887f65c6eb3388028daa724cf86f8bff6fc534573c70cd86abad5a586c0117c0

General

Target

keybord-delay.exe
Size

96KB
MD5

267d28aaa43bea7b2e77b04e40f5d59f
SHA1

3f6fa31ab8a6d1e0260f4c904e2e7d1785bc3669
SHA256

887f65c6eb3388028daa724cf86f8bff6fc534573c70cd86abad5a586c0117c0
SHA512

17c933559be746f5328fb8db91a590f1f1422a6b4b5de35ab66ba82ad0cc18722f3e4bc0aa72a20eaca0131c0aca4353650f7e7ca4705e5b3ec5dc2c7997dc7c
SSDEEP

1536:T7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfowqyp159yO2:P7DhdC6kzWypvaQ0FxyNTBfo9y35u

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 10 IoCs

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\TypematicDelay = "1"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "2"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\KeyboardSpeed = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\TypematicRate = "1"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\KeyboardDelay = "0"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2524 reg.exe

pid	process
2524	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

keybord-delay.execmd.exe

description	pid	process	target process
PID 2284 wrote to memory of 2960	2284	keybord-delay.exe	cmd.exe
PID 2284 wrote to memory of 2960	2284	keybord-delay.exe	cmd.exe
PID 2284 wrote to memory of 2960	2284	keybord-delay.exe	cmd.exe
PID 2284 wrote to memory of 2960	2284	keybord-delay.exe	cmd.exe
PID 2960 wrote to memory of 2760	2960	cmd.exe	cacls.exe
PID 2960 wrote to memory of 2760	2960	cmd.exe	cacls.exe
PID 2960 wrote to memory of 2760	2960	cmd.exe	cacls.exe
PID 2960 wrote to memory of 2528	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2528	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2528	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2996	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2996	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2996	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 3004	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 3004	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 3004	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2968	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2968	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2968	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2580	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2580	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2580	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2592	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2592	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2592	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2640	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2640	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2640	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2644	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2644	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2644	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2656	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2656	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2656	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2664	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2664	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2664	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2828	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2828	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2828	2960	cmd.exe	attrib.exe
PID 2960 wrote to memory of 2588	2960	cmd.exe	chcp.com
PID 2960 wrote to memory of 2588	2960	cmd.exe	chcp.com
PID 2960 wrote to memory of 2588	2960	cmd.exe	chcp.com
PID 2960 wrote to memory of 2524	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 2524	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 2524	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 2788	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 2788	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 2788	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 1636	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 1636	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 1636	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 2600	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 2600	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 2600	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 2548	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 2548	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 2548	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 2072	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 2072	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 2072	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 2672	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 2672	2960	cmd.exe	reg.exe
PID 2960 wrote to memory of 2672	2960	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 11 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
2996	attrib.exe
3004	attrib.exe
2968	attrib.exe
2580	attrib.exe
2592	attrib.exe
2640	attrib.exe
2828	attrib.exe
2528	attrib.exe
2656	attrib.exe
2664	attrib.exe
2644	attrib.exe

C:\Users\Admin\AppData\Local\Temp\keybord-delay.exe
"C:\Users\Admin\AppData\Local\Temp\keybord-delay.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\982.tmp\983.tmp\994.bat C:\Users\Admin\AppData\Local\Temp\keybord-delay.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
3⤵
PID:2760

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\982.tmp\983.tmp\994.bat"
3⤵
- Views/modifies file attributes
PID:2528

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\1f3cef86-6037-4c5d-8316-82ca2035d97f.tmp"
3⤵
- Views/modifies file attributes
PID:2996

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\4533cc06-2e77-44d1-9014-e43c9a25fe02.tmp"
3⤵
- Views/modifies file attributes
PID:3004

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Kno5D7D.tmp"
3⤵
- Views/modifies file attributes
PID:2968

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\KnoD316.tmp"
3⤵
- Views/modifies file attributes
PID:2580

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RD4A19.tmp"
3⤵
- Views/modifies file attributes
PID:2592

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RGI2138.tmp"
3⤵
- Views/modifies file attributes
PID:2640

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\RGI2138.tmp-tmp"
3⤵
- Views/modifies file attributes
PID:2644

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\982.tmp\983.tmp\995.tmp"
3⤵
- Views/modifies file attributes
PID:2656

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\scoped_dir816_1791373456\4533cc06-2e77-44d1-9014-e43c9a25fe02.tmp"
3⤵
- Views/modifies file attributes
PID:2664

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\scoped_dir816_2026301031\1f3cef86-6037-4c5d-8316-82ca2035d97f.tmp"
3⤵
- Views/modifies file attributes
PID:2828

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:2588

C:\Windows\system32\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit /v LastKey /t REG_SZ /d Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouclass\Parameters /f
3⤵
- Modifies registry key
PID:2524

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "AutoRepeatDelay" /t reg_SZ /d "200" /f
3⤵
PID:2788

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "AutoRepeatRate" /t reg_SZ /d "6" /f
3⤵
PID:1636

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "BounceTime" /t reg_SZ /d "0" /f
3⤵
PID:2600

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "DelayBeforeAcceptance" /t reg_SZ /d "0" /f
3⤵
PID:2548

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t reg_SZ /d "59" /f
3⤵
PID:2072

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Last BounceKey Setting" /t reg_DWORD /d "0" /f
3⤵
PID:2672

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Last Valid Delay" /t reg_DWORD /d "0" /f
3⤵
PID:2436

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Last Valid Repeat" /t reg_DWORD /d "0" /f
3⤵
PID:2432

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Last Valid Wait" /t reg_DWORD /d "1000" /f
3⤵
PID:2452

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Accessibility\StickyKeys" /v "Flags" /t reg_SZ /d "506" /f
3⤵
PID:2468

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t reg_SZ /d "58" /f
3⤵
PID:2500

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Accessibility\MouseKeys" /v "Flags" /t reg_SZ /d "38" /f
3⤵
PID:2512

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t reg_SZ /d "0" /f
3⤵
PID:2604

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t reg_SZ /d "0" /f
3⤵
PID:2896

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Keyboard" /v "KeyboardSpeed" /t reg_SZ /d "31" /f
3⤵
PID:2948

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_SZ /d "0" /f
3⤵
PID:2480

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Keyboard" /v "KeyboardSpeed" /t REG_SZ /d "0" /f
3⤵
PID:2916

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Keyboard" /v "TypematicDelay" /t REG_DWORD /d "1" /f
3⤵
PID:1720

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Keyboard" /v "TypematicRate" /t REG_DWORD /d "1" /f
3⤵
PID:1760

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t REG_SZ /d "2" /f
3⤵
PID:2068

C:\Windows\system32\reg.exe
Reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_SZ /d "0" /f
3⤵
- Modifies data under HKEY_USERS
PID:2396

C:\Windows\system32\reg.exe
Reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v "KeyboardSpeed" /t REG_SZ /d "0" /f
3⤵
- Modifies data under HKEY_USERS
PID:1444

C:\Windows\system32\reg.exe
Reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v "TypematicDelay" /t REG_DWORD /d "1" /f
3⤵
- Modifies data under HKEY_USERS
PID:1312

C:\Windows\system32\reg.exe
Reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v "TypematicRate" /t REG_DWORD /d "1" /f
3⤵
- Modifies data under HKEY_USERS
PID:1236

C:\Windows\system32\reg.exe
Reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v "InitialKeyboardIndicators" /t REG_SZ /d "2" /f
3⤵
- Modifies data under HKEY_USERS
PID:1216

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters" /v "KeyboardDataQueueSize" /t REG_DWORD /d "22" /f
3⤵
PID:1132

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Accessibility\Keyboard Preference" /v "On" /t REG_SZ /d "1" /f
3⤵
PID:1128

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters" /v "CrashOnCtrlScroll" /t REG_DWORD /d "1" /f
3⤵
PID:1360

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters" /v "CrashOnCtrlScroll" /t REG_DWORD /d "1" /f
3⤵
PID:1160

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "KeyboardSpeed" /t REG_DWORD /d "0" /f
3⤵
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\982.tmp\983.tmp\994.bat

Filesize
5KB

MD5
e7aec4d5923484d58a0ce39d5fe06821

SHA1
42ef26e0df2b35ef9785024ccdd8e480d9f8fcfb

SHA256
543d731315c946dd528ad823a318bd824258392d136d6b3aafbe6b2ed51ad884

SHA512
2ba731e8120bdc7f7bee610d297be76622bbf013347de576342441dcd525daa00d5ae9a201d55a79c2f9bc82db316fdda8be3cacadec072fb41a54f0fd63f3e0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads