60ea60b8f5416dc8f42fa3efc2ca4002c0a0b58c0d631cefe70205143691cc9e

General

Target

Rodokmen.Pro.v2.1.1.CZECH.keygen.exe
Size

362KB
MD5

d77fa14d6295188b4af7954b3c8f1a38
SHA1

7acef1bd3b324546c91862eb5f54773d1d28df20
SHA256

5195bd647e93ce3bbb304e507e551318929279334527d65c6286018d48cdad28
SHA512

f016d54979979d2ff649764e57c6b048cf3fc690cc1aa0b743c1be985f58b4705636b67487c8fb5bee48251a459cc33ffd478a434e3668e0e86cb7a0fabef184
SSDEEP

6144:x7/8yCh1wTvyk4vr4RNvKaJlllbXXPyCO8E7ih/kN5CtH9k8ryIV5G8Cb++1tdv:x77BTjCMRZfJlXf/O8mIICtH7HCb+6tt

Score

9^/10

collection discovery persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\msiinn32.dll	acprotect
\Windows\SysWOW64\msiinn32.dll	acprotect
\Windows\SysWOW64\msiinn32.dll	acprotect
\Windows\SysWOW64\msiinn32.dll	acprotect
\Windows\SysWOW64\msiinn32.dll	acprotect

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2032-55-0x0000000000400000-0x000000000046C000-memory.dmp	upx
C:\Windows\SysWOW64\msiinn32.dll	upx
\Windows\SysWOW64\msiinn32.dll	upx
\Windows\SysWOW64\msiinn32.dll	upx
\Windows\SysWOW64\msiinn32.dll	upx
\Windows\SysWOW64\msiinn32.dll	upx
behavioral1/memory/1880-67-0x0000000010000000-0x0000000010088000-memory.dmp	upx
behavioral1/memory/2032-68-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1880 rundll32.exe
1880 rundll32.exe
1880 rundll32.exe
1880 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1880	rundll32.exe
1880	rundll32.exe
1880	rundll32.exe
1880	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

Rodokmen.Pro.v2.1.1.CZECH.keygen.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Rodokmen.Pro.v2.1.1.CZECH.keygen.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSIDLL = "C:\\Windows\\SysWOW64\\rundll32.exe msiinn32.dll,XzXRQcUSq"	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

Processes:

Rodokmen.Pro.v2.1.1.CZECH.keygen.exe

description	ioc	process
File created	C:\Windows\SysWOW64\msiinn32.dll	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe
File opened for modification	C:\Windows\SysWOW64\msiinn32.dll	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2012 2032 WerFault.exe Rodokmen.Pro.v2.1.1.CZECH.keygen.exe

pid	pid_target	process	target process
2012	2032	WerFault.exe	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Rodokmen.Pro.v2.1.1.CZECH.keygen.exe

pid	process
2032	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe
2032	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe
2032	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe
2032	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Rodokmen.Pro.v2.1.1.CZECH.keygen.exe

description	pid	process	target process
PID 2032 wrote to memory of 1880	2032	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe	rundll32.exe
PID 2032 wrote to memory of 1880	2032	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe	rundll32.exe
PID 2032 wrote to memory of 1880	2032	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe	rundll32.exe
PID 2032 wrote to memory of 1880	2032	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe	rundll32.exe
PID 2032 wrote to memory of 1880	2032	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe	rundll32.exe
PID 2032 wrote to memory of 1880	2032	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe	rundll32.exe
PID 2032 wrote to memory of 1880	2032	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe	rundll32.exe
PID 2032 wrote to memory of 2012	2032	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe	WerFault.exe
PID 2032 wrote to memory of 2012	2032	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe	WerFault.exe
PID 2032 wrote to memory of 2012	2032	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe	WerFault.exe
PID 2032 wrote to memory of 2012	2032	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe	WerFault.exe

outlook_win_path 1 IoCs

Processes:

Rodokmen.Pro.v2.1.1.CZECH.keygen.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Rodokmen.Pro.v2.1.1.CZECH.keygen.exe

C:\Users\Admin\AppData\Local\Temp\Rodokmen.Pro.v2.1.1.CZECH.keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Rodokmen.Pro.v2.1.1.CZECH.keygen.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:2032

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe msiinn32.dll,XzXRQcUSq
2⤵
- Loads dropped DLL
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 340
2⤵
- Program crash
PID:2012

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msiinn32.dll
Filesize
174KB

MD5
e8f30e1c5099edd4ee2d24cad67c333c

SHA1
bcd3f120cb6d99ef27e7bcc8822ca3d9b40faa4b

SHA256
cbfb7f70b2442f72d4172f349d0d92686dd864e223438e2331f3741a796852f7

SHA512
883d6a71a2c7dd48b6fc1f54198666678e0b4ed2a3d77109bdad06491faa16635d0d7452f62f8c69a4d309fabed61e4acad9cdfd315440cb2f70925ff7d0b4f1

Download Submit
\Windows\SysWOW64\msiinn32.dll
Filesize
174KB

MD5
e8f30e1c5099edd4ee2d24cad67c333c

SHA1
bcd3f120cb6d99ef27e7bcc8822ca3d9b40faa4b

SHA256
cbfb7f70b2442f72d4172f349d0d92686dd864e223438e2331f3741a796852f7

SHA512
883d6a71a2c7dd48b6fc1f54198666678e0b4ed2a3d77109bdad06491faa16635d0d7452f62f8c69a4d309fabed61e4acad9cdfd315440cb2f70925ff7d0b4f1

Download Submit
\Windows\SysWOW64\msiinn32.dll
Filesize
174KB

MD5
e8f30e1c5099edd4ee2d24cad67c333c

SHA1
bcd3f120cb6d99ef27e7bcc8822ca3d9b40faa4b

SHA256
cbfb7f70b2442f72d4172f349d0d92686dd864e223438e2331f3741a796852f7

SHA512
883d6a71a2c7dd48b6fc1f54198666678e0b4ed2a3d77109bdad06491faa16635d0d7452f62f8c69a4d309fabed61e4acad9cdfd315440cb2f70925ff7d0b4f1

Download Submit
\Windows\SysWOW64\msiinn32.dll
Filesize
174KB

MD5
e8f30e1c5099edd4ee2d24cad67c333c

SHA1
bcd3f120cb6d99ef27e7bcc8822ca3d9b40faa4b

SHA256
cbfb7f70b2442f72d4172f349d0d92686dd864e223438e2331f3741a796852f7

SHA512
883d6a71a2c7dd48b6fc1f54198666678e0b4ed2a3d77109bdad06491faa16635d0d7452f62f8c69a4d309fabed61e4acad9cdfd315440cb2f70925ff7d0b4f1

Download Submit
\Windows\SysWOW64\msiinn32.dll
Filesize
174KB

MD5
e8f30e1c5099edd4ee2d24cad67c333c

SHA1
bcd3f120cb6d99ef27e7bcc8822ca3d9b40faa4b

SHA256
cbfb7f70b2442f72d4172f349d0d92686dd864e223438e2331f3741a796852f7

SHA512
883d6a71a2c7dd48b6fc1f54198666678e0b4ed2a3d77109bdad06491faa16635d0d7452f62f8c69a4d309fabed61e4acad9cdfd315440cb2f70925ff7d0b4f1

Download Submit
memory/1880-58-0x0000000000000000-mapping.dmp

Download
memory/1880-67-0x0000000010000000-0x0000000010088000-memory.dmp

Filesize
544KB

Download
memory/2012-62-0x0000000000000000-mapping.dmp

Download
memory/2032-59-0x0000000000350000-0x00000000003D8000-memory.dmp

Filesize
544KB

Download
memory/2032-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/2032-57-0x0000000000350000-0x00000000003D8000-memory.dmp

Filesize
544KB

Download
memory/2032-56-0x0000000000260000-0x00000000002BA000-memory.dmp

Filesize
360KB

Download
memory/2032-55-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2032-68-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2032-69-0x0000000000260000-0x00000000002BA000-memory.dmp

Filesize
360KB

Download
memory/2032-70-0x0000000000350000-0x00000000003D8000-memory.dmp

Filesize
544KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads