9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a

Analysis

max time kernel
90s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 06:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
Size

864KB
MD5

56b829129dab2ccd25ab65f2f9cc19f0
SHA1

99de7ab4266a4cc71d60b52f43487f6aa8e29228
SHA256

9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a
SHA512

42144565c457c1d300cf7f139cbc2b0cfc561979b1a1db3dc55d67c4317f9659f8a79bd52b78929e5094dc2a759250198ebc3f673d30e4b2773529e022501aa7
SSDEEP

1536:OKD0A2T3vLbsih9e8bTTpb/IgQmP9zKcTDB4w/UjlQ/dpKRqm:352T3siXei5bcmP9JfUjWU

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SvcHosts32 = "C:\\Windows\\system32\\svchosts.exe"	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers32\Metal Gear Solid III Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Midtown Madness 2 No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\GetRight 6.x Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Alpha Communicator 5.0 Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\DAP Plus 5.3 Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Half-Life 2 No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\Tiger Woods PGA TOUR 2002 No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\GeoWhere 2.11 Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\Network Cable e ADSL Speed 1.0.6 Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WS_FTP 5.x Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Microangelo 5.x Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Tony Hawks Pro Skater 4 Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\WinRAR 3.12 Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\NCAA Football 2003 Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\PhotoShow 2.0 Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\FIFA Soccer 2004 No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Lords of the Realm III Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Civilization III - Conquest Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WinZip 9.x Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Ulead GIF Animator 5.x Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\Commandos 3 - Destination Berlin No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\Splinter Cell Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\ZoneAlarm 3.x Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\GeoWhere 2.x Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Age of Wonders II - Shadow Magic Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NASCAR Thunder 2004 Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Train Simulator II Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Warlords IV - Heroes of Etheria Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Adobe Photoshop 7.x Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\Need for Speed Underground No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\ICUII 5.x.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\MechWarrior IV No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\Download Accelerator Plus 5.3 Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\Age of Mythology - The Titans Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\Quake III Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Kings of War No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NASCAR Thunder 2004 No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\Half-Life II No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\FIFA Soccer 2003 No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\Midtown Madness 2 No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Lord of the Rings - War of the Ring Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Warlords 4 No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Thief III No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Ulead PhotoImpact 9.x Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\Age of Wonders II - Shadow Magic No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\Battlefield 1942 - Secret Weapons of World War II No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\GetRight 5.0 Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Kings of War Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\FlashFXP 1.x Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\Star Wars Jedi Knight - Jedi Academy No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\MechWarrior 5 Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\Winamp 3.x Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NASCAR Racing 2003 No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Thief 2 Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\SimCity 4 No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\Adobe Photoshop 7.x Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\Microangelo 6.x Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Lord of the Rings - The Two Towers No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Thief 2 No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Network Cable e ADSL Speed 1.x Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\ICUII 5.7 Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WinRAR 3.11 Serial Generator.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\UT 2004 No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
File created	C:\Windows\SysWOW64\drivers32\Silent Hill 3 No-Cd Crack.exe	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 3296	4024	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe	91
PID 4024 wrote to memory of 3296	4024	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe	91
PID 4024 wrote to memory of 3296	4024	9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe	91

C:\Users\Admin\AppData\Local\Temp\9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe
"C:\Users\Admin\AppData\Local\Temp\9298ef441e49fee8c1b28f899d83a8392a41a5f6a88c5db12cf17658e886cf5a.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\$$$$$.bat
  2⤵
  PID:3296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\$$$$$.bat

Filesize
264B

MD5
26662d11e0b7940b2c5a2b3d4f7ff99b

SHA1
9c3ad791dc7119a8eecbee6d5931e0b6478c027b

SHA256
38f9ff1867d6f0f1e01a032ac1c5aeebc75d2480601c3d905f7bcc04e1da0460

SHA512
192af96863507bebe2ad767a6e773db433efa6f915d802e3a4eef819752e0dabdddfb3bd33c06d78c52dd849da75e19ccd8bce4962eb8e2ca71f88d2f305198c

Download Submit
memory/4024-132-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4024-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4024-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download