Overview

overview

7

Static

static

3

SIR_KeyGen.exe

windows7-x64

7

SIR_KeyGen.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    115s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2023 06:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SIR_KeyGen.exe

  • Size

    460KB

  • MD5

    11c9fd0206d5e4804882d32d75af679d

  • SHA1

    8247508f0d8b3942a3e4e937e78e6667d0dc5eeb

  • SHA256

    e5338f0d9bdf9e098fe24121ff9d06c6eeadfea7c29d1ddd6883449e2d4b2d65

  • SHA512

    e0b56ae29bffe9ac169b2f9bb7e88c111995f6cf38ec06b27ba65e817d0c270768d955bb033cdf473703d2f74710e7628a209bc9ec8e4ab08bca0477bfd0a6eb

  • SSDEEP

    6144:98LxBV2nA8P9tlASRzKW3Ztns1q1YcA1ticGsx7W6TknlFamGRqCKJvbi7MDhUyf:cc9t2SllJts1fnU5GvyQYve7uSU

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SIR_KeyGen.exe
    "C:\Users\Admin\AppData\Local\Temp\SIR_KeyGen.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Users\Admin\AppData\Local\Temp\keygen.exe
      C:\Users\Admin\AppData\Local\Temp\keygen.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      PID:1332
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x3f4 0x2b4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1344
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SubmitSkip.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:4312

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BASSMOD.dll
    Filesize

    33KB

    MD5

    e4ec57e8508c5c4040383ebe6d367928

    SHA1

    b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

    SHA256

    8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

    SHA512

    77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\BASSMOD.dll
    Filesize

    33KB

    MD5

    e4ec57e8508c5c4040383ebe6d367928

    SHA1

    b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

    SHA256

    8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

    SHA512

    77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\R2RSIRKG2.dll
    Filesize

    54KB

    MD5

    860ceb6259942f4c214ba91502a37f37

    SHA1

    e6e9c7ae2072e279c6d54d0e01c98b735f000386

    SHA256

    24863ef03b9e2d59a86d13cbb1cf11b71f15f27ccf991b66f9ca529cc4ad34a9

    SHA512

    9286aeb0535bc9aa18b4fe24e45ae159c64cf394e3dbe52a01defab079b4f46cb8b9699a402aa57e4c667ce0c642cc64ad56b9943492ccfc29edd617db65f19b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\R2RSIRKG2.dll
    Filesize

    54KB

    MD5

    860ceb6259942f4c214ba91502a37f37

    SHA1

    e6e9c7ae2072e279c6d54d0e01c98b735f000386

    SHA256

    24863ef03b9e2d59a86d13cbb1cf11b71f15f27ccf991b66f9ca529cc4ad34a9

    SHA512

    9286aeb0535bc9aa18b4fe24e45ae159c64cf394e3dbe52a01defab079b4f46cb8b9699a402aa57e4c667ce0c642cc64ad56b9943492ccfc29edd617db65f19b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\R2RSIRKG2.dll
    Filesize

    54KB

    MD5

    860ceb6259942f4c214ba91502a37f37

    SHA1

    e6e9c7ae2072e279c6d54d0e01c98b735f000386

    SHA256

    24863ef03b9e2d59a86d13cbb1cf11b71f15f27ccf991b66f9ca529cc4ad34a9

    SHA512

    9286aeb0535bc9aa18b4fe24e45ae159c64cf394e3dbe52a01defab079b4f46cb8b9699a402aa57e4c667ce0c642cc64ad56b9943492ccfc29edd617db65f19b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\bgm.xm
    Filesize

    80KB

    MD5

    f9e13476c9f385fa14e7c54448f1c61d

    SHA1

    9a5aa237b7e74a60aa44b60f386d3470c41a1bb0

    SHA256

    7c59114e61b69cbe5db306741fb95b11db6fbe4f0a3cb479aecac461db61eb05

    SHA512

    3aa19b8f14b9bf997bcf31a2833a16c0ce189555c9fad4e90cffc72c592fd063804d973e5d2ea6201c6004617b5dc3e1e69b87050f85689115aa655cbdf5ec26

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\keygen.exe
    Filesize

    491KB

    MD5

    d28b75b09e347c90996985a656cc61a1

    SHA1

    45b1de4870b12e226d356fd7d3a5973968688cc2

    SHA256

    e43e891422899a8585b7d400cd48b96faeb75b9295cfde77ff1f0e4351a19444

    SHA512

    2f0bfe50336d7a40cbde6a593ed50afbe54aeb0776c06555c0f5436c08c7fc4207d770002b52acf130f39be23f98633efbf0c1bd9dc1b4e72d200008272a9583

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\keygen.exe
    Filesize

    491KB

    MD5

    d28b75b09e347c90996985a656cc61a1

    SHA1

    45b1de4870b12e226d356fd7d3a5973968688cc2

    SHA256

    e43e891422899a8585b7d400cd48b96faeb75b9295cfde77ff1f0e4351a19444

    SHA512

    2f0bfe50336d7a40cbde6a593ed50afbe54aeb0776c06555c0f5436c08c7fc4207d770002b52acf130f39be23f98633efbf0c1bd9dc1b4e72d200008272a9583

    Download Submit

  • memory/1332-153-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1332-154-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1332-146-0x0000000000A00000-0x0000000000A11000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1332-150-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1332-151-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1332-152-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1332-140-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1332-148-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1332-155-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1332-156-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1332-157-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1332-158-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1332-159-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1332-160-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1332-161-0x0000000010000000-0x0000000010013000-memory.dmp

    Filesize

    76KB

    Download