Analysis
  max time kernel:   61s
  max time network:  91s
  platform:          windows7_x64
  resource:          win7-20220718-en
  resource tags:     arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  submitted:         27-07-2022 14:36
Behavioral task: behavioral1
  Sample:   Setup-Crack-Key.exe
  Resource: win7-20220718-en
General
  Target:  Setup-Crack-Key.exe
  Size:    394.8MB
  MD5:     16a270e38302409f5e21ff3199d4e072
  SHA1:    eb55332d66c1183139f442c44a2a650bc6ee62b5
  SHA256:  d469d7f395bc7c4c44d1340a299ccd03c39971587f09380fc433b5ea746a6137
  SHA512:  47063be4eda5123e7a7f4267d4f127cd9a461c12d74fb891b42578dca47fd02ddbe08047865b79c5317b4317a045346f4bfe92131402395af9766b27ca6b4305
  Note: at 394.8MB the file is far above the upload limit of many scanners and sandboxes; inflating an executable is a common way to keep it out of automated analysis, so the size is a reason for more scrutiny, not less.
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
VBOX__ is the OEM table ID VirtualBox writes into the guest's ACPI tables; a subkey of that name under HKLM\HARDWARE\ACPI\DSDT is a direct VirtualBox indicator.
Processes:
  process              description   ioc
  Setup-Crack-Key.exe  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments; on a virtual machine these values usually carry the hypervisor's name (for example VBOX in SystemBiosVersion on VirtualBox).
Processes:
  process              description        ioc
  Setup-Crack-Key.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Setup-Crack-Key.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
YARA rule matches in memory (rule: themida) 10 IoCs
Every match is on the same 0x0000000000D60000-0x000000000160C000 range of PID 240, consistent with a Themida-packed executable. Themida's protection layer performs its own debugger and VM checks, so the anti-analysis signatures on this page may originate in the packer rather than in the payload.
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/240-55-0x0000000000D60000-0x000000000160C000-memory.dmp  themida
  behavioral1/memory/240-56-0x0000000000D60000-0x000000000160C000-memory.dmp  themida
  behavioral1/memory/240-57-0x0000000000D60000-0x000000000160C000-memory.dmp  themida
  behavioral1/memory/240-58-0x0000000000D60000-0x000000000160C000-memory.dmp  themida
  behavioral1/memory/240-59-0x0000000000D60000-0x000000000160C000-memory.dmp  themida
  behavioral1/memory/240-60-0x0000000000D60000-0x000000000160C000-memory.dmp  themida
  behavioral1/memory/240-61-0x0000000000D60000-0x000000000160C000-memory.dmp  themida
  behavioral1/memory/240-62-0x0000000000D60000-0x000000000160C000-memory.dmp  themida
  behavioral1/memory/240-64-0x0000000000D60000-0x000000000160C000-memory.dmp  themida
  behavioral1/memory/240-84-0x0000000000D60000-0x000000000160C000-memory.dmp  themida
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 IoCs
EnableLUA under Policies\System is the UAC switch (0 means UAC is off); reading it tells the sample whether an elevation attempt will prompt the user.
Processes:
  process              description        ioc
  Setup-Crack-Key.exe  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Setting ThreadHideFromDebugger on a thread stops the kernel from delivering that thread's debug events to an attached debugger, a common anti-debugging step.
Processes:
  process              pid
  Setup-Crack-Key.exe  240
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  process              description        ioc
  Setup-Crack-Key.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Setup-Crack-Key.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
  process              pid
  Setup-Crack-Key.exe  240
  Setup-Crack-Key.exe  240
  Setup-Crack-Key.exe  240
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup-Crack-Key.exe (PID 240)
  command line: "C:\Users\Admin\AppData\Local\Temp\Setup-Crack-Key.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
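The registry probes recorded in the signatures above (VBOX__ under ACPI\DSDT, SystemBiosVersion and VideoBiosVersion, CentralProcessor\0, EnableLUA), classified by a small triage script. This is an added example, not the sandbox's signature engine and not code from the sample. The IoC lines it reads are constructed in the report's own "description ioc" form, with one ordinary key added as a control; the ACPI table IDs VRTUAL (Hyper-V) and BOCHS_ (QEMU/Bochs) in the second rule are an assumption that extends the VirtualBox check to other hypervisors.

```python
"""Map registry IoCs from a sandbox report onto anti-VM / anti-sandbox
signatures.  Added example; not the sandbox's own rule engine.  The paths
VBOX__, SystemBiosVersion, VideoBiosVersion, CentralProcessor\0 and EnableLUA
are those in the report; VRTUAL and BOCHS_ are assumed table IDs for other
hypervisors."""
import re

# Constructed sample lines in the report's "description ioc" form, plus one
# ordinary key as a control that should not match any rule.
SAMPLE_IOCS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName",
]

# (signature name, regex over the registry path).  The Windows registry is
# case-insensitive, so every rule is compiled with re.I.
RULES = [
    ("Identifies VirtualBox via ACPI registry values",
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Identifies hypervisor via ACPI registry values (assumed table IDs)",
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\(VRTUAL|BOCHS_)", re.I)),  # assumption
    ("Checks BIOS information in registry",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", re.I)),
    ("Checks processor information in registry",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+", re.I)),
    ("Checks whether UAC is enabled",
     re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
]

IOC_RE = re.compile(r"^(?P<action>Key opened|Key value queried)\s+(?P<path>\\REGISTRY\\.+)$")


def classify(ioc_line):
    """Return the first matching signature name, or None for an ordinary key."""
    m = IOC_RE.match(ioc_line)
    if not m:
        raise ValueError(f"unrecognised IoC line: {ioc_line!r}")
    path = m["path"]
    for name, rx in RULES:
        if rx.search(path):
            return name
    return None


def triage(ioc_lines):
    """Pair every IoC line with the signature it hits (None if none)."""
    return [(line, classify(line)) for line in ioc_lines]


def evasion_score(ioc_lines):
    """Number of distinct anti-analysis signatures hit across the run."""
    return len({sig for _, sig in triage(ioc_lines) if sig is not None})


if __name__ == "__main__":
    for line, sig in triage(SAMPLE_IOCS):
        print(f"{sig or '-':60} {line}")
    print("distinct anti-analysis signatures:", evasion_score(SAMPLE_IOCS))
```

The score counts distinct signatures, not raw hits, so repeated queries of one key do not inflate it. A run that hits four of them and ends after 61s of kernel time is a candidate for re-execution on a hardened VM or bare metal: if one of these checks succeeded and the sample exited early, everything after that point is missing from the report.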
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  memory dump                                                        Filesize
  memory/240-54-0x0000000075591000-0x0000000075593000-memory.dmp    8KB
  memory/240-55-0x0000000000D60000-0x000000000160C000-memory.dmp    8.7MB
  memory/240-56-0x0000000000D60000-0x000000000160C000-memory.dmp    8.7MB
  memory/240-57-0x0000000000D60000-0x000000000160C000-memory.dmp    8.7MB
  memory/240-58-0x0000000000D60000-0x000000000160C000-memory.dmp    8.7MB
  memory/240-59-0x0000000000D60000-0x000000000160C000-memory.dmp    8.7MB
  memory/240-60-0x0000000000D60000-0x000000000160C000-memory.dmp    8.7MB
  memory/240-61-0x0000000000D60000-0x000000000160C000-memory.dmp    8.7MB
  memory/240-62-0x0000000000D60000-0x000000000160C000-memory.dmp    8.7MB
  memory/240-63-0x00000000779E0000-0x0000000077B60000-memory.dmp    1.5MB
  memory/240-64-0x0000000000D60000-0x000000000160C000-memory.dmp    8.7MB
  memory/240-65-0x0000000060900000-0x0000000060992000-memory.dmp    584KB
  memory/240-84-0x0000000000D60000-0x000000000160C000-memory.dmp    8.7MB
  memory/240-85-0x00000000779E0000-0x0000000077B60000-memory.dmp    1.5MB