Analysis
- max time kernel: 151s
- max time network: 142s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 12-12-2020 16:29

Static task: static1
Behavioral task: behavioral1
- Sample: Vape V4 Crack.bin.exe
- Resource: win7v20201028
General
- Target: Vape V4 Crack.bin.exe
- Size: 1.7MB
- MD5: 6a669de1d724cc4874c42ae535ca892d
- SHA1: de905655fd632fff874bc907726e9b9a16886ea9
- SHA256: 5d45d76577ec4d7429bab8dbfa6f5ff52d947a5c7c6f9ff373456e0c3703e454
- SHA512: 23ed610d8a5803934a2a35de40fbd3e55a91d89b436812e0bb8cc692e8d10ce5a9e10e63267084461b13d50a5eeac5ed45df67950e164654e6ba8de859921708
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: motionalt1@gmail.com
- Password: you@regay

These are the credentials the sample uses to send what it collects over authenticated SMTP submission to Gmail on port 587; they belong to the operator's drop mailbox, not to the infected user, so the account name is a pivot for hunting, not a victim identifier.
Signatures

Modifies security service 2 TTPs 2 IoCs
Processes: Defender.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3" (Defender.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3" (Defender.exe)
Start = 3 is SERVICE_DEMAND_START: the Windows Defender service (WinDefend) is no longer started automatically at boot. The value is written twice by Defender.exe.
Executes dropped EXE 5 IoCs
Processes: Windows Update.exe, EBFile_2.exe, EBFile_3.exe, Defender.exe, Defender.exe
- 1580 Windows Update.exe
- 908 EBFile_2.exe
- 852 EBFile_3.exe
- 2032 Defender.exe
- 944 Defender.exe
Deletes itself 1 IoCs
Processes: Windows Update.exe
- 1580 Windows Update.exe
Loads dropped DLL 4 IoCs
Processes: Vape V4 Crack.bin.exe, Windows Update.exe, EBFile_2.exe
- 1084 Vape V4 Crack.bin.exe
- 1580 Windows Update.exe
- 1580 Windows Update.exe
- 908 EBFile_2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
The two vbc.exe instances in the process tree are started with a NirSoft-style "/stext <file>" argument and no source file to compile; together with the SetThreadContext and WriteProcessMemory entries below, that is consistent with vbc.exe serving as a hollowed host for injected credential-dumping code rather than being used as a compiler.
Windows security modification 4 IoCs
Processes: Defender.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection (Defender.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1" (Defender.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection (Defender.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (Defender.exe)
Adds Run key to start application 2 TTPs 1 IoCs
Processes: Windows Update.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" (Windows Update.exe)
The Run value points at WindowsUpdate.exe (no space), while the file actually dropped to AppData\Roaming is "Windows Update.exe"; no WindowsUpdate.exe appears in the dropped-file list below, so the persistence entry as recorded would not resolve unless that file is written after the capture window.
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Flows:
- flow 9: whatismyipaddress.com
- flow 6: whatismyipaddress.com
- flow 8: whatismyipaddress.com
Drops file in System32 directory 2 IoCs
Processes: Defender.exe
- File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol (Defender.exe)
- File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini (Defender.exe)
Registry.pol is the local machine Group Policy registry store and gpt.ini carries its version counter; writing both is how a local policy change is made to stick and be re-applied on the next refresh, so the Defender settings above are most likely being set as local policy as well as directly in the registry. The gpscript.exe /RefreshSystemParam process at the end of the tree is consistent with the policy refresh that follows.
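Detection logic for the registry-side behaviour in the signatures above (the WinDefend start-type change, the Defender kill switches and the Run value), as an added example that is not part of this report or of any tooling it references. It takes Sysmon-style registry value-set events, normalizes the kernel-native paths the report prints, and flags each change. The event records are constructed from this report's IoCs plus one benign control; the field names (image, target, details), the Defender value names beyond the two shown in this report, and the "user-writable directory" rule are assumptions that extend the check beyond this one sample.

```python
r"""Registry-side detection for what Defender.exe and Windows Update.exe do in this report.
Added example, not code from the sandbox report. EVENTS are constructed to mirror the
report's IoCs; field names are an assumption modelled on Sysmon Event ID 13."""
import re

# Constructed registry-write events (not real log lines). Targets are left in the
# kernel-native form the report prints so normalize() is exercised; the last event
# is a benign control that must not fire.
EVENTS = [
    {"image": r"C:\Users\Admin\AppData\Local\Temp\Defender.exe",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start",
     "details": "DWORD (0x00000003)"},
    {"image": r"C:\Users\Admin\AppData\Local\Temp\Defender.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    {"image": r"C:\Users\Admin\AppData\Local\Temp\Defender.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
    {"image": r"C:\Users\Admin\AppData\Roaming\Windows Update.exe",
     "target": r"\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "details": r"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"},
    {"image": r"C:\Program Files\Vendor\setup.exe",            # benign control (constructed)
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VendorSvc\Start",
     "details": "DWORD (0x00000002)"},
]

SERVICE_START = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}

# Defender values that disable a component when set to 1. The first two are the ones
# this report shows; the others are further documented Real-Time Protection switches
# (assumption: same playbook, different switch).
DEFENDER_KILL_SWITCHES = {
    "DisableAntiSpyware", "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableOnAccessProtection", "DisableScanOnRealtimeEnable", "DisableIOAVProtection",
}
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData)\\", re.I)


def normalize(path):
    """Map kernel-native registry paths onto HKLM/HKU and fold ControlSetNNN into
    CurrentControlSet so a single rule covers both spellings."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    path = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", path, flags=re.I)
    return re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", path, flags=re.I)


def parse_dword(details):
    """Sysmon renders REG_DWORD as 'DWORD (0x00000003)'; return the int, None for strings."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details.strip())
    return int(m.group(1), 16) if m else None


def check_event(ev):
    """Return the list of findings an event trips (empty for benign events)."""
    hits = []
    key, _, name = normalize(ev["target"]).rpartition("\\")
    value = parse_dword(ev["details"])
    # WinDefend service start type: anything but AUTO_START (2) means Defender will not come up at boot.
    if key.lower() == r"hklm\system\currentcontrolset\services\windefend" and name.lower() == "start":
        if value is not None and value != 2:
            hits.append("WinDefend start type changed to %s" % SERVICE_START.get(value, value))
    # Defender configuration or policy kill switches set to 1.
    if re.match(r"HKLM\\SOFTWARE\\(Policies\\)?Microsoft\\Windows Defender(\\|$)", key, re.I):
        if name in DEFENDER_KILL_SWITCHES and value == 1:
            hits.append("Defender switch %s set to 1" % name)
    # Run/RunOnce value whose data lives in a user-writable directory.
    if re.search(r"\\CurrentVersion\\Run(Once)?$", key, re.I) and USER_WRITABLE.search(ev["details"]):
        hits.append("Run value '%s' points into a user-writable directory" % name)
    if hits and USER_WRITABLE.search(ev["image"]):
        hits.append("writer itself runs from a user-writable directory")
    return hits


def scan(events):
    """Return [(target, findings)] for every event that trips at least one rule."""
    out = []
    for ev in events:
        hits = check_event(ev)
        if hits:
            out.append((ev["target"], hits))
    return out


if __name__ == "__main__":
    for target, hits in scan(EVENTS):
        print(target)
        for h in hits:
            print("   ", h)
```

The normalization step matters in practice: sandbox reports, Sysmon and EDR consoles each spell the same key differently (\REGISTRY\MACHINE vs HKLM, ControlSet001 vs CurrentControlSet), and a rule written against one spelling silently misses the others.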
Suspicious use of SetThreadContext 2 IoCs
Processes: Windows Update.exe
- PID 1580 (Windows Update.exe) set thread context of 1844 (vbc.exe)
- PID 1580 (Windows Update.exe) set thread context of 1372 (vbc.exe)
Modifies system certificate store 7 IoCs
Processes: EBFile_3.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data not captured] (EBFile_3.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 (EBFile_3.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data not captured] (EBFile_3.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a (EBFile_3.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data not captured] (EBFile_3.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (EBFile_3.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data not captured] (EBFile_3.exe)
The captured 5FB7... blob is a CryptoAPI serialized certificate-properties record whose CERT_CERT_PROP_ID payload is the DER of the DigiCert High Assurance EV Root CA (serial 02ac5c266a0b409b8f0b79f2ae462577, valid 2006-11-10 to 2031-11-10, friendly name "DigiCert"); the key name 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 is that certificate's SHA-1 thumbprint. AuthRoot is the store that Windows' automatic root-certificate update fills on demand while building a chain, so these writes are consistent with EBFile_3.exe making an outbound TLS connection rather than with an attacker-controlled CA being installed. The signature is worth a look, but on its own it is not evidence of trust-store tampering; a blob whose certificate is not a public root would be.
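To check what EBFile_3.exe actually wrote under AuthRoot, the following added example (not code from the report or from the sandbox) parses the captured Blob value: it walks the serialized property records, extracts the DER certificate, verifies that the registry key name is its SHA-1 thumbprint and that the embedded MD5/SHA-1 properties agree with the DER, and reads the subject CN. The hex is copied from the IoC line above; the record layout and the property-ID names are as defined in wincrypt.h.

```python
r"""Decode the CryptoAPI certificate blob this report shows EBFile_3.exe writing to
AuthRoot\Certificates\5FB7EE06...\Blob. Added example, not code from the sandbox report.
BLOB_HEX is copied from the report's IoC line; the record layout (repeated
<propid u32><reserved=1 u32><length u32><data>, names per wincrypt.h, CERT_CERT_PROP_ID
= 0x20 carrying the DER) is the serialized form CryptoAPI uses for registry-backed stores."""
import hashlib
import struct

PROP_NAMES = {0x03: "SHA1_HASH", 0x04: "MD5_HASH", 0x09: "ENHKEY_USAGE",
              0x0B: "FRIENDLY_NAME", 0x0F: "SIGNATURE_HASH", 0x14: "KEY_IDENTIFIER",
              0x1D: "SUBJECT_NAME_MD5_HASH", 0x20: "CERT", 0x53: "ROOT_PROGRAM_CERT_POLICIES"}

BLOB_HEX = (
    # <propid><reserved=1><len> little-endian, then data (one record per group below)
    "040000000100000010000000" "d474de575c39b2d39c8583c5c065498a"                    # MD5_HASH
    "030000000100000014000000" "5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"            # SHA1_HASH (= key name)
    "1d0000000100000010000000" "8f76b981d528ad4770088245e2031b63"
    "0b0000000100000012000000" "440069006700690043006500720074000000"                # "DigiCert" UTF-16LE
    "140000000100000014000000" "b13ec36903f8bf4701d498261a0802ef63642bc3"
    "530000000100000023000000" "3021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0"
    "090000000100000034000000" "303206082b0601050507030106082b0601050507030206082b0601050507030406082b06"
    "01050507030306082b06010505070308"
    "0f0000000100000014000000" "e35ef08d884f0a0ade2f75e96301ce6230f213a8"
    "2000000001000000c9030000"                                                         # CERT: 969 bytes of DER
    "308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500"
    "306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b1310"
    "7777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e6365"
    "20455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a"
    "306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b1310"
    "7777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e6365"
    "20455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a94159"
    "3ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e3"
    "06e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb"
    "510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55"
    "db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e87"
    "5d1a500b2012cc41bb6e0b5138b84bcb0203010001"
    "a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414"
    "b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef"
    "63642bc3300d06092a864886f70d01010505000382010100"
    "1c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314b"
    "b891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e355"
    "47316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1"
    "155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4"
    "ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037"
    "f300827d54d7a9f8e92e13a377e81f4a"
)


def parse_blob(blob):
    """Walk the property records; returns [(prop_id, data)] in file order."""
    props, off = [], 0
    while off < len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError("malformed property record at offset %d" % (off - 12))
        props.append((prop_id, blob[off:off + length]))
        off += length
    return props


def der_iter(data):
    """Yield (tag, value) for each TLV in a DER byte string (definite lengths only)."""
    i = 0
    while i < len(data):
        tag, ln, hdr = data[i], data[i + 1], 2
        if ln & 0x80:                      # long form: next (ln & 0x7F) bytes hold the length
            n = ln & 0x7F
            ln, hdr = int.from_bytes(data[i + 2:i + 2 + n], "big"), 2 + n
        yield tag, data[i + hdr:i + hdr + ln]
        i += hdr + ln


def subject_cn(der):
    """commonName from an X.509 v3 subject (tbsCertificate fields: [0]version, serial,
    sigAlg, issuer, validity, subject, ...)."""
    _, cert = next(der_iter(der))
    _, tbs = next(der_iter(cert))
    subject = [v for _, v in der_iter(tbs)][5]
    for _, rdn in der_iter(subject):                 # each RDN is a SET ...
        for _, atv in der_iter(rdn):                 # ... of {OID, value} SEQUENCEs
            (_, oid), (_, value) = list(der_iter(atv))[:2]
            if oid == bytes.fromhex("550403"):       # id-at-commonName 2.5.4.3
                return value.decode("ascii")
    return None


def inspect(blob_hex, key_name):
    """Summarize the blob and check that the registry key name is the cert's SHA-1."""
    props = parse_blob(bytes.fromhex(blob_hex))
    by_id = dict(props)
    der = by_id[0x20]
    sha1 = hashlib.sha1(der).hexdigest()
    return {
        "properties": [PROP_NAMES.get(p, hex(p)) for p, _ in props],
        "friendly_name": by_id[0x0B].decode("utf-16-le").rstrip("\x00"),
        "subject_cn": subject_cn(der),
        "der_len": len(der),
        "thumbprint": sha1.upper(),
        "sha1_prop_matches": sha1 == by_id[0x03].hex(),
        "md5_prop_matches": hashlib.md5(der).hexdigest() == by_id[0x04].hex(),
        "key_name_matches": sha1.upper() == key_name.upper(),
    }


if __name__ == "__main__":
    for k, v in inspect(BLOB_HEX, "5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25").items():
        print("%-18s %s" % (k, v))
```

Run against the report's value, this resolves the blob to the DigiCert High Assurance EV Root CA with all three hashes in agreement, which is exactly what a CryptoAPI root auto-update write looks like. The same parser applied to a blob whose CERT property hashed to a thumbprint that is not in a public root program, or whose key name did not match the thumbprint, is what would turn this signature into a finding.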
Opens file in notepad (likely ransom note) 1 IoCs
Processes: NOTEPAD.EXE
- 1560 NOTEPAD.EXE
The "ransom note" label is the sandbox's generic heuristic for a notepad launch. This report records no file-encryption activity, and the file opened (BFile_1.txt, dropped by Windows Update.exe) is more plausibly a decoy message shown to the victim of a "crack" lure.
Suspicious behavior: EnumeratesProcesses 1859 IoCs
Processes: Windows Update.exe
- 1580 Windows Update.exe (all 1859 entries are this one process; the repeated rows are collapsed here)
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: Windows Update.exe, EBFile_3.exe, Defender.exe
- Token: SeDebugPrivilege 1580 Windows Update.exe
- Token: SeDebugPrivilege 852 EBFile_3.exe
- Token: SeDebugPrivilege 2032 Defender.exe
- Token: SeAssignPrimaryTokenPrivilege 2032 Defender.exe
- Token: SeIncreaseQuotaPrivilege 2032 Defender.exe
- Token: 0 2032 Defender.exe
SeAssignPrimaryTokenPrivilege together with SeIncreaseQuotaPrivilege is the pair CreateProcessAsUser requires, consistent with Defender.exe /D (PID 2032) starting its /SYS 1 child under a different token.
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: Windows Update.exe
- 1580 Windows Update.exe
SetWindowsHookEx is how a user-mode keyboard hook is installed; the report does not record the hook type, so this is an indicator of keylogging, not a confirmation.
Suspicious use of WriteProcessMemory 58 IoCs
Processes: Vape V4 Crack.bin.exe, Windows Update.exe, EBFile_2.exe, EBFile_3.exe, cmd.exe, WScript.exe, WScript.exe
Writer -> target (number of write events):
- 1084 Vape V4 Crack.bin.exe -> 1580 Windows Update.exe (7)
- 1580 Windows Update.exe -> 1560 NOTEPAD.EXE (4)
- 1580 Windows Update.exe -> 908 EBFile_2.exe (4)
- 1580 Windows Update.exe -> 852 EBFile_3.exe (4)
- 1580 Windows Update.exe -> 1844 vbc.exe (10)
- 908 EBFile_2.exe -> 2032 Defender.exe (4)
- 1580 Windows Update.exe -> 1372 vbc.exe (10)
- 852 EBFile_3.exe -> 1652 WScript.exe (3)
- 852 EBFile_3.exe -> 1568 cmd.exe (3)
- 1568 cmd.exe -> 1508 choice.exe (3)
- 1652 WScript.exe -> 2032 WScript.exe (3)
- 2032 WScript.exe -> 1624 cmd.exe (3)
A handful of writes into a freshly created child is normal CreateProcess behaviour on Windows 7 (the parent populates the new process's startup data, which is why even cmd.exe -> choice.exe appears here). The ten writes into each of the two vbc.exe processes, combined with the SetThreadContext entries above, are the process-hollowing sequence that matters. Note that PID 2032 is reused within the run: it is Defender.exe (child of EBFile_2.exe) early on and WScript.exe (child of the first WScript.exe) later, so PID-keyed correlation across this report has to take creation order into account.
Processes
- C:\Users\Admin\AppData\Local\Temp\Vape V4 Crack.bin.exe (PID 1084)
  "C:\Users\Admin\AppData\Local\Temp\Vape V4 Crack.bin.exe"
  Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Windows Update.exe (PID 1580)
    "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
    Executes dropped EXE; Deletes itself; Loads dropped DLL; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\NOTEPAD.EXE (PID 1560)
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\BFile_1.txt
      Opens file in notepad (likely ransom note)
    - C:\Users\Admin\AppData\Local\Temp\EBFile_2.exe (PID 908)
      "C:\Users\Admin\AppData\Local\Temp\EBFile_2.exe"
      Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\Defender.exe (PID 2032)
        "C:\Users\Admin\AppData\Local\Temp\Defender.exe" /D
        Modifies security service; Executes dropped EXE; Windows security modification; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
        - C:\Users\Admin\AppData\Local\Temp\Defender.exe (PID 944)
          "C:\Users\Admin\AppData\Local\Temp\Defender.exe" /SYS 1
          Modifies security service; Executes dropped EXE; Windows security modification
    - C:\Users\Admin\AppData\Local\Temp\EBFile_3.exe (PID 852)
      "C:\Users\Admin\AppData\Local\Temp\EBFile_3.exe"
      Executes dropped EXE; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WScript.exe (PID 1652)
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\finalres.vbs"
        Suspicious use of WriteProcessMemory
        - C:\Windows\System32\WScript.exe (PID 2032, reused: the earlier Defender.exe /D had the same PID)
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp.\finalres2.vbs"
          Suspicious use of WriteProcessMemory
          - C:\Windows\System32\cmd.exe (PID 1624)
            cmd /c ""C:\Users\Admin\AppData\Local\Temp.\finalres.bat" "
      - C:\Windows\System32\cmd.exe (PID 1568)
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\EBFile_3.exe"
        Suspicious use of WriteProcessMemory
        - C:\Windows\system32\choice.exe (PID 1508)
          choice /C Y /N /D Y /T 3
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1844 or 1372)
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1844 or 1372)
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
- C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam

PIDs are taken from the signature tables above; the report does not say which vbc.exe instance is 1844 and which is 1372. Three things in this tree are worth reading together:
- "/stext <file>" is the switch NirSoft's command-line password-recovery utilities use to write their results as plain text. A vbc.exe (the VB.NET compiler) started with that switch and no source file, after its parent wrote into it ten times and reset its thread context, is a hollowed host running an injected dumper; the holdermail.txt and holderwb.txt names indicate a mail-client and a browser credential dump respectively.
- "choice /C Y /N /D Y /T 3 & Del <path>" is the usual batch idiom for a timed self-delete: choice waits three seconds so the parent can exit and release its file lock, then del removes EBFile_3.exe.
- Every attacker-supplied binary runs from %TEMP% or AppData\Roaming under a name borrowed from Windows (Windows Update.exe, Defender.exe); the genuine components live under C:\Windows and are never started from a user profile.
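A lineage-aware check over this process tree, as an added example that is not code from the report or from the sandbox: it flags the NirSoft-style "/stext" switch handed to vbc.exe, the "choice ... & Del" self-delete that targets the parent's own image, and Windows-component names (Windows Update.exe, Defender.exe) running from user-writable paths, and it resolves parents by creation order so that the reused PID 2032 is attributed correctly. The process records are constructed from the tree above; the first process's parent PID (0), the relative creation order of the two PID-2032 processes, the list of hollowing hosts beyond vbc.exe and the masquerade names beyond the two in this report are assumptions.

```python
"""Process-lineage detection for the tree in this report. Added example, not part of
the sandbox report; PROCS is constructed from the report's process tree."""
import re

# (pid, ppid, image, command line) in assumed creation order. The submitter's launcher
# is not in the report, so the first ppid is 0. PID 2032 is genuinely reused in the
# report: Defender.exe first, WScript.exe later.
PROCS = [
    (1084, 0,    r"C:\Users\Admin\AppData\Local\Temp\Vape V4 Crack.bin.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\Vape V4 Crack.bin.exe"'),
    (1580, 1084, r"C:\Users\Admin\AppData\Roaming\Windows Update.exe",
                 r'"C:\Users\Admin\AppData\Roaming\Windows Update.exe"'),
    (1560, 1580, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
                 r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\BFile_1.txt'),
    (908,  1580, r"C:\Users\Admin\AppData\Local\Temp\EBFile_2.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\EBFile_2.exe"'),
    (2032, 908,  r"C:\Users\Admin\AppData\Local\Temp\Defender.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\Defender.exe" /D'),
    (944,  2032, r"C:\Users\Admin\AppData\Local\Temp\Defender.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\Defender.exe" /SYS 1'),
    (852,  1580, r"C:\Users\Admin\AppData\Local\Temp\EBFile_3.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\EBFile_3.exe"'),
    (1844, 1580, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
                 r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'),
    (1372, 1580, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
                 r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"'),
    (1652, 852,  r"C:\Windows\System32\WScript.exe",
                 r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\finalres.vbs"'),
    (1568, 852,  r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\EBFile_3.exe"'),
    (1508, 1568, r"C:\Windows\system32\choice.exe", r"choice /C Y /N /D Y /T 3"),
    (2032, 1652, r"C:\Windows\System32\WScript.exe",
                 r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp.\finalres2.vbs"'),
    (1624, 2032, r"C:\Windows\System32\cmd.exe",
                 r'cmd /c ""C:\Users\Admin\AppData\Local\Temp.\finalres.bat" "'),
]

# .NET binaries that commonly end up as hollowing hosts; vbc.exe is the one this report
# shows, the rest are an assumption drawn from the same pattern.
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "applaunch.exe"}
NIRSOFT_SWITCH = re.compile(r"(?:^|\s)/s(?:text|comma|tab|html|verhtml|xml)\b", re.I)
SELF_DELETE = re.compile(
    r"\bchoice\s+/C\s+\S+\s+/N\s+/D\s+\S+\s+/T\s+(\d+)\s*&\s*del\s+\"?([^\"]+?)\"?\s*$", re.I)
MASQUERADE = re.compile(r"^(windows ?update|defender|svchost)\.exe$", re.I)   # svchost: assumption
SYSTEM_DIRS = (r"c:\windows\\".rstrip("\\") + "\\", r"c:\program files")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parent_of(procs, idx):
    """Resolve a ppid to the most recent earlier-created process with that pid.
    A plain pid->process dict would attach both Defender.exe /SYS 1 and cmd.exe 1624
    to whichever PID 2032 it stored last; walking back in creation order does not."""
    ppid = procs[idx][1]
    for j in range(idx - 1, -1, -1):
        if procs[j][0] == ppid:
            return procs[j]
    return None


def check_proc(procs, idx):
    """Return the findings for one process (empty list when nothing fires)."""
    pid, ppid, image, cmd = procs[idx]
    parent = parent_of(procs, idx)
    name = basename(image)
    hits = []
    if name in HOLLOW_HOSTS and NIRSOFT_SWITCH.search(cmd):
        hits.append("NirSoft-style /s* dump switch passed to a .NET hollowing host")
    m = SELF_DELETE.search(cmd)
    if m and parent is not None and m.group(2).lower() == parent[2].lower():
        hits.append("delayed self-delete of the parent image (choice /T %s & del)" % m.group(1))
    if MASQUERADE.match(name) and not image.lower().startswith(SYSTEM_DIRS):
        hits.append("Windows component name running outside the system directories")
    return hits


def scan(procs):
    """Return [(pid, image basename, findings)] for processes that trip a rule."""
    out = []
    for i, (pid, _, image, _) in enumerate(procs):
        hits = check_proc(procs, i)
        if hits:
            out.append((pid, basename(image), hits))
    return out


if __name__ == "__main__":
    for pid, name, hits in scan(PROCS):
        print(pid, name)
        for h in hits:
            print("   ", h)
```

The self-delete rule deliberately requires the deleted path to equal the parent's image: "choice" followed by "del" is common in legitimate batch files, and it is the parent deleting itself that distinguishes the cleanup step seen here.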
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\BFile_1.txt
  MD5: 1a315f228b55458f972213ed7d06a82d
  SHA1: abd233b01b6532ff259e574f95f218a11c5b6caa
  SHA256: f31a1549c0ded4a9de1cfc44a7fe54b95c233379dae6dc58c56609a2381cc7f5
  SHA512: 9427ec6918639f3e0f12f2cbcb6a4f2b379cdb5e7042993a53b74077139817f711e5ded15579a3a8e5ae9c47216c618dfee96847b340e58cf8e8475a5ac828cf
- C:\Users\Admin\AppData\Local\Temp\Defender.exe (listed three times in the report with identical hashes)
  MD5: ac34ba84a5054cd701efad5dd14645c9
  SHA1: dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b
  SHA256: c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e
  SHA512: df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a
- C:\Users\Admin\AppData\Local\Temp\EBFile_2.exe (listed twice with identical hashes)
  MD5: 1d6a2397610b09dd6b49785182fd13d2
  SHA1: 4a4ccd35f98544d0dd5bd6a30f9101c7babb36d3
  SHA256: e96c14e2853a64717b64d3972e436dcfb39daa539ed1b67c8a58caafdf22c923
  SHA512: fe0c86e696e39386e58355ed887238ddb3ae5f1013cbcbae16fe61f968a537a831bae7c3deb4cd0342d898d5fa5b20d662831d83ad7ab22fb0ce9e7834d9cb82
- C:\Users\Admin\AppData\Local\Temp\EBFile_3.exe (listed twice with identical hashes)
  MD5: fde2f12ea09556a7d28e4d10a80c0e88
  SHA1: 9c44959deda54054be62d00fc1bd8254efcf4f69
  SHA256: 53509887881cb405ddb046fb70dcaa55c7e8f02b23799384dbfb7b97cc898968
  SHA512: c7832129ec62fd788394a5622b95b4536e1e3cac3938572a85c9b5deb17da13ac86166f322aab83a4baed97a990e2323e84dca3f518931897970da039e343cee
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  MD5: 6d36037988c328ba2fe31d405e118572
  SHA1: db5d7a91456262daa9c9807602730fc92f490f8b
  SHA256: af1deef9bf3f5a67a2e594ffe2092d52520806c63df035d664de4dda83f697e5
  SHA512: 8fe19e4aee0e351230a21b5a8152f48e6f163af64fcd9918bca28178db38f12e5b953294941756d87871b25390e6d999e78e01c529ed87653e0044d181464fe1
- C:\Users\Admin\AppData\Local\Temp\finalres.bat
  MD5: 2574c5b67cffffae5c7a056455d1d3ae
  SHA1: 2386d127b47e27b236eb0cb6d90ffa67376891d2
  SHA256: b25df4870b5e471b57431771df6dbb10c68b0eb8f9d5fef9c72e4cf3844dc9fc
  SHA512: be6930b803980d1ed71cb2c9907884d172a93ad3f34cffda2ceadf3afad9fe3e354d95bebc250bf2db1179fd9cbaa57da71925e45f2f2430d3ae72f587a9d610
- C:\Users\Admin\AppData\Local\Temp\finalres.vbs
  MD5: cbca85af83070314b060c23175f9f4df
  SHA1: a881531b0a737c4cd2a910478836ad0d78a5d4c0
  SHA256: 97de4041a56e13945df8a7db417de01f4ea5f1ece5623fb557b5d8e36e4f2f91
  SHA512: ea74acef42ca1558a0734b7adf5ee9192e244f0d9b30985ae7ad3dfb0d303205d51f863e10b0f4ad00165c0aa70edf48a4a9f002c8752e75c7e059b567b5c46d
- C:\Users\Admin\AppData\Local\Temp\finalres2.vbs
  MD5: 50f631e85016c256f4f103d8a8f711b1
  SHA1: 2e39050ce0bc06e9426f3ac440fec9067777eba2
  SHA256: 8610901e51055bcbbef41f30194f46a13ecfaf1876a2019de0c9078d67d63bb4
  SHA512: b5e643cbdaac4a07d31ea71c001e514ccf165a03e207f773a87c633f4d8728049eccb775d7f594ad6225dda2b73538e323861438957ab5453ca1140529a3f80b
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
  These are the hashes of a file containing only a CRLF (two bytes): the browser-credential dump written by the vbc.exe host came back empty because the sandbox profile holds no saved browser logins. holdermail.txt does not appear among the dropped files at all.
- C:\Users\Admin\AppData\Roaming\Windows Update.exe (listed twice with identical hashes)
  MD5: 6a669de1d724cc4874c42ae535ca892d
  SHA1: de905655fd632fff874bc907726e9b9a16886ea9
  SHA256: 5d45d76577ec4d7429bab8dbfa6f5ff52d947a5c7c6f9ff373456e0c3703e454
  SHA512: 23ed610d8a5803934a2a35de40fbd3e55a91d89b436812e0bb8cc692e8d10ce5a9e10e63267084461b13d50a5eeac5ed45df67950e164654e6ba8de859921708
  Identical to the submitted sample: the persistence copy in AppData\Roaming is a byte-for-byte copy of Vape V4 Crack.bin.exe.
- \Users\Admin\AppData\Local\Temp\Defender.exe (same hashes as C:\Users\Admin\AppData\Local\Temp\Defender.exe above)
- \Users\Admin\AppData\Local\Temp\EBFile_2.exe (same hashes as C:\Users\Admin\AppData\Local\Temp\EBFile_2.exe above)
- \Users\Admin\AppData\Local\Temp\EBFile_3.exe (same hashes as C:\Users\Admin\AppData\Local\Temp\EBFile_3.exe above)
- \Users\Admin\AppData\Roaming\Windows Update.exe (same hashes as C:\Users\Admin\AppData\Roaming\Windows Update.exe above)
- memory/748-35-0x000007FEF7800000-0x000007FEF7A7A000-memory.dmp (2.5MB)
- memory/852-14-0x0000000000000000-mapping.dmp
- memory/852-17-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp (9.9MB)
- memory/852-23-0x0000000000DE0000-0x0000000000DE1000-memory.dmp (4KB)
- memory/908-25-0x0000000001010000-0x0000000001011000-memory.dmp (4KB)
- memory/908-10-0x0000000000000000-mapping.dmp
- memory/908-19-0x00000000708D0000-0x0000000070FBE000-memory.dmp (6.9MB)
- memory/1372-33-0x0000000000442628-mapping.dmp
- memory/1372-32-0x0000000000400000-0x0000000000458000-memory.dmp (352KB)
- memory/1372-34-0x0000000000400000-0x0000000000458000-memory.dmp (352KB)
- memory/1508-40-0x0000000000000000-mapping.dmp
- memory/1560-7-0x0000000000000000-mapping.dmp
- memory/1568-39-0x0000000000000000-mapping.dmp
- memory/1580-3-0x0000000000000000-mapping.dmp
- memory/1624-45-0x0000000000000000-mapping.dmp
- memory/1652-43-0x0000000002580000-0x0000000002584000-memory.dmp (16KB)
- memory/1652-37-0x0000000000000000-mapping.dmp
- memory/1844-22-0x0000000000400000-0x000000000041B000-memory.dmp (108KB)
- memory/1844-21-0x0000000000411654-mapping.dmp
- memory/1844-20-0x0000000000400000-0x000000000041B000-memory.dmp (108KB)
- memory/2032-42-0x0000000000000000-mapping.dmp
- memory/2032-28-0x0000000000000000-mapping.dmp
- memory/2032-46-0x0000000002640000-0x0000000002644000-memory.dmp (16KB)

The two vbc.exe hosts show the same shape: an image based at 0x400000 (108KB in PID 1844, 352KB in PID 1372) and a mapping dump at an address inside that image (0x411654 and 0x442628) rather than at 0, where every other process in the list has its mapping entry. That is consistent with process hollowing as recorded in the SetThreadContext signature: the injected image is written over the original base and the thread is pointed at its entry. The two different image sizes indicate two different injected payloads, matching the two different dump files (holdermail.txt and holderwb.txt) they were asked to write. The dumps at memory/1844-20 and memory/1372-32 are therefore the files to carve if the injected tools need to be identified.