e5338f0d9bdf9e098fe24121ff9d06c6eeadfea7c29d1ddd6883449e2d4b2d65

Analysis

max time kernel
136s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23/05/2023, 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SIR_KeyGen.exe
Size

460KB
MD5

11c9fd0206d5e4804882d32d75af679d
SHA1

8247508f0d8b3942a3e4e937e78e6667d0dc5eeb
SHA256

e5338f0d9bdf9e098fe24121ff9d06c6eeadfea7c29d1ddd6883449e2d4b2d65
SHA512

e0b56ae29bffe9ac169b2f9bb7e88c111995f6cf38ec06b27ba65e817d0c270768d955bb033cdf473703d2f74710e7628a209bc9ec8e4ab08bca0477bfd0a6eb
SSDEEP

6144:98LxBV2nA8P9tlASRzKW3Ztns1q1YcA1ticGsx7W6TknlFamGRqCKJvbi7MDhUyf:cc9t2SllJts1fnU5GvyQYve7uSU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
764	keygen.exe

Loads dropped DLL 4 IoCs

pid	Process
1552	SIR_KeyGen.exe
1552	SIR_KeyGen.exe
764	keygen.exe
764	keygen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1760	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1760	AUDIODG.EXE
Token: 33	1760	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1760	AUDIODG.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 764	1552	SIR_KeyGen.exe	27
PID 1552 wrote to memory of 764	1552	SIR_KeyGen.exe	27
PID 1552 wrote to memory of 764	1552	SIR_KeyGen.exe	27
PID 1552 wrote to memory of 764	1552	SIR_KeyGen.exe	27
PID 1932 wrote to memory of 980	1932	chrome.exe	30
PID 1932 wrote to memory of 980	1932	chrome.exe	30
PID 1932 wrote to memory of 980	1932	chrome.exe	30

C:\Users\Admin\AppData\Local\Temp\SIR_KeyGen.exe
"C:\Users\Admin\AppData\Local\Temp\SIR_KeyGen.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\keygen.exe
  C:\Users\Admin\AppData\Local\Temp\keygen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:764

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef63c9758,0x7fef63c9768,0x7fef63c9778
  2⤵
  PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BASSMOD.dll

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
C:\Users\Admin\AppData\Local\Temp\R2RSIRKG2.dll

Filesize
54KB

MD5
860ceb6259942f4c214ba91502a37f37

SHA1
e6e9c7ae2072e279c6d54d0e01c98b735f000386

SHA256
24863ef03b9e2d59a86d13cbb1cf11b71f15f27ccf991b66f9ca529cc4ad34a9

SHA512
9286aeb0535bc9aa18b4fe24e45ae159c64cf394e3dbe52a01defab079b4f46cb8b9699a402aa57e4c667ce0c642cc64ad56b9943492ccfc29edd617db65f19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgm.xm

Filesize
80KB

MD5
f9e13476c9f385fa14e7c54448f1c61d

SHA1
9a5aa237b7e74a60aa44b60f386d3470c41a1bb0

SHA256
7c59114e61b69cbe5db306741fb95b11db6fbe4f0a3cb479aecac461db61eb05

SHA512
3aa19b8f14b9bf997bcf31a2833a16c0ce189555c9fad4e90cffc72c592fd063804d973e5d2ea6201c6004617b5dc3e1e69b87050f85689115aa655cbdf5ec26

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
491KB

MD5
d28b75b09e347c90996985a656cc61a1

SHA1
45b1de4870b12e226d356fd7d3a5973968688cc2

SHA256
e43e891422899a8585b7d400cd48b96faeb75b9295cfde77ff1f0e4351a19444

SHA512
2f0bfe50336d7a40cbde6a593ed50afbe54aeb0776c06555c0f5436c08c7fc4207d770002b52acf130f39be23f98633efbf0c1bd9dc1b4e72d200008272a9583

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
491KB

MD5
d28b75b09e347c90996985a656cc61a1

SHA1
45b1de4870b12e226d356fd7d3a5973968688cc2

SHA256
e43e891422899a8585b7d400cd48b96faeb75b9295cfde77ff1f0e4351a19444

SHA512
2f0bfe50336d7a40cbde6a593ed50afbe54aeb0776c06555c0f5436c08c7fc4207d770002b52acf130f39be23f98633efbf0c1bd9dc1b4e72d200008272a9583

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
491KB

MD5
d28b75b09e347c90996985a656cc61a1

SHA1
45b1de4870b12e226d356fd7d3a5973968688cc2

SHA256
e43e891422899a8585b7d400cd48b96faeb75b9295cfde77ff1f0e4351a19444

SHA512
2f0bfe50336d7a40cbde6a593ed50afbe54aeb0776c06555c0f5436c08c7fc4207d770002b52acf130f39be23f98633efbf0c1bd9dc1b4e72d200008272a9583

Download Submit
\Users\Admin\AppData\Local\Temp\BASSMOD.dll

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
\Users\Admin\AppData\Local\Temp\R2RSIRKG2.dll

Filesize
54KB

MD5
860ceb6259942f4c214ba91502a37f37

SHA1
e6e9c7ae2072e279c6d54d0e01c98b735f000386

SHA256
24863ef03b9e2d59a86d13cbb1cf11b71f15f27ccf991b66f9ca529cc4ad34a9

SHA512
9286aeb0535bc9aa18b4fe24e45ae159c64cf394e3dbe52a01defab079b4f46cb8b9699a402aa57e4c667ce0c642cc64ad56b9943492ccfc29edd617db65f19b

Download Submit
\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
491KB

MD5
d28b75b09e347c90996985a656cc61a1

SHA1
45b1de4870b12e226d356fd7d3a5973968688cc2

SHA256
e43e891422899a8585b7d400cd48b96faeb75b9295cfde77ff1f0e4351a19444

SHA512
2f0bfe50336d7a40cbde6a593ed50afbe54aeb0776c06555c0f5436c08c7fc4207d770002b52acf130f39be23f98633efbf0c1bd9dc1b4e72d200008272a9583

Download Submit
\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
491KB

MD5
d28b75b09e347c90996985a656cc61a1

SHA1
45b1de4870b12e226d356fd7d3a5973968688cc2

SHA256
e43e891422899a8585b7d400cd48b96faeb75b9295cfde77ff1f0e4351a19444

SHA512
2f0bfe50336d7a40cbde6a593ed50afbe54aeb0776c06555c0f5436c08c7fc4207d770002b52acf130f39be23f98633efbf0c1bd9dc1b4e72d200008272a9583

Download Submit
memory/764-85-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/764-81-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/764-71-0x00000000001B0000-0x00000000001C1000-memory.dmp

Filesize
68KB

Download
memory/764-75-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/764-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/764-78-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/764-76-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/764-79-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/764-80-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/764-73-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/764-82-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/764-83-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/764-84-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/764-77-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/764-86-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/764-87-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/764-88-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download