bafbd9e8c5250de208ad3f088aabaf6659ee07ffa65f997e5f5a977f2a02d213

Analysis

max time kernel
148s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KeeperRL.v2023.09.20/KeeperRL.v2023.09.20/keeper.exe
Size

263.1MB
MD5

ce04ce14bda84792dbe5857743b0641a
SHA1

b3029481dcf48a130f391899ffe287b6cc63a65b
SHA256

4429294729fe8a1017df229330d10bd86e7cec1d975619db754773d401d3fa0d
SHA512

d76a53f86051d8b02a153a2f43cbd127437d72737abce850f47b484aee8acb33c985fe92b002c96c482e6b9c8905b8c5f81c1f37c0ec44e4fd3ce695d24d0b2a
SSDEEP

1572864:9OajZ7BkIZ8IqcENrc/HA9BXK2mu63l4dR:LsJ3fKu6V4dR

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
876	keeper.exe
876	keeper.exe
4272	curl.exe
4272	curl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1368	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1368	AUDIODG.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 4360	876	keeper.exe	88
PID 876 wrote to memory of 4360	876	keeper.exe	88
PID 4360 wrote to memory of 808	4360	cmd.exe	90
PID 4360 wrote to memory of 808	4360	cmd.exe	90
PID 4360 wrote to memory of 4272	4360	cmd.exe	95
PID 4360 wrote to memory of 4272	4360	cmd.exe	95
PID 4360 wrote to memory of 4272	4360	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\KeeperRL.v2023.09.20\KeeperRL.v2023.09.20\keeper.exe
"C:\Users\Admin\AppData\Local\Temp\KeeperRL.v2023.09.20\KeeperRL.v2023.09.20\keeper.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c rungdb.bat "2df6c-dirty 2023-09-20"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Users\Admin\AppData\Local\Temp\KeeperRL.v2023.09.20\KeeperRL.v2023.09.20\gdb.exe
    gdb.exe -batch -x gdb_input.txt keeper.exe KeeperRL.dmp
    3⤵
    PID:808
- - C:\Users\Admin\AppData\Local\Temp\KeeperRL.v2023.09.20\KeeperRL.v2023.09.20\curl.exe
    curl.exe --progress-bar -F "[email protected]" http://209.208.78.54/~michal/upload_stacktrace.php
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4272

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2dc 0x4a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KeeperRL.v2023.09.20\KeeperRL.v2023.09.20\KeeperRL.dmp

Filesize
1.6MB

MD5
b029da69be0266339cb1458a0a1602ab

SHA1
c3d3db59faa72098c2b5a0b49930938b65c7fb88

SHA256
d63c82e577e141f0a94741a0ec1543599a08083f8f95277539339065ace74971

SHA512
070173a2d6cf4754b2a33b04a97fec8092adff9687e81850a452cf3ae6da6207ac8449bcbf4b0f3483861d276828504dc5bd75090863a8575b9e1ba3ad895d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeeperRL.v2023.09.20\KeeperRL.v2023.09.20\installId.txt

Filesize
8B

MD5
958e32443098de185f33baf22e9439fd

SHA1
1fb62f69afcd64be4ebb1965125a32e56d39e866

SHA256
f6169e9a7edd6ae4ed97a13c2ffda35b43b14886bd56e0c308fb288fa9472a9a

SHA512
79cdbf6cb6aec01ce48c4e14afcb1e4fafb83b9f01e5e12e386a95b0e9d9615a1f52fca3109a178dc02fdeb56dfab9d636f07cd0cebf6625f9b88b5d11d3e1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeeperRL.v2023.09.20\KeeperRL.v2023.09.20\report.txt

Filesize
17KB

MD5
4ffffa7fb8200e98d9c99e96d543ebbc

SHA1
b5649a8d32c8998b98ee46a2a8823105bec36c9b

SHA256
6d9eb766424c2838d144b64fbaae542ce99d471cb556cd1301f78801184c9775

SHA512
1c4dec207ea8535fb39f64468888bbd9c9f1c6542dfc7cddcde69237fb9b15127b01ecad292f94e82fc54acce1af8305c1fcb82e7e9829c171494b06c0c46599

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeeperRL.v2023.09.20\KeeperRL.v2023.09.20\stacktrace.out

Filesize
57B

MD5
2c43094682ec47cd82a01a969687cd13

SHA1
58db3821f8cfed2138e1113e56c90bd4eb7479ef

SHA256
b5685132555501e1919e2a65b120e81b93d1a12c83413a2a378b16952a357bba

SHA512
a39e746e080d8f68d8adef83adec4bf3d0c054184b6df3399db4ee0b5c3943f78d736d1a5336da68c8c98f33c202e7eba43a24b00d812078e15bf74f7d7e929a

Download Submit
memory/808-30-0x0000000000400000-0x0000000000CE5000-memory.dmp

Filesize
8.9MB

Download
memory/876-24-0x00000000653C0000-0x00000000658BD000-memory.dmp

Filesize
5.0MB

Download
memory/876-28-0x0000000061940000-0x0000000061C6E000-memory.dmp

Filesize
3.2MB

Download
memory/876-12-0x0000000065B40000-0x0000000065B77000-memory.dmp

Filesize
220KB

Download
memory/876-11-0x000000006D540000-0x000000006D59A000-memory.dmp

Filesize
360KB

Download
memory/876-14-0x000000006B3C0000-0x000000006B3E6000-memory.dmp

Filesize
152KB

Download
memory/876-16-0x0000000063D00000-0x0000000063D7F000-memory.dmp

Filesize
508KB

Download
memory/876-18-0x0000000063B40000-0x0000000063B9F000-memory.dmp

Filesize
380KB

Download
memory/876-20-0x0000000069A00000-0x0000000069B5D000-memory.dmp

Filesize
1.4MB

Download
memory/876-22-0x0000000061CC0000-0x0000000061D2D000-memory.dmp

Filesize
436KB

Download
memory/876-0-0x00000000008F0000-0x00000000009C4000-memory.dmp

Filesize
848KB

Download
memory/876-25-0x0000000066000000-0x000000006618F000-memory.dmp

Filesize
1.6MB

Download
memory/876-26-0x000000006B280000-0x000000006B356000-memory.dmp

Filesize
856KB

Download
memory/876-27-0x00000000649C0000-0x0000000064E18000-memory.dmp

Filesize
4.3MB

Download
memory/876-10-0x00007FFBDA3D0000-0x00007FFBDA3EC000-memory.dmp

Filesize
112KB

Download
memory/876-29-0x00000000008F0000-0x00000000009C4000-memory.dmp

Filesize
848KB

Download
memory/876-23-0x0000000068B40000-0x0000000068C6D000-memory.dmp

Filesize
1.2MB

Download
memory/876-21-0x0000000068EC0000-0x0000000069088000-memory.dmp

Filesize
1.8MB

Download
memory/876-19-0x000000006F600000-0x000000006F797000-memory.dmp

Filesize
1.6MB

Download
memory/876-17-0x00007FFBCAAB0000-0x00007FFBCAC87000-memory.dmp

Filesize
1.8MB

Download
memory/876-15-0x0000000062E80000-0x0000000062EAA000-memory.dmp

Filesize
168KB

Download
memory/876-13-0x00007FFBDA330000-0x00007FFBDA3C8000-memory.dmp

Filesize
608KB

Download
memory/876-9-0x0000000070680000-0x00000000706AC000-memory.dmp

Filesize
176KB

Download
memory/876-7-0x0000000070800000-0x0000000070894000-memory.dmp

Filesize
592KB

Download
memory/876-8-0x000000006A880000-0x000000006A930000-memory.dmp

Filesize
704KB

Download
memory/876-6-0x000000005FEA0000-0x0000000060783000-memory.dmp

Filesize
8.9MB

Download
memory/876-5-0x000000006B600000-0x000000006B734000-memory.dmp

Filesize
1.2MB

Download