upx |
| \Windows\SysWOW64\msiinn32.dll | upx |
| \Windows\SysWOW64\msiinn32.dll | upx |
| behavioral1/memory/1880-67-0x0000000010000000-0x0000000010088000-memory.dmp | upx |
| behavioral1/memory/2032-68-0x0000000000400000-0x000000000046C000-memory.dmp | upx |

Loads dropped DLL (4 IoCs)
Processes:

| pid | process |
|---|---|
| 1880 | rundll32.exe |
| 1880 | rundll32.exe |
| 1880 | rundll32.exe |
| 1880 | rundll32.exe |

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
Processes:

| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe |

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSIDLL = "C:\\Windows\\SysWOW64\\rundll32.exe msiinn32.dll,XzXRQcUSq" | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe |

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (2 IoCs)
Processes:

| description | ioc | process |
|---|---|---|
| File created | C:\Windows\SysWOW64\msiinn32.dll | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe |
| File opened for modification | C:\Windows\SysWOW64\msiinn32.dll | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe |

Program crash (1 IoC)
Processes:

| pid | pid_target | process | target process |
|---|---|---|---|
| 2012 | 2032 | WerFault.exe | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe |

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:

| pid | process |
|---|---|
| 2032 | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe |
| 2032 | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe |
| 2032 | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe |
| 2032 | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe |

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:

| description | pid | process | target process |
|---|---|---|---|
| PID 2032 wrote to memory of 1880 | 2032 | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe | rundll32.exe |
| PID 2032 wrote to memory of 1880 | 2032 | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe | rundll32.exe |
| PID 2032 wrote to memory of 1880 | 2032 | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe | rundll32.exe |
| PID 2032 wrote to memory of 1880 | 2032 | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe | rundll32.exe |
| PID 2032 wrote to memory of 1880 | 2032 | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe | rundll32.exe |
| PID 2032 wrote to memory of 1880 | 2032 | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe | rundll32.exe |
| PID 2032 wrote to memory of 1880 | 2032 | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe | rundll32.exe |
| PID 2032 wrote to memory of 2012 | 2032 | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe | WerFault.exe |
| PID 2032 wrote to memory of 2012 | 2032 | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe | WerFault.exe |
| PID 2032 wrote to memory of 2012 | 2032 | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe | WerFault.exe |
| PID 2032 wrote to memory of 2012 | 2032 | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe | WerFault.exe |

outlook_win_path (1 IoC)
Processes:

| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\Rodokmen.Pro.v2.1.1.CZECH.keygen.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Rodokmen.Pro.v2.1.1.CZECH.keygen.exe"
  Signatures:
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - outlook_win_path
  Child processes:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\SysWOW64\rundll32.exe msiinn32.dll,XzXRQcUSq
    Signatures:
    - Loads dropped DLL
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 340
    Signatures:
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\msiinn32.dll
  - Filesize: 174KB
  - MD5: e8f30e1c5099edd4ee2d24cad67c333c
  - SHA1: bcd3f120cb6d99ef27e7bcc8822ca3d9b40faa4b
  - SHA256: cbfb7f70b2442f72d4172f349d0d92686dd864e223438e2331f3741a796852f7
  - SHA512: 883d6a71a2c7dd48b6fc1f54198666678e0b4ed2a3d77109bdad06491faa16635d0d7452f62f8c69a4d309fabed61e4acad9cdfd315440cb2f70925ff7d0b4f1
- \Windows\SysWOW64\msiinn32.dll
  - Filesize: 174KB
  - MD5: e8f30e1c5099edd4ee2d24cad67c333c
  - SHA1: bcd3f120cb6d99ef27e7bcc8822ca3d9b40faa4b
  - SHA256: cbfb7f70b2442f72d4172f349d0d92686dd864e223438e2331f3741a796852f7
  - SHA512: 883d6a71a2c7dd48b6fc1f54198666678e0b4ed2a3d77109bdad06491faa16635d0d7452f62f8c69a4d309fabed61e4acad9cdfd315440cb2f70925ff7d0b4f1
- memory/1880-58-0x0000000000000000-mapping.dmp
- memory/1880-67-0x0000000010000000-0x0000000010088000-memory.dmp
  - Filesize: 544KB
- memory/2012-62-0x0000000000000000-mapping.dmp
- memory/2032-59-0x0000000000350000-0x00000000003D8000-memory.dmp
  - Filesize: 544KB
- memory/2032-54-0x0000000075A71000-0x0000000075A73000-memory.dmp
  - Filesize: 8KB
- memory/2032-57-0x0000000000350000-0x00000000003D8000-memory.dmp
  - Filesize: 544KB
- memory/2032-56-0x0000000000260000-0x00000000002BA000-memory.dmp
  - Filesize: 360KB
- memory/2032-55-0x0000000000400000-0x000000000046C000-memory.dmp
  - Filesize: 432KB
- memory/2032-68-0x0000000000400000-0x000000000046C000-memory.dmp
  - Filesize: 432KB
- memory/2032-69-0x0000000000260000-0x00000000002BA000-memory.dmp
  - Filesize: 360KB
- memory/2032-70-0x0000000000350000-0x00000000003D8000-memory.dmp
  - Filesize: 544KB