Overview
overview
10Static
static
10keygen-pr.exe
windows7-x64
3keygen-pr.exe
windows10-2004-x64
3keygen-step-1.exe
windows7-x64
10keygen-step-1.exe
windows10-2004-x64
10keygen-step-3.exe
windows7-x64
7keygen-step-3.exe
windows10-2004-x64
7keygen-step-4.exe
windows7-x64
10keygen-step-4.exe
windows10-2004-x64
10keygen-step-5.exe
windows7-x64
7keygen-step-5.exe
windows10-2004-x64
7keygen-step-6.exe
windows7-x64
7keygen-step-6.exe
windows10-2004-x64
7keygen.bat
windows7-x64
10keygen.bat
windows10-2004-x64
10Analysis
-
max time kernel
139s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2024 08:20
Behavioral task
behavioral1
Sample
keygen-pr.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
keygen-pr.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
keygen-step-1.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
keygen-step-1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
keygen-step-3.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
keygen-step-3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
keygen-step-4.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
keygen-step-4.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
keygen-step-5.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
keygen-step-5.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
keygen-step-6.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
keygen-step-6.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
keygen.bat
Resource
win7-20240903-en
General
-
Target
keygen-step-5.exe
-
Size
1.9MB
-
MD5
3b7a3bba78f866019d4addccffcf3942
-
SHA1
a1a467cc72b2b0b5678aed806435ab4e4f3a232e
-
SHA256
c9022d72e11ce317a5edd37195ac5e7aac341e1df29792f04d2c181eac6dea1b
-
SHA512
86978fd7b9f92338c6328494c00032b400ce596952df266b3123ed949ef7324708ae03927739c4686efdb89727f8e0a89147a6367bb3485290ba84ef9406c469
-
SSDEEP
24576:q9qFtP8Q12rlO5Onp6iMsKmLYcX7Kx6BPLNtszaEvxAirQuPZY88PDR3YWff8yP0:N1clGWIiSmVOEBwzacxAir/RYBDu/3uw
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation keygen-step-5.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation yCLcV_JUHy~2UXJ.ExE -
Executes dropped EXE 2 IoCs
pid Process 3972 yCLcV_JUHy~2UXJ.ExE 2960 e58b745.exe -
Loads dropped DLL 2 IoCs
pid Process 2676 regsvr32.exe 2676 regsvr32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1884 2960 WerFault.exe 108 -
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language keygen-step-5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yCLcV_JUHy~2UXJ.ExE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e58b745.exe -
Kills process with taskkill 1 IoCs
pid Process 2888 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2676 regsvr32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2888 taskkill.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 1840 wrote to memory of 2344 1840 keygen-step-5.exe 85 PID 1840 wrote to memory of 2344 1840 keygen-step-5.exe 85 PID 1840 wrote to memory of 2344 1840 keygen-step-5.exe 85 PID 2344 wrote to memory of 3972 2344 cmd.exe 87 PID 2344 wrote to memory of 3972 2344 cmd.exe 87 PID 2344 wrote to memory of 3972 2344 cmd.exe 87 PID 2344 wrote to memory of 2888 2344 cmd.exe 88 PID 2344 wrote to memory of 2888 2344 cmd.exe 88 PID 2344 wrote to memory of 2888 2344 cmd.exe 88 PID 3972 wrote to memory of 2104 3972 yCLcV_JUHy~2UXJ.ExE 90 PID 3972 wrote to memory of 2104 3972 yCLcV_JUHy~2UXJ.ExE 90 PID 3972 wrote to memory of 2104 3972 yCLcV_JUHy~2UXJ.ExE 90 PID 3972 wrote to memory of 3656 3972 yCLcV_JUHy~2UXJ.ExE 96 PID 3972 wrote to memory of 3656 3972 yCLcV_JUHy~2UXJ.ExE 96 PID 3972 wrote to memory of 3656 3972 yCLcV_JUHy~2UXJ.ExE 96 PID 3656 wrote to memory of 3604 3656 cmd.exe 98 PID 3656 wrote to memory of 3604 3656 cmd.exe 98 PID 3656 wrote to memory of 3604 3656 cmd.exe 98 PID 3656 wrote to memory of 2532 3656 cmd.exe 99 PID 3656 wrote to memory of 2532 3656 cmd.exe 99 PID 3656 wrote to memory of 2532 3656 cmd.exe 99 PID 3656 wrote to memory of 2676 3656 cmd.exe 101 PID 3656 wrote to memory of 2676 3656 cmd.exe 101 PID 3656 wrote to memory of 2676 3656 cmd.exe 101 PID 2676 wrote to memory of 2960 2676 regsvr32.exe 108 PID 2676 wrote to memory of 2960 2676 regsvr32.exe 108 PID 2676 wrote to memory of 2960 2676 regsvr32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\keygen-step-5.exe"C:\Users\Admin\AppData\Local\Temp\keygen-step-5.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C typE "C:\Users\Admin\AppData\Local\Temp\keygen-step-5.exe" > ..\yCLcV_JUHy~2UXJ.ExE && STaRT ..\YCLCV_JUHY~2UXJ.ExE -PdpV4tWBoTeEAefzfcz & IF ""==""for %I IN ("C:\Users\Admin\AppData\Local\Temp\keygen-step-5.exe" ) do taskkill /iM "%~NxI" -F > nUl2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\yCLcV_JUHy~2UXJ.ExE..\YCLCV_JUHY~2UXJ.ExE -PdpV4tWBoTeEAefzfcz3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /C typE "C:\Users\Admin\AppData\Local\Temp\yCLcV_JUHy~2UXJ.ExE" > ..\yCLcV_JUHy~2UXJ.ExE && STaRT ..\YCLCV_JUHY~2UXJ.ExE -PdpV4tWBoTeEAefzfcz & IF "-PdpV4tWBoTeEAefzfcz "==""for %I IN ("C:\Users\Admin\AppData\Local\Temp\yCLcV_JUHy~2UXJ.ExE" ) do taskkill /iM "%~NxI" -F > nUl4⤵
- System Location Discovery: System Language Discovery
PID:2104
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C ecHo %randoM%XyyM> S7YcxJ2.x & EcHO| seT /P ="MZ" > CepfIAXQ.8 &copY /Y /b cepfIAXQ.8 + KQTlyS.E+DPSBV.B+ P8AkH.lP + TE2K.C + 7_7S.4tB + _AqLYN6~.KN + 12UX9.H4T + S7YcxJ2.x ..\ID5A1C.7a > nUl & starTregsvr32.exe /S ..\ID5A1C.7A & dEl/q * > nuL4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHO"5⤵
- System Location Discovery: System Language Discovery
PID:3604
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /P ="MZ" 1>CepfIAXQ.8"5⤵
- System Location Discovery: System Language Discovery
PID:2532
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /S ..\ID5A1C.7A5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Users\Admin\AppData\Local\Temp\e58b745.exe"C:\Users\Admin\AppData\Local\Temp\e58b745.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 8087⤵
- Program crash
PID:1884
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /iM "keygen-step-5.exe" -F3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2960 -ip 29601⤵PID:1136
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
77KB
MD50487f0b988b3a89a1f8c0a280d35c668
SHA19c29a470b5f0ea99105f9d25766b65e8ebdcf3d2
SHA2562a84fa9c15c71cf185d1e3031a72f0d1559adf556455e0875cda55bab553b66b
SHA51235c637a87883c0e4d429a19e11816b737ea05f37566ceeb22d9fd2c36ef568fb2ba699b10f23d276f640114ef3c1cc56481c0701046ad13a83fdf2693f6a35d6
-
Filesize
2B
MD5ac6ad5d9b99757c3a878f2d275ace198
SHA1439baa1b33514fb81632aaf44d16a9378c5664fc
SHA2569b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b
-
Filesize
428KB
MD59a66c3b6836700f26deb13b6d37aa4b6
SHA1013ecc7e28dd831c89660dd8dd042e7ea3dc9d2d
SHA2563ee047a4b812813f4777bac2f92a91849ab4519836076443c314ee296cba5ba9
SHA5121bccc6459a8e3190b542b04a15a8820bc27bb545f891d910badca3b18bceaea34fd046b1a651558fdbfbdbb7d1a93d7fdeb3a471e0903556c7c9910b77e4dc73
-
Filesize
86KB
MD5f4f7afc50a289cc67f88772c2aa9c2fa
SHA14b0126fb5baa302c18334f504e03a2d4c6e9c802
SHA256909f5d21d276cc1fc644dd57dcbabd4b25e02c6fc6888fafed04bb0a7ddb6fbd
SHA5120f73f5426c7e467eb0c03cb385571ba5bffed78f23743269be97336b11ed96d5f339a9a1173657f83b814621dd6109d26b8ac1fdb7864ef5497ffe55474afd66
-
Filesize
302KB
MD59a8e502f75614d00263a8ca83644f554
SHA11253d6b6386492c57191c6985e3643d7138cb939
SHA2563dca184debb9b047947d7b4689fe4db0c520ea330f6eee8a7780433b083eb37a
SHA512463ffc7f2c3d157215b64977fb60f0084884d6301c14988b37e89a4cf855df508f1e94d8fb3404f6f63711c5086e30dbb721c3489983dca786385a79bcae736f
-
Filesize
154KB
MD5e22775ce37deb96f373634c481830799
SHA17411eb24d3c5e197627d81e20f3a4551a040c166
SHA25636e2aeeceb8aa59e823f13e7bdbd6af8700ffd18f16a4d724991ecf31eb8dd6a
SHA5127b42cf7339e5c0e17dca42629a7df2d732c0b13f092269508b250772f4d1c64d40dd644b4639d4e1884573526a4b0bf3f646e0e2fa585d88b0723dbd6c7affbc
-
Filesize
123KB
MD5dbb25fece40a910dd4da12cf29d32392
SHA10f42f363bb3458b0bf5ff9dcd1ff9a8615baa6fd
SHA2560ffc3aeb41340555ec116f4c0e0004d37de7130613b19bbb3704be551234b57d
SHA512f07918a776c5f4f62b5a2ed1611aedb79eef5dc1982dd8727477f4b5c233870df6e3a82acef7691bb8d14d5f65d4919ae80351103e6e39e09b699a87748a1635
-
Filesize
21KB
MD5858939a54a0406e5be7220b92b6eb2b3
SHA1da24c0b6f723a74a8ec59e58c9c0aea3e86b7109
SHA256a30f30a109cb78d5eb1969f6c13f01a1e0a5f07b7ad8b133f5d2616223c1ce0a
SHA5128875d1e43ea59314695747796894a2f171e92f7b04024dbc529af1497331489e279cd06ea03061288089d2f07ad437178b9d62f0bae2e16ae0b95c5681569401
-
Filesize
1.9MB
MD53b7a3bba78f866019d4addccffcf3942
SHA1a1a467cc72b2b0b5678aed806435ab4e4f3a232e
SHA256c9022d72e11ce317a5edd37195ac5e7aac341e1df29792f04d2c181eac6dea1b
SHA51286978fd7b9f92338c6328494c00032b400ce596952df266b3123ed949ef7324708ae03927739c4686efdb89727f8e0a89147a6367bb3485290ba84ef9406c469