30b50c9a1de2f21ef1eb78f18695bcb0f3989fff880a4872a3be3458d5f73433

General

Target

Mocha.Telnet.v3.2.XScale.Smartphone200x.Incl.Keygen-SyMPDA/Keygen.exe
Size

473KB
MD5

18941095bbf897e1880bdd77f1f50c2b
SHA1

d44eb8f9d83828372106e88858fcf67becb81ab0
SHA256

73b232df35f94e6b31052a33e2a14fc57e353928fadd30b1292b6823c8595ed5
SHA512

d93e76d777dae2845750fd297f14336c20caecbbb7366f06e5fa5a06292e7a75d8e9893b8a448b28435c166cafb7ebdc6ca4cdb7020279029e24c85d6a0cddda
SSDEEP

6144:hJaiaZTY1DAA5Nw6dWW+18gVVZKtHdvYG5F8D4qpAH2sxJag/gwHgNU:JaZTYGA5Nw6odVyRYK2D4rV5HgU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2664	setup_m.exe
2528	setup.exe
2532	winlogon.exe

Loads dropped DLL 6 IoCs

pid	Process
1808	Keygen.exe
1808	Keygen.exe
1808	Keygen.exe
2664	setup_m.exe
2664	setup_m.exe
2664	setup_m.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\winlogon.exe"	winlogon.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fmod.dll	setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\winlogon.exe	setup_m.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2916	dw20.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2532	winlogon.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2664	1808	Keygen.exe	28
PID 1808 wrote to memory of 2664	1808	Keygen.exe	28
PID 1808 wrote to memory of 2664	1808	Keygen.exe	28
PID 1808 wrote to memory of 2664	1808	Keygen.exe	28
PID 1808 wrote to memory of 2664	1808	Keygen.exe	28
PID 1808 wrote to memory of 2664	1808	Keygen.exe	28
PID 1808 wrote to memory of 2664	1808	Keygen.exe	28
PID 1808 wrote to memory of 2528	1808	Keygen.exe	29
PID 1808 wrote to memory of 2528	1808	Keygen.exe	29
PID 1808 wrote to memory of 2528	1808	Keygen.exe	29
PID 1808 wrote to memory of 2528	1808	Keygen.exe	29
PID 2664 wrote to memory of 2532	2664	setup_m.exe	30
PID 2664 wrote to memory of 2532	2664	setup_m.exe	30
PID 2664 wrote to memory of 2532	2664	setup_m.exe	30
PID 2664 wrote to memory of 2532	2664	setup_m.exe	30
PID 2664 wrote to memory of 2532	2664	setup_m.exe	30
PID 2664 wrote to memory of 2532	2664	setup_m.exe	30
PID 2664 wrote to memory of 2532	2664	setup_m.exe	30
PID 2528 wrote to memory of 2916	2528	setup.exe	31
PID 2528 wrote to memory of 2916	2528	setup.exe	31
PID 2528 wrote to memory of 2916	2528	setup.exe	31

C:\Users\Admin\AppData\Local\Temp\Mocha.Telnet.v3.2.XScale.Smartphone200x.Incl.Keygen-SyMPDA\Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Mocha.Telnet.v3.2.XScale.Smartphone200x.Incl.Keygen-SyMPDA\Keygen.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\setup_m.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_m.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\winlogon.exe
    C:\Windows\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:2532
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 648
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
268KB

MD5
de766c83c2ad4769622bc890201d3006

SHA1
1ed22427a79cd039e53a28f8d2c7499c1ef413f7

SHA256
039c40cad38397190a15e5817e73725586926893423f0c5a35056498371e60e3

SHA512
4041184371a9c1bb5d5af93b68ddea1aa94edc61aeb6010539ae02f1420c8b0d651f5139b9fb6927efaef837a041c4792556ce4f85ceae452c964bb5fe7bfacd

Download Submit
\Users\Admin\AppData\Local\Temp\setup_m.exe

Filesize
200KB

MD5
292a5adf25ddf66b98616243fdd11ed7

SHA1
b8de129bbed53d5de11c84a63f4d5b9602846a15

SHA256
45ae78216e5c0339848bc101dc18ad41f23e6cb673bdf0f26f4558342343901c

SHA512
67983db229d54958362f1d320f08d375911da5d68f1961c55613294f36295f20a2ec523b3d189c88bef198970a79f98fae76b26de37ad26c1190e702f4b97171

Download Submit
memory/1808-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1808-5-0x0000000002690000-0x000000000272A000-memory.dmp

Filesize
616KB

Download
memory/1808-18-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2528-48-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-46-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download
memory/2528-25-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download
memory/2528-50-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download
memory/2528-49-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download
memory/2528-28-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-23-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2528-52-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download
memory/2528-47-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download
memory/2528-38-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download
memory/2528-39-0x000000001B080000-0x000000001B0C0000-memory.dmp

Filesize
256KB

Download
memory/2528-40-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download
memory/2528-44-0x0000000001E70000-0x0000000001EF0000-memory.dmp

Filesize
512KB

Download
memory/2528-45-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2532-37-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2664-35-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2664-36-0x0000000002310000-0x00000000023AA000-memory.dmp

Filesize
616KB

Download
memory/2664-27-0x0000000000310000-0x00000000003AA000-memory.dmp

Filesize
616KB

Download
memory/2664-26-0x0000000000310000-0x00000000003AA000-memory.dmp

Filesize
616KB

Download
memory/2664-24-0x0000000000310000-0x00000000003AA000-memory.dmp

Filesize
616KB

Download
memory/2916-51-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads