| File name: | Patch-Keygen.zip |
| Full analysis: | https://app.any.run/tasks/535a702c-5d46-44c6-99b1-022a78484bfa |
| Verdict: | Malicious activity |
| Analysis date: | October 27, 2023, 06:41:50 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip multi-volume archive data, at least PKZIP v2.50 to extract |
| MD5: | C9B6E92404EF004CE0BDCAF631628CFD |
| SHA1: | 0C20C2FF01089E135AEDF572720B20B30F8F2C37 |
| SHA256: | 48BB58B6807435E3ADE5A106102C776D11C7689AA472C2F26AFE4D511EE5B3FC |
| SSDEEP: | 12288:cESWiWePDOtqT7AfplX07SakZ6VKFjDOtqT7AfplIwriTr:Aqe77m07XB4H7EriTr |
MALICIOUS
Application was dropped or rewritten from another process
- BC Reset 32-bit.exe (PID: 1768)
- keymaker.exe (PID: 3464)
- keymaker.exe (PID: 668)
SUSPICIOUS
Process drops legitimate windows executable
- WinRAR.exe (PID: 1396)
Executing commands from a ".bat" file
- BC Reset 32-bit.exe (PID: 1768)
Starts CMD.EXE for commands execution
- BC Reset 32-bit.exe (PID: 1768)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 960)
Reads the Internet Settings
- BC Reset 32-bit.exe (PID: 1768)
INFO
Checks supported languages
- BC Reset 32-bit.exe (PID: 1768)
- keymaker.exe (PID: 3464)
- keymaker.exe (PID: 668)
Reads the computer name
- BC Reset 32-bit.exe (PID: 1768)
Manual execution by a user
- BC Reset 32-bit.exe (PID: 1768)
- keymaker.exe (PID: 3464)
- keymaker.exe (PID: 668)
Create files in a temporary directory
- BC Reset 32-bit.exe (PID: 1768)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 1396)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (multivolume) (100) |
|---|
Total processes
53
Monitored processes
13
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 668 | "C:\Users\admin\Desktop\keymaker.exe" | C:\Users\admin\Desktop\keymaker.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 183 Modules
| |||||||||||||||
| 960 | "C:\Windows\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\1C2C.tmp\1C2D.tmp\1C2E.bat "C:\Users\admin\Desktop\BC Reset 32-bit.exe"" | C:\Windows\System32\cmd.exe | — | BC Reset 32-bit.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1372 | reg delete HKLM\SOFTWARE\BANDISOFT\BANDICAM\OPTION /v sUserData /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1396 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Patch-Keygen.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 1440 | reg delete HKCU\Software\BANDISOFT\BANDICAM\OPTION /v sUserInfo2 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1768 | "C:\Users\admin\Desktop\BC Reset 32-bit.exe" | C:\Users\admin\Desktop\BC Reset 32-bit.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
| 2016 | reg delete HKCU\Software\BANDISOFT\BANDICAM\OPTION /v sUserInfo /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2436 | reg delete HKLM\SOFTWARE\BANDISOFT\BANDICAM\OPTION /v sUserInfo /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2876 | reg add HKLM\SOFTWARE\BANDISOFT\BANDICAM\OPTION /v sCode /d 9843b4f4abf8c93b1746c123eb49e710 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3112 | reg add HKLM\SOFTWARE\BANDISOFT\BANDICAM\OPTION /v sCode2 /d aa43cef8f7fe6f8266e57e97d45db82cfd689cdf4e92acafa6e908809dc4477f8588a8cae78be3c5 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
1 133
Read events
1 116
Write events
17
Delete events
0
Modification events
| (PID) Process: | (1396) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1396) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (1396) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (1396) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (1396) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1396) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (1396) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (1396) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (1768) BC Reset 32-bit.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (1768) BC Reset 32-bit.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
Executable files
4
Suspicious files
0
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1396 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1396.41844\msimg32.dll | executable | |
MD5:4B4705640975B0DF28ADB898AC74811F | SHA256:523198B4B933F95AF21970328E505F28BB7A7331C6193626FBB681CF3BCCA65E | |||
| 1396 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1396.41844\keymaker.exe | executable | |
MD5:8A8A0D8AA60C7529753089DFD1D7D8A5 | SHA256:3921C96EE71D9F7271C2D256958BDFC2C1081D9E3D5149F035635E0421253892 | |||
| 1396 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1396.41844\BC Reset 64-bit.exe | executable | |
MD5:66C058437EC794ABA3F851CC7E3CF4FA | SHA256:00748D7EA4CCFB6FC6FF59E3FE24C46B862AB3DD9C562FF6B13B5DFB31326BC6 | |||
| 1396 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1396.41844\BC Reset 32-bit.exe | executable | |
MD5:0CB81E9844E38D82E96AD5C797981634 | SHA256:EC14CA80084366C2CA2B34BD717EA2C7CF6A1437F70BE3780A396697C709025F | |||
| 1396 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1396.41844\Readme.txt | text | |
MD5:F1A89BF9290845A2B5B7F8B9614F5F2C | SHA256:D6612B93752D6BB2733C1317DE2307EE1096F08FCAD86FD540DB6C1809256386 | |||
| 1768 | BC Reset 32-bit.exe | C:\Users\admin\AppData\Local\Temp\1C2C.tmp\1C2D.tmp\1C2E.bat | text | |
MD5:A0185759E79BB8FFA690FA098A214225 | SHA256:D5DF3640A406662FA9A513383F61A7650BC6B5F20E0731BBA9395DBD8DB752DE | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2656 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |