Analysis
max time kernel: 140s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 10:00
Behavioral task: behavioral1
Sample: Rodokmen.Pro.v2.1.1.CZECH.keygen.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: Rodokmen.Pro.v2.1.1.CZECH.keygen.exe
Resource: win10v2004-20220812-en
General
Target: Rodokmen.Pro.v2.1.1.CZECH.keygen.exe
Size: 362KB
MD5: d77fa14d6295188b4af7954b3c8f1a38
SHA1: 7acef1bd3b324546c91862eb5f54773d1d28df20
SHA256: 5195bd647e93ce3bbb304e507e551318929279334527d65c6286018d48cdad28
SHA512: f016d54979979d2ff649764e57c6b048cf3fc690cc1aa0b743c1be985f58b4705636b67487c8fb5bee48251a459cc33ffd478a434e3668e0e86cb7a0fabef184
SSDEEP: 6144:x7/8yCh1wTvyk4vr4RNvKaJlllbXXPyCO8E7ih/kN5CtH9k8ryIV5G8Cb++1tdv:x77BTjCMRZfJlXf/O8mIICtH7HCb+6tt
Malware Config
Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
Processes:
resource | yara_rule
C:\Windows\SysWOW64\msirzs32.dll | acprotect
C:\Windows\SysWOW64\msirzs32.dll | acprotect

UPX packed file 5 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4076-132-0x0000000000400000-0x000000000046C000-memory.dmp | upx
C:\Windows\SysWOW64\msirzs32.dll | upx
C:\Windows\SysWOW64\msirzs32.dll | upx
behavioral2/memory/2580-139-0x0000000010000000-0x0000000010088000-memory.dmp | upx
behavioral2/memory/4076-142-0x0000000000400000-0x000000000046C000-memory.dmp | upx

Loads dropped DLL 1 IoCs
Processes:
pid | process
2580 | rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSIDLL = "C:\\Windows\\SysWOW64\\rundll32.exe msirzs32.dll,XzXRQcUSq" | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\msirzs32.dll | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe
File opened for modification | C:\Windows\SysWOW64\msirzs32.dll | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe

Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
1672 | 4076 | WerFault.exe | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid | process
4076 | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe (8 identical entries)

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 4076 wrote to memory of 2580 | 4076 | Rodokmen.Pro.v2.1.1.CZECH.keygen.exe | rundll32.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Rodokmen.Pro.v2.1.1.CZECH.keygen.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Rodokmen.Pro.v2.1.1.CZECH.keygen.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\SysWOW64\rundll32.exe msirzs32.dll,XzXRQcUSq
    - Loads dropped DLL
  - Child: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 684
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4076 -ip 4076
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\msirzs32.dll
  Filesize: 174KB
  MD5: e8f30e1c5099edd4ee2d24cad67c333c
  SHA1: bcd3f120cb6d99ef27e7bcc8822ca3d9b40faa4b
  SHA256: cbfb7f70b2442f72d4172f349d0d92686dd864e223438e2331f3741a796852f7
  SHA512: 883d6a71a2c7dd48b6fc1f54198666678e0b4ed2a3d77109bdad06491faa16635d0d7452f62f8c69a4d309fabed61e4acad9cdfd315440cb2f70925ff7d0b4f1
- memory/2580-136-0x0000000000000000-mapping.dmp
- memory/2580-139-0x0000000010000000-0x0000000010088000-memory.dmp, Filesize: 544KB
- memory/4076-132-0x0000000000400000-0x000000000046C000-memory.dmp, Filesize: 432KB
- memory/4076-133-0x0000000000A20000-0x0000000000A7A000-memory.dmp, Filesize: 360KB
- memory/4076-134-0x00000000029A0000-0x0000000002A28000-memory.dmp, Filesize: 544KB
- memory/4076-135-0x00000000029A0000-0x0000000002A28000-memory.dmp, Filesize: 544KB
- memory/4076-140-0x0000000000A20000-0x0000000000A7A000-memory.dmp, Filesize: 360KB
- memory/4076-141-0x00000000029A0000-0x0000000002A28000-memory.dmp, Filesize: 544KB
- memory/4076-142-0x0000000000400000-0x000000000046C000-memory.dmp, Filesize: 432KB