c736478def3951cbc87555ec6e49c0d524bd0ab5f56c8f7a565b2041d101d1f1

General

Target

WiFi_Hacking_for_Beginners_Learn_Hacking_by_Hacking_WiFi_networks.exe
Size

812KB
MD5

8bcf3a361adba717214c18f123c59a28
SHA1

4ae8e67ff431839ebc815e4c7b05d8c1cc955932
SHA256

c736478def3951cbc87555ec6e49c0d524bd0ab5f56c8f7a565b2041d101d1f1
SHA512

975e78ca7c07e4e3ba151315dd8d4c41cca70ef9b5525cc293961db178d37bfaf47ecb857c66cd8b2cf4587e842827d62e76863c15bece6df94ac0a935f74caf
SSDEEP

24576:nJlh9bDuaI3UqH/98qgoamLnLaHBDQFblQ:nJqlVg1mLLaHOQ

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
4944	crack.exe
4644	crack.exe
1064	crack.exe
4372	crack.exe
4396	crack.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WiFi_Hacking_for_Beginners_Learn_Hacking_by_Hacking_WiFi_networks.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe	crack.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe	crack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WiFi_Hacking_for_Beginners_Learn_Hacking_by_Hacking_WiFi_networks.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	WiFi_Hacking_for_Beginners_Learn_Hacking_by_Hacking_WiFi_networks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4944	crack.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
652	WiFi_Hacking_for_Beginners_Learn_Hacking_by_Hacking_WiFi_networks.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
652	WiFi_Hacking_for_Beginners_Learn_Hacking_by_Hacking_WiFi_networks.exe
652	WiFi_Hacking_for_Beginners_Learn_Hacking_by_Hacking_WiFi_networks.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 4944	652	WiFi_Hacking_for_Beginners_Learn_Hacking_by_Hacking_WiFi_networks.exe	92
PID 652 wrote to memory of 4944	652	WiFi_Hacking_for_Beginners_Learn_Hacking_by_Hacking_WiFi_networks.exe	92

C:\Users\Admin\AppData\Local\Temp\WiFi_Hacking_for_Beginners_Learn_Hacking_by_Hacking_WiFi_networks.exe
"C:\Users\Admin\AppData\Local\Temp\WiFi_Hacking_for_Beginners_Learn_Hacking_by_Hacking_WiFi_networks.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:652
- C:\Users\Admin\Desktop\crack.exe
  "C:\Users\Admin\Desktop\crack.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Suspicious behavior: AddClipboardFormatListener
  PID:4944

C:\Users\Admin\Desktop\crack.exe
"C:\Users\Admin\Desktop\crack.exe"
1⤵
- Executes dropped EXE
PID:4644

C:\Users\Admin\Desktop\crack.exe
"C:\Users\Admin\Desktop\crack.exe"
1⤵
- Executes dropped EXE
PID:1064

C:\Users\Admin\Desktop\crack.exe
"C:\Users\Admin\Desktop\crack.exe"
1⤵
- Executes dropped EXE
PID:4372

C:\Users\Admin\Desktop\crack.exe
"C:\Users\Admin\Desktop\crack.exe"
1⤵
- Executes dropped EXE
PID:4396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\crack.exe.log

Filesize
1KB

MD5
3982d6d16fd43ae609fd495bb33433a2

SHA1
6c33cd681fdfd9a844a3128602455a768e348765

SHA256
9a0a58776494250224706cbfbb08562eec3891fb988f17d66d0d8f9af4253cf9

SHA512
4b69315f5d139b8978123bebd417231b28f86b6c1433eb88105465a342339c6c6b8c240a2ca8d2a9c1fca20136c8c167b78a770ab0664231f6e1742291cbf1aa

Download Submit
C:\Users\Admin\Desktop\crack.exe

Filesize
18KB

MD5
a0a22ba1e62b67b91905665b86df33b3

SHA1
30f03b81aa46284e26ffb7de1f17ab4203c7fff6

SHA256
e3cb33466bed760b23a24bd723b68ccb5da82ee350793f4cde7aa5ad53541b94

SHA512
39c530c36e2653847cc016354a7909a68e24f0830361b9ed6c4731819decf1b36bb73880d82bceec894fc0dc1f69461d4fd6782e6c8814032beda9e38dafc0bb

Download Submit
C:\Users\Admin\Desktop\crack.exe

Filesize
18KB

MD5
a0a22ba1e62b67b91905665b86df33b3

SHA1
30f03b81aa46284e26ffb7de1f17ab4203c7fff6

SHA256
e3cb33466bed760b23a24bd723b68ccb5da82ee350793f4cde7aa5ad53541b94

SHA512
39c530c36e2653847cc016354a7909a68e24f0830361b9ed6c4731819decf1b36bb73880d82bceec894fc0dc1f69461d4fd6782e6c8814032beda9e38dafc0bb

Download Submit
C:\Users\Admin\Desktop\crack.exe

Filesize
18KB

MD5
a0a22ba1e62b67b91905665b86df33b3

SHA1
30f03b81aa46284e26ffb7de1f17ab4203c7fff6

SHA256
e3cb33466bed760b23a24bd723b68ccb5da82ee350793f4cde7aa5ad53541b94

SHA512
39c530c36e2653847cc016354a7909a68e24f0830361b9ed6c4731819decf1b36bb73880d82bceec894fc0dc1f69461d4fd6782e6c8814032beda9e38dafc0bb

Download Submit
C:\Users\Admin\Desktop\crack.exe

Filesize
18KB

MD5
a0a22ba1e62b67b91905665b86df33b3

SHA1
30f03b81aa46284e26ffb7de1f17ab4203c7fff6

SHA256
e3cb33466bed760b23a24bd723b68ccb5da82ee350793f4cde7aa5ad53541b94

SHA512
39c530c36e2653847cc016354a7909a68e24f0830361b9ed6c4731819decf1b36bb73880d82bceec894fc0dc1f69461d4fd6782e6c8814032beda9e38dafc0bb

Download Submit
C:\Users\Admin\Desktop\crack.exe

Filesize
18KB

MD5
a0a22ba1e62b67b91905665b86df33b3

SHA1
30f03b81aa46284e26ffb7de1f17ab4203c7fff6

SHA256
e3cb33466bed760b23a24bd723b68ccb5da82ee350793f4cde7aa5ad53541b94

SHA512
39c530c36e2653847cc016354a7909a68e24f0830361b9ed6c4731819decf1b36bb73880d82bceec894fc0dc1f69461d4fd6782e6c8814032beda9e38dafc0bb

Download Submit
C:\Users\Admin\Desktop\crack.exe

Filesize
18KB

MD5
a0a22ba1e62b67b91905665b86df33b3

SHA1
30f03b81aa46284e26ffb7de1f17ab4203c7fff6

SHA256
e3cb33466bed760b23a24bd723b68ccb5da82ee350793f4cde7aa5ad53541b94

SHA512
39c530c36e2653847cc016354a7909a68e24f0830361b9ed6c4731819decf1b36bb73880d82bceec894fc0dc1f69461d4fd6782e6c8814032beda9e38dafc0bb

Download Submit
memory/1064-142-0x00007FF85FE90000-0x00007FF860951000-memory.dmp

Filesize
10.8MB

Download
memory/4372-144-0x00007FF85FE90000-0x00007FF860951000-memory.dmp

Filesize
10.8MB

Download
memory/4396-146-0x00007FF85FE90000-0x00007FF860951000-memory.dmp

Filesize
10.8MB

Download
memory/4644-138-0x00007FF85FE90000-0x00007FF860951000-memory.dmp

Filesize
10.8MB

Download
memory/4944-139-0x00007FF85FE90000-0x00007FF860951000-memory.dmp

Filesize
10.8MB

Download
memory/4944-132-0x0000000000000000-mapping.dmp

Download
memory/4944-136-0x00007FF85FE90000-0x00007FF860951000-memory.dmp

Filesize
10.8MB

Download
memory/4944-135-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing