1a817d66dd70b9e04ab7aebd99bc97d167f77d68f9551f617bdece2d7b2716be

General

Target

keymanager_setup.exe
Size

2.1MB
MD5

568bc261204f476b2b231cc86a5f56bc
SHA1

ccfa43f9b3bde80bdfbdfc6c8bf3459f6ad3ad47
SHA256

1a817d66dd70b9e04ab7aebd99bc97d167f77d68f9551f617bdece2d7b2716be
SHA512

33836a062ac001463e6f53c7a99619bc4b436b93e5b5fd8c3122ae1b8d26a0c8d7b2314d36b3f4fe6608f576f4ea9aa833bf9ac5c5be9f4ad38a62ea3e3f2a6c
SSDEEP

49152:E+xyvwIuPwcbvOVMrLHHkFevC4qGqr4UuWEpOO9GCkvf+ocky:04mcjrLY4Pqr4UTMG9X+oNy

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	keymanager.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	keymanager.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ATNSOFT Key Manager = "\"C:\\Program Files (x86)\\ATNSOFT Key Manager\\keymanager.exe\" /startup"	keymanager_setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ATNSOFT Key Manager\is-U9RRA.tmp	keymanager_setup.tmp
File created	C:\Program Files (x86)\ATNSOFT Key Manager\is-3ID0H.tmp	keymanager_setup.tmp
File created	C:\Program Files (x86)\ATNSOFT Key Manager\is-8PE2S.tmp	keymanager_setup.tmp
File created	C:\Program Files (x86)\ATNSOFT Key Manager\unins000.msg	keymanager_setup.tmp
File opened for modification	C:\Program Files (x86)\ATNSOFT Key Manager\unins000.dat	keymanager_setup.tmp
File opened for modification	C:\Program Files (x86)\ATNSOFT Key Manager\keymanager.exe	keymanager_setup.tmp
File created	C:\Program Files (x86)\ATNSOFT Key Manager\unins000.dat	keymanager_setup.tmp

Executes dropped EXE 2 IoCs

pid	Process
2316	keymanager_setup.tmp
2844	keymanager.exe

Loads dropped DLL 4 IoCs

pid	Process
1712	keymanager_setup.exe
2316	keymanager_setup.tmp
2316	keymanager_setup.tmp
2316	keymanager_setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2316	keymanager_setup.tmp
2316	keymanager_setup.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2844	keymanager.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2316	keymanager_setup.tmp
2844	keymanager.exe
2844	keymanager.exe
2844	keymanager.exe
2844	keymanager.exe
2844	keymanager.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2844	keymanager.exe
2844	keymanager.exe
2844	keymanager.exe
2844	keymanager.exe
2844	keymanager.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2844	keymanager.exe
2844	keymanager.exe
2844	keymanager.exe
2844	keymanager.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2316	1712	keymanager_setup.exe	29
PID 1712 wrote to memory of 2316	1712	keymanager_setup.exe	29
PID 1712 wrote to memory of 2316	1712	keymanager_setup.exe	29
PID 1712 wrote to memory of 2316	1712	keymanager_setup.exe	29
PID 1712 wrote to memory of 2316	1712	keymanager_setup.exe	29
PID 1712 wrote to memory of 2316	1712	keymanager_setup.exe	29
PID 1712 wrote to memory of 2316	1712	keymanager_setup.exe	29
PID 2316 wrote to memory of 2844	2316	keymanager_setup.tmp	30
PID 2316 wrote to memory of 2844	2316	keymanager_setup.tmp	30
PID 2316 wrote to memory of 2844	2316	keymanager_setup.tmp	30
PID 2316 wrote to memory of 2844	2316	keymanager_setup.tmp	30

C:\Users\Admin\AppData\Local\Temp\keymanager_setup.exe
"C:\Users\Admin\AppData\Local\Temp\keymanager_setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\is-HINJ4.tmp\keymanager_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HINJ4.tmp\keymanager_setup.tmp" /SL5="$401AE,1675432,121344,C:\Users\Admin\AppData\Local\Temp\keymanager_setup.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Program Files (x86)\ATNSOFT Key Manager\keymanager.exe
    "C:\Program Files (x86)\ATNSOFT Key Manager\keymanager.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ATNSOFT Key Manager\langinfo.dat

Filesize
4B

MD5
f1d3ff8443297732862df21dc4e57262

SHA1
9069ca78e7450a285173431b3e52c5c25299e473

SHA256
df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119

SHA512
ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3

Download Submit
\Program Files (x86)\ATNSOFT Key Manager\keymanager.exe

Filesize
3.8MB

MD5
71289680572d02e75a7f83c24ba7894d

SHA1
f732d66cbc33d4e55dee04c06308f1e288590bd5

SHA256
ed0d7eb35b6696be5638e3db7a9f1503db2d8c91b9732ae83ba58dbaf1596a09

SHA512
75619c84cc44b1257279062418a1aee69c199cd9c27381fc53faf2ba486f643588d5a3beac3937f7581f890a436f8654bf001bb8624f12fef689af66133e3a0d

Download Submit
\Users\Admin\AppData\Local\Temp\is-HINJ4.tmp\keymanager_setup.tmp

Filesize
1.2MB

MD5
23753ae5d0a9db6215a037575e84d557

SHA1
295fb6921dc903db58fd91cd89de0d496708f88c

SHA256
093f33b70d42e3d6d613669e75e1d2239b6f0ab11328ae3315508e99b305aafd

SHA512
e27ca3c7d6e02f16f16d428b0f0fa49e1dbdd1d702bbc32b43efb06480635c22ff29e7f68bf3046a8d766a86afbd719fdea4f75a3eca5edfba406453ee1e025c

Download Submit
memory/1712-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1712-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1712-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/1712-63-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2316-33-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2316-8-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2316-45-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/2316-54-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2316-31-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2316-66-0x0000000004480000-0x0000000004B1F000-memory.dmp

Filesize
6.6MB

Download
memory/2316-11-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2316-62-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2844-59-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/2844-68-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/2844-71-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads