30b50c9a1de2f21ef1eb78f18695bcb0f3989fff880a4872a3be3458d5f73433

General

Target

Mocha.Telnet.v3.2.XScale.Smartphone200x.Incl.Keygen-SyMPDA/Keygen.exe
Size

473KB
MD5

18941095bbf897e1880bdd77f1f50c2b
SHA1

d44eb8f9d83828372106e88858fcf67becb81ab0
SHA256

73b232df35f94e6b31052a33e2a14fc57e353928fadd30b1292b6823c8595ed5
SHA512

d93e76d777dae2845750fd297f14336c20caecbbb7366f06e5fa5a06292e7a75d8e9893b8a448b28435c166cafb7ebdc6ca4cdb7020279029e24c85d6a0cddda
SSDEEP

6144:hJaiaZTY1DAA5Nw6dWW+18gVVZKtHdvYG5F8D4qpAH2sxJag/gwHgNU:JaZTYGA5Nw6odVyRYK2D4rV5HgU

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	Keygen.exe

Executes dropped EXE 3 IoCs

pid	Process
1408	setup_m.exe
4272	setup.exe
2084	winlogon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\winlogon.exe"	winlogon.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	setup.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fmod.dll	setup.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	setup.exe
File created	C:\Windows\winlogon.exe	setup_m.exe
File opened for modification	C:\Windows\assembly	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2084	winlogon.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 1408	348	Keygen.exe	88
PID 348 wrote to memory of 1408	348	Keygen.exe	88
PID 348 wrote to memory of 1408	348	Keygen.exe	88
PID 348 wrote to memory of 4272	348	Keygen.exe	89
PID 348 wrote to memory of 4272	348	Keygen.exe	89
PID 1408 wrote to memory of 2084	1408	setup_m.exe	91
PID 1408 wrote to memory of 2084	1408	setup_m.exe	91
PID 1408 wrote to memory of 2084	1408	setup_m.exe	91

C:\Users\Admin\AppData\Local\Temp\Mocha.Telnet.v3.2.XScale.Smartphone200x.Incl.Keygen-SyMPDA\Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Mocha.Telnet.v3.2.XScale.Smartphone200x.Incl.Keygen-SyMPDA\Keygen.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:348
- C:\Users\Admin\AppData\Local\Temp\setup_m.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_m.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\winlogon.exe
    C:\Windows\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:2084
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
268KB

MD5
de766c83c2ad4769622bc890201d3006

SHA1
1ed22427a79cd039e53a28f8d2c7499c1ef413f7

SHA256
039c40cad38397190a15e5817e73725586926893423f0c5a35056498371e60e3

SHA512
4041184371a9c1bb5d5af93b68ddea1aa94edc61aeb6010539ae02f1420c8b0d651f5139b9fb6927efaef837a041c4792556ce4f85ceae452c964bb5fe7bfacd

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_m.exe

Filesize
200KB

MD5
292a5adf25ddf66b98616243fdd11ed7

SHA1
b8de129bbed53d5de11c84a63f4d5b9602846a15

SHA256
45ae78216e5c0339848bc101dc18ad41f23e6cb673bdf0f26f4558342343901c

SHA512
67983db229d54958362f1d320f08d375911da5d68f1961c55613294f36295f20a2ec523b3d189c88bef198970a79f98fae76b26de37ad26c1190e702f4b97171

Download Submit
memory/348-21-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/348-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1408-32-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1408-16-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2084-33-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4272-24-0x000000001BC00000-0x000000001C0CE000-memory.dmp

Filesize
4.8MB

Download
memory/4272-39-0x000000001CE60000-0x000000001CF06000-memory.dmp

Filesize
664KB

Download
memory/4272-26-0x00007FFDB2B40000-0x00007FFDB34E1000-memory.dmp

Filesize
9.6MB

Download
memory/4272-27-0x0000000001190000-0x0000000001198000-memory.dmp

Filesize
32KB

Download
memory/4272-23-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/4272-22-0x00007FFDB2B40000-0x00007FFDB34E1000-memory.dmp

Filesize
9.6MB

Download
memory/4272-34-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/4272-35-0x000000001EA80000-0x000000001EAC0000-memory.dmp

Filesize
256KB

Download
memory/4272-38-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/4272-25-0x000000001C170000-0x000000001C20C000-memory.dmp

Filesize
624KB

Download
memory/4272-43-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/4272-44-0x00007FFDB2B40000-0x00007FFDB34E1000-memory.dmp

Filesize
9.6MB

Download
memory/4272-45-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/4272-46-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/4272-47-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/4272-48-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/4272-49-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads