1ff9294afabf3cb4b61670abd50e253a0ee878e533293bde60b2a1ced34e5869

General

Target

Output_CR_KeyGen.exe
Size

749KB
MD5

4f68d134394ba001f944d7274af3d380
SHA1

9736a8a08de260ae03df023675c3cf39c759f2fc
SHA256

1ff9294afabf3cb4b61670abd50e253a0ee878e533293bde60b2a1ced34e5869
SHA512

86bdbc54c80c400ad43961ef274865ad497b9e2368839fb88b84da5c3348c2f72d796cd678ad717e4f08f688284f5c627cd91ea68b2de7b6f4a0f63c2b4aa904
SSDEEP

12288:XYkc9t2Sll/vXr9fIUfMJfaoJzBG1Y8aW4O/Z18yEJK+AigMJlt0FOBH4:XYkcL5vjMJXZBG1n/Z18yEJK+wMJlwa4

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2808	keygen.exe

Loads dropped DLL 4 IoCs

pid	Process
2292	Output_CR_KeyGen.exe
2292	Output_CR_KeyGen.exe
2808	keygen.exe
2808	keygen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Output_CR_KeyGen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2808	2292	Output_CR_KeyGen.exe	30
PID 2292 wrote to memory of 2808	2292	Output_CR_KeyGen.exe	30
PID 2292 wrote to memory of 2808	2292	Output_CR_KeyGen.exe	30
PID 2292 wrote to memory of 2808	2292	Output_CR_KeyGen.exe	30

C:\Users\Admin\AppData\Local\Temp\Output_CR_KeyGen.exe
"C:\Users\Admin\AppData\Local\Temp\Output_CR_KeyGen.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\keygen.exe
  C:\Users\Admin\AppData\Local\Temp\keygen.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bgm.xm

Filesize
620KB

MD5
62f5bd0ddf24713f168193b7ac4f1060

SHA1
d86df52d3ca6954b1d1c8c876c57f7fa77d68fa2

SHA256
e386ff4d04afd77a9be93a8591606aa3d67e067c1da40a57a1ad9d255e38a613

SHA512
58fd29bc39485b6c0a1659ea7cf08fd92311946afea54323cf4f01b68347a35fdcd7b1744aa956da8604fe091de149c8733545ef1b9b19081e10b3ad536c718c

Download Submit
\Users\Admin\AppData\Local\Temp\BASSMOD.dll

Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
\Users\Admin\AppData\Local\Temp\R2RJUCE.dll

Filesize
242KB

MD5
90a452c84f7f2b5ca5a61bccaaa17e92

SHA1
3fb5829be5db5af55ee4043f0dce7f9253d800dd

SHA256
674a6eafb277261cd6959a4145329ab8b612fe5948fc8daf064192498fa65f92

SHA512
41304120d3b2d0489fa82c13abce47fca967c6415e28c05382c0c567a167ff400f7d58b843afdfcc33227d4caa8fbb32af38fa7175fd066631fe1bb82615975b

Download Submit
\Users\Admin\AppData\Local\Temp\keygen.exe

Filesize
491KB

MD5
b7a0d2a3cc5f085ecf92aa825b7ffe10

SHA1
a1bc7ec71149911f1805d0120b1be59e70c9912c

SHA256
c4c81270316396493d689feda96cff009d483803a43969d89734191972e8b4bf

SHA512
0b9cd151c23444a5d5d68197773a5abaee8b6ca831b448e98167b53054d5612896e79d1b6f509a196a62ddb5e8c0a51c4ba9fa36ca0a16d2f4163aac3b7c470e

Download Submit
memory/2808-24-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2808-27-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2808-17-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2808-21-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2808-22-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2808-23-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2808-11-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2808-25-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2808-26-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2808-19-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2808-28-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2808-29-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2808-30-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2808-31-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2808-32-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2808-33-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2808-34-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2808-35-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing