d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95

Analysis

max time kernel
110s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2022 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
Size

703KB
MD5

059df1d51ea0aee112dcfc05f1f14956
SHA1

dafafcfd314ea59c3ff5e3c0c2a0633a7ab6e03e
SHA256

d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95
SHA512

a5650496a5ee64a26acbefe4bfd3dda470a4bc080af94d663b97acc7979ee4dffacf3e8f4f6feff75edca709f1833916069fc8574264998623f9c7fb83d17a8d
SSDEEP

1536:OKD0A2T3vLbsih9e8bTTpb/IgQmP9zKcTDB4w/UjlQ/dpKRqm:352T3siXei5bcmP9JfUjWU

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SvcHosts32 = "C:\\Windows\\system32\\svchosts.exe"	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers32\Silent Hill III Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Ulead PhotoImpact 9.x Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Nero Burning ROM 5.5.x Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\MechWarrior III Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Shrek II No-Cd Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Macromedia Flash MX 6.x Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Ulead PhotoImpact 9.x Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\SimCity IV No-Cd Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\MechWarrior 5 No-Cd Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\UT 2004 Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Splinter Cell Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Adobe Acrobat 5.x Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Conflict - Desert Storm II - Back to Baghdad Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\WinRAR 3.12 Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Train Simulator II Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Shrek 2 Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Internet Download Manager 3.15 Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\FlashGet 1.x Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Battlefield 1942 - Secret Weapons of World War II No-Cd Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Thief II Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\F1 2002 No-Cd Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\SimCity IV Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\MechWarrior III No-Cd Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Train Simulator II No-Cd Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Warcraft III - The Frozen Throne Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Metal Gear Solid III Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Adobe Acrobat 5.x Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Train Simulator II No-Cd Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Return to Castle Wolfenstein Enemy Territory Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Hitman 2 Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\WinAce 2.x Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Hitman 2 No-Cd Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\MusicMatch Jukebox 8.0 Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Direct Connect 1.x Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Battlefield 1942 - The Road to Rome No-Cd Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Hex Workshop Hex Editor 4.1 Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\WS_FTP 5.x Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Adobe Photoshop 8.x Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Lord of the Rings - War of the Ring No-Cd Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Paint Shop Pro 8.x Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Need for Speed Underground Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\FireStarter Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Return to Castle Wolfenstein Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\MVP Baseball 2003 Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Quake 4 Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Warcraft III No-Cd Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\NHL 2002 No-Cd Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Easy CD-DA Extractor 5.1 Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Ulead PhotoImpact 8.x Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Elder Scrolls III - Tribunal No-Cd Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Download Accelerator Plus 5.3 Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Hitman III Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WinRAR 3.11 Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Warcraft III - The Frozen Throne No-Cd Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Thief 2 Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Warcraft 3 Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Thief III Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Thief III No-Cd Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Internet Turbo 2003 5.4 Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Medal of Honor - Allied Assault Breakthrough No-Cd Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Unreal Tournament 2003 Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Lords of EverQuest Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File created	C:\Windows\SysWOW64\drivers32\Warcraft 3 Serial Generator.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WindowBlinds 4.0 Crack.exe	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 804	1684	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe	85
PID 1684 wrote to memory of 804	1684	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe	85
PID 1684 wrote to memory of 804	1684	d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe	85

C:\Users\Admin\AppData\Local\Temp\d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe
"C:\Users\Admin\AppData\Local\Temp\d17dca782e1133f8cc73cbbf1728a8cffd817799ae6aa3e69322a33653d36f95.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\$$$$$.bat
  2⤵
  PID:804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\$$$$$.bat

Filesize
264B

MD5
db8cad47406fc511b9fba5a842f8a3ec

SHA1
b208a66658ecfd75eb0d0c57dab0738256617143

SHA256
30bea5ff0276e5c5e6d5aa4cf4ba9c7b85671513db5e70275136c76228865d32

SHA512
502f89dde3f911a13cd5c3a6f372363959f00cb55d0608c0d448130c78f28424ea0fc0a1d60ac4baad729426d21f22cfaaa068baba56d4084bd10689caeaf09e

Download Submit
memory/804-134-0x0000000000000000-mapping.dmp

Download
memory/1684-132-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1684-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1684-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download