594cc84501df037599cca2203104a63aaf4fcafd8f5b54fef875bd4c0df0285f

Analysis

max time kernel
310s
max time network
308s
platform
windows10-2004_x64
resource
win10v2004-20231215-es
resource tags

arch:x64arch:x86image:win10v2004-20231215-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
09-04-2024 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XForce Keygen x64.rar
Size

325KB
MD5

9f7d5294f598a9d7b3425bfb9719412d
SHA1

901cdb3dcf69a89e1afea5ab3f8ded0aaf7a5f89
SHA256

594cc84501df037599cca2203104a63aaf4fcafd8f5b54fef875bd4c0df0285f
SHA512

32df50f1657d824ed581cdad306febf38618c8a70625449cec96a020567b99efe336ac1725d0a7c647e6bb12b452439184d24dc35c257b9ca40419c75aa0cf7e
SSDEEP

6144:7IeESiP1BD34QIe9S0FSa8TO6HHQsu8bt990fTqCnNsdbqBUmKMoQbmlsuwi:7IeENT34QIQSJy6V3SfTd6bqBUmKjQbG

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2688	Keygen.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023213-4.dat	upx
behavioral2/memory/2688-5-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/2688-9-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/2688-10-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/2688-11-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/2688-13-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/2688-14-0x0000000000400000-0x00000000004D0000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4148	7zFM.exe
Token: 35	4148	7zFM.exe
Token: SeSecurityPrivilege	4148	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4148	7zFM.exe
4148	7zFM.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 4148	1056	cmd.exe	86
PID 1056 wrote to memory of 4148	1056	cmd.exe	86

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\XForce Keygen x64.rar"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XForce Keygen x64.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4616

C:\Users\Admin\Desktop\CorelDRAW_Graphics_Suite_X6_fix\Keygen.exe
"C:\Users\Admin\Desktop\CorelDRAW_Graphics_Suite_X6_fix\Keygen.exe"
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Password 123.txt
1⤵
PID:5884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\CorelDRAW_Graphics_Suite_X6_fix\Keygen.exe

Filesize
377KB

MD5
ba3021b4002a06eb3ab8a9f51bef3607

SHA1
ae637dda8a6b20ab7490c189d3658a77c482e8f5

SHA256
f2110d88c3bdafea0c44cdecf00863fcc4da9874d0676ab89034e53331bf89f9

SHA512
7f02235b90e04c0697b852bd79dcf2fea221f42cc98c1bb476441e0c2956999a686d9f1564d29dfbb807f28b7ca4c3357854315a95ecdf1947e85b1829c8651f

Download Submit
C:\Users\Admin\Desktop\Password 123.txt

Filesize
59B

MD5
25bc3ce38f72e50f587ac765281b5e79

SHA1
97325d27dc69e7078685d67a5f82fc7230065120

SHA256
234875ec94a5d6cbd7c2bd087b6b40ef312e01f38ffc248e00b7e838e6b6d74f

SHA512
a4635ad7685d521c4f32f60992d9d13195730da9ca26d09f12676813928c64f2e3c48d753d89b8a0535fbfd06001bbcbca0e9598776c2c36b56df2e8aedafe3e

Download Submit
memory/2688-5-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2688-7-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2688-9-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2688-10-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2688-11-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2688-12-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2688-13-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2688-14-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download