d52b5275d5876aa7de35a894c4dbbb3fc254ba7fde72da94ace7118792cebb2c

Resubmissions

16-07-2023 05:08

230716-fsz7bade5s 7

16-07-2023 05:05

230716-fq1p3ade41 7

Analysis

max time kernel
74s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2023 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

keygen/kg.exe
Size

274KB
MD5

3b4d64258593a36db824dd09394fd7bc
SHA1

52838b9dd2dfc6bde5fb26b4832c1572f838dd05
SHA256

bd281b3bf4c15e41f8b40b4259babdc7279d02eae5e3136b388c3ed02092c74e
SHA512

2df872dd784c582090df34f42f71bd1a8864f7a8ee0042b37182176c6a95e6d28f615bf4b7162f38473be0078230d2be420259894b981e1699de9802dbfc8e52
SSDEEP

6144:CAqimqS3lEL7YpAJ5I+b6DuMsfuqaeiSp5dwO1WfF5c8PoSt:zqiI2L73PbKvSiSAFF5roS

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/432-133-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/432-135-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/432-136-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/432-138-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/432-139-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/432-140-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/432-141-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/432-142-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/432-143-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/432-144-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/432-145-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/432-146-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/432-147-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/432-148-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/432-149-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/432-150-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Runs regedit.exe 1 IoCs

pid	Process
4724	regedit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4724	regedit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4864	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4864	AUDIODG.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\keygen\kg.exe
"C:\Users\Admin\AppData\Local\Temp\keygen\kg.exe"
1⤵
PID:432

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b4 0x2cc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4780

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:4724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/432-133-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/432-134-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/432-135-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/432-136-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/432-137-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/432-138-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/432-139-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/432-140-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/432-141-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/432-142-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/432-143-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/432-144-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/432-145-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/432-146-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/432-147-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/432-148-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/432-149-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/432-150-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download