152ed75bb4b87c3830c6b353a2bf84cb6a4ea1ff9450207a7ccf07d0e1c633da

Analysis

max time kernel
67s
max time network
22s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
13-07-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IK_Multimedia_Keygen.exe
Size

432KB
MD5

f9951fb657998fc97adf46d1b1c4091d
SHA1

8b09c07867f1fce07e879dbc90b440ce0831b5cb
SHA256

152ed75bb4b87c3830c6b353a2bf84cb6a4ea1ff9450207a7ccf07d0e1c633da
SHA512

9a47140b30df8a0f850cd57127c0508762e1c54f48dae78f9ab99ab8418cd0489aa8ab78dcd642343f1f8ff2b32a4842eb001a37960d73de021368175921ea4c
SSDEEP

6144:8hjmq2nA8P9tlASRzKW3ZzEzfrWwZLrNbBltRFbPIThWYdAQnrnWEJ/IquiRAR6v:Uc9t2SllJzafrNFlxbPxY2QnCE/IRYF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3584	keygen.exe

Loads dropped DLL 3 IoCs

pid	Process
3584	keygen.exe
3584	keygen.exe
3584	keygen.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	1872	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1872	AUDIODG.EXE
Token: SeDebugPrivilege	4812	taskmgr.exe
Token: SeSystemProfilePrivilege	4812	taskmgr.exe
Token: SeCreateGlobalPrivilege	4812	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
3584	keygen.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe
4812	taskmgr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 3584	5060	IK_Multimedia_Keygen.exe	71
PID 5060 wrote to memory of 3584	5060	IK_Multimedia_Keygen.exe	71
PID 5060 wrote to memory of 3584	5060	IK_Multimedia_Keygen.exe	71

C:\Users\Admin\AppData\Local\Temp\IK_Multimedia_Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\IK_Multimedia_Keygen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\Temp\keygen.exe
  C:\Users\Admin\AppData\Local\Temp\keygen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  PID:3584

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4812

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BASSMOD.DLL

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
C:\Users\Admin\AppData\Local\Temp\R2RIKM2.dll

Filesize
6KB

MD5
5ab745c63015a8f7ad2e352f3e27ffa6

SHA1
451f220317dcd0e1693d0c2c53bf504ba5021393

SHA256
f0daf110506df054c349be136157fca6b534bc36b6029fbd112ce9fea5772bce

SHA512
604959c4521a79adcd217e3a97ae480bfdccdfec05e77342b3ecf092606188ef0268c247739af1030dcd4358b7a6a6a4dfa4f689a773b4a049d18c3d6c40a531

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgm.xm

Filesize
53KB

MD5
a30878984af33ee69ace5cf8e330b974

SHA1
916e9098ad80f3e79502adac42820b1ffbae1eb6

SHA256
498eadc5b3d65aaf34b8496954c3362f033297c489d7ef4559cba8890c530171

SHA512
f3ddaf6d3b4e12928efe5c167e8d010c858f19d4bf5a9698b4aabe21e53b5762ad667c81bd4e119083b6213bc96869056538dfc6fcdfc8147cfb1f1ea0c2162f

Download Submit
C:\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
606KB

MD5
1ca226c0081f578335f1c380df0ebd34

SHA1
202489bb90533245fc1b61d7f6ff4ebafa00ba0c

SHA256
867db4f5afa6db8a419e7c09e5a87082045fce0ce0e08d8b9af10a633802b2ee

SHA512
45602f4c438ed585acbd52c227e31e950d1be99a995d218770f6c9d63cd3724c481a1478de272d930466a542848d0a7e9b34a35de8c00325c10c84b9177af393

Download Submit
memory/3584-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-13-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3584-22-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3584-23-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3584-24-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3584-25-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3584-26-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download