Analysis

  • max time kernel
    247s
  • max time network
    203s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    05-09-2024 07:17

General

  • Target

    keygen.exe

  • Size

    31KB

  • MD5

    71c3b2f765b04d0b7ea0328f6ce0c4e2

  • SHA1

    bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4

  • SHA256

    ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37

  • SHA512

    1923db134d7cee25389a07e4d48894dde7ee8f70d008cd890dd34a03b2741a54ec1555e6821755e5af8eae377ef5005e3f9afceb4681059bc1880276e9bcf035

  • SSDEEP

    768:A6+T41GjHbdWCWDwDD01riWpJxKpAQJs/3JGIDLQ5:b+U+hHIBpJxixgQ

Score
3/10

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\keygen.exe
    "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4144
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4372
    • C:\Users\Admin\AppData\Local\Temp\builder.exe
      "C:\Users\Admin\AppData\Local\Temp\builder.exe"
      1⤵
      • System Location Discovery: System Language Discovery
      PID:3424
    • C:\Users\Admin\AppData\Local\Temp\keygen.exe
      "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
      1⤵
      • System Location Discovery: System Language Discovery
      PID:2904
    • C:\Users\Admin\AppData\Local\Temp\keygen.exe
      "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
      1⤵
      PID:3356
      • C:\Windows\System32\NOTEPAD.EXE
        "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Build.bat
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:4860
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4480
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\config.json
          2⤵
          • Opens file in notepad (likely ransom note)
          • Suspicious use of FindShellTrayWindow
          PID:848

Network

MITRE ATT&CK Enterprise v15
