bafbd9e8c5250de208ad3f088aabaf6659ee07ffa65f997e5f5a977f2a02d213

Analysis

max time kernel
121s
max time network
132s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
18-02-2024 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KeeperRL.v2023.09.20/KeeperRL.v2023.09.20/keeper.exe
Size

263.1MB
MD5

ce04ce14bda84792dbe5857743b0641a
SHA1

b3029481dcf48a130f391899ffe287b6cc63a65b
SHA256

4429294729fe8a1017df229330d10bd86e7cec1d975619db754773d401d3fa0d
SHA512

d76a53f86051d8b02a153a2f43cbd127437d72737abce850f47b484aee8acb33c985fe92b002c96c482e6b9c8905b8c5f81c1f37c0ec44e4fd3ce695d24d0b2a
SSDEEP

1572864:9OajZ7BkIZ8IqcENrc/HA9BXK2mu63l4dR:LsJ3fKu6V4dR

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1944	curl.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2420	keeper.exe
2420	keeper.exe
2420	keeper.exe
2420	keeper.exe
2420	keeper.exe
2420	keeper.exe
1944	curl.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2420	keeper.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2664	2420	keeper.exe	28
PID 2420 wrote to memory of 2664	2420	keeper.exe	28
PID 2420 wrote to memory of 2664	2420	keeper.exe	28
PID 2664 wrote to memory of 2600	2664	cmd.exe	30
PID 2664 wrote to memory of 2600	2664	cmd.exe	30
PID 2664 wrote to memory of 2600	2664	cmd.exe	30
PID 2664 wrote to memory of 1944	2664	cmd.exe	33
PID 2664 wrote to memory of 1944	2664	cmd.exe	33
PID 2664 wrote to memory of 1944	2664	cmd.exe	33
PID 2664 wrote to memory of 1944	2664	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\KeeperRL.v2023.09.20\KeeperRL.v2023.09.20\keeper.exe
"C:\Users\Admin\AppData\Local\Temp\KeeperRL.v2023.09.20\KeeperRL.v2023.09.20\keeper.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rungdb.bat "2df6c-dirty 2023-09-20"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\KeeperRL.v2023.09.20\KeeperRL.v2023.09.20\gdb.exe
    gdb.exe -batch -x gdb_input.txt keeper.exe KeeperRL.dmp
    3⤵
    PID:2600
- - C:\Users\Admin\AppData\Local\Temp\KeeperRL.v2023.09.20\KeeperRL.v2023.09.20\curl.exe
    curl.exe --progress-bar -F "[email protected]" http://209.208.78.54/~michal/upload_stacktrace.php
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    PID:1944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KeeperRL.v2023.09.20\KeeperRL.v2023.09.20\KeeperRL.dmp

Filesize
1.8MB

MD5
59f99364d98b477572b7d96524fcd1e5

SHA1
bda575943310ea421ee17447ecbeaa8a48c0497c

SHA256
086403c31e7cc106370c38b2f8b549f5d55f8fdf3631b398b894e1e2e9169964

SHA512
7014c261295a3145d67b5c7dca6fa50b65bd43d953daa2f571f7bb19c780a98bd4aa2f45fffff7590d5e66998cbc5af98f9c79a8c68b6f50051e3b5d3bcd54e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeeperRL.v2023.09.20\KeeperRL.v2023.09.20\installId.txt

Filesize
8B

MD5
0730a9c22ead89774e59c8a1d647de4f

SHA1
a37a62c8f9d86a5298a0c7d8b9171b3726cda723

SHA256
7738b94e2b34fd66ed4d79880d04876fcd484e6874db8009a08e6278df26b789

SHA512
3613fba7cbca4bf1973d7009d3a1093acf83c0b968d67e871d45ad5f7cde20aa8a3f0a5b8235749467d673716ef2dbf14295111ac403511c3b220567f0d91089

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeeperRL.v2023.09.20\KeeperRL.v2023.09.20\report.txt

Filesize
18KB

MD5
3c196d74ac096febc90789268ebe9873

SHA1
1d5e0d399cb74b0f6f3ad5824626cde718de39d0

SHA256
99e8fdb50c2e98b7473b55e97a91a9382b6e2f1b9d1c332a325c75aaa5b4a48f

SHA512
632569f07431fb34cffaf91b9f149849c6b83563e4f2770f431f0c87e5f279270a52c216bdf9540958fe4bbda2f24e2d64da1a6d690aff53489f74c3477fb333

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeeperRL.v2023.09.20\KeeperRL.v2023.09.20\stacktrace.out

Filesize
57B

MD5
2c43094682ec47cd82a01a969687cd13

SHA1
58db3821f8cfed2138e1113e56c90bd4eb7479ef

SHA256
b5685132555501e1919e2a65b120e81b93d1a12c83413a2a378b16952a357bba

SHA512
a39e746e080d8f68d8adef83adec4bf3d0c054184b6df3399db4ee0b5c3943f78d736d1a5336da68c8c98f33c202e7eba43a24b00d812078e15bf74f7d7e929a

Download Submit
memory/2420-18-0x0000000066000000-0x000000006618F000-memory.dmp

Filesize
1.6MB

Download
memory/2420-21-0x0000000063B40000-0x0000000063B9F000-memory.dmp

Filesize
380KB

Download
memory/2420-10-0x0000000068B40000-0x0000000068C6D000-memory.dmp

Filesize
1.2MB

Download
memory/2420-11-0x0000000062E80000-0x0000000062EAA000-memory.dmp

Filesize
168KB

Download
memory/2420-12-0x0000000068EC0000-0x0000000069088000-memory.dmp

Filesize
1.8MB

Download
memory/2420-13-0x0000000063CC0000-0x0000000063D94000-memory.dmp

Filesize
848KB

Download
memory/2420-14-0x0000000061940000-0x0000000061C6E000-memory.dmp

Filesize
3.2MB

Download
memory/2420-15-0x0000000070800000-0x0000000070894000-memory.dmp

Filesize
592KB

Download
memory/2420-16-0x00000000002E0000-0x000000000035F000-memory.dmp

Filesize
508KB

Download
memory/2420-17-0x0000000061CC0000-0x0000000061D2D000-memory.dmp

Filesize
436KB

Download
memory/2420-8-0x000000006A880000-0x000000006A930000-memory.dmp

Filesize
704KB

Download
memory/2420-19-0x00000000649C0000-0x0000000064E18000-memory.dmp

Filesize
4.3MB

Download
memory/2420-20-0x000007FEFB650000-0x000007FEFB66C000-memory.dmp

Filesize
112KB

Download
memory/2420-9-0x0000000069A00000-0x0000000069B5D000-memory.dmp

Filesize
1.4MB

Download
memory/2420-22-0x00000000653C0000-0x00000000658BD000-memory.dmp

Filesize
5.0MB

Download
memory/2420-23-0x000000006B280000-0x000000006B356000-memory.dmp

Filesize
856KB

Download
memory/2420-24-0x0000000070680000-0x00000000706AC000-memory.dmp

Filesize
176KB

Download
memory/2420-25-0x0000000065B40000-0x0000000065B77000-memory.dmp

Filesize
220KB

Download
memory/2420-26-0x000000006D540000-0x000000006D59A000-memory.dmp

Filesize
360KB

Download
memory/2420-28-0x000007FEF5B90000-0x000007FEF5C28000-memory.dmp

Filesize
608KB

Download
memory/2420-27-0x000000006B3C0000-0x000000006B3E6000-memory.dmp

Filesize
152KB

Download
memory/2420-29-0x000007FEF59B0000-0x000007FEF5B87000-memory.dmp

Filesize
1.8MB

Download
memory/2420-5-0x000000006B600000-0x000000006B734000-memory.dmp

Filesize
1.2MB

Download
memory/2420-6-0x0000000074150000-0x0000000074A33000-memory.dmp

Filesize
8.9MB

Download
memory/2420-7-0x000000006F600000-0x000000006F797000-memory.dmp

Filesize
1.6MB

Download
memory/2600-56-0x0000000000400000-0x0000000000CE5000-memory.dmp

Filesize
8.9MB

Download
memory/2600-30-0x0000000000400000-0x0000000000CE5000-memory.dmp

Filesize
8.9MB

Download