147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
Size

4.1MB
MD5

19a9a5aa7b01ef16957e5a27ee67de2d
SHA1

9bc0a38a9bc2ad972b0cecdbd41beca922ca52a6
SHA256

147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39
SHA512

bf17be6fd5c1b48025ece53234634165ee4e30d6af2236ef35a1d9d2c899ac4369950fcc847e7ab25527fcd5f196e32a3019535bf7de7d8412b64976059d3d60
SSDEEP

1536:OKD0A2T3vLbsih9e8bTTpb/IgQmP9zKcTDB4w/UjlQ/dpKRq:352T3siXei5bcmP9JfUjW

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SvcHosts32 = "C:\\Windows\\system32\\svchosts.exe"	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers32\ZoneAlarm 3.7.143 Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Adobe Acrobat 5.x Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\QuickTime 6.x Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\ICUII 5.x.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Nero Burning ROM 6.x Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\NetPumper 1.03 Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\LingoWare 3.0 Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Microangelo 5.x Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Unreal Tournament 2003 Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Medal of Honor - Allied Assault Breakthrough Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Easy CD-DA Extractor 5.1 Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Half-Life No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Lords of EverQuest No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Age of Wonders II - Shadow Magic Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\FIFA Soccer 2004 No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Splinter Cell No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Hitman III Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\MVP Baseball 2003 Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NBA Live 2003 Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Black & White 2 No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\FIFA Soccer 2004 No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\IL-2 Sturmovik - Forgotten Battles No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Train Simulator II No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Winamp 2.91 Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Download Accelerator Plus 5.3 Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Nero Burning ROM 5.5.x Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Knights of the Temple Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\EverQuest 2 Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Madden NFL 2003 Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\SimCity 4 Rush Hour No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Tiger Woods PGA TOUR 2003 Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\NHL 2002 Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Quake 3 No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Divx 5.x Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WinZip 8.1 Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\MechWarrior III No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Winamp 3.x Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\SimCity IV No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\UltraEdit-32 10.x Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\MechWarrior 4 Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\SimCity 4 No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\WinZip 9.x Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Quake IV Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Dark Age of Camelot - Trials of Atlantis No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WinRAR 3.11 Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Xenus Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Max Payne 2 - The Fall of Max Payne Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\UT 2003 No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Hitman II No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Silent Hill 3 Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\mIRC 6.03 Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\GeoWhere 2.11 Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Dark Age of Camelot - Trials of Atlantis Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Return to Castle Wolfenstein Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Microangelo 5.58 Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\SimCity 4 Rush Hour Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Internet Turbo 2003 5.x Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Adobe Acrobat 5.x Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Lords of EverQuest No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File created	C:\Windows\SysWOW64\drivers32\Raven Shield No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NASCAR Racing 2003 No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Elder Scrolls III - Tribunal No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Conflict - Desert Storm II - Back to Baghdad Serial Generator.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NCAA Football 2003 No-Cd Crack.exe	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 2948	384	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe	90
PID 384 wrote to memory of 2948	384	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe	90
PID 384 wrote to memory of 2948	384	147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe	90

C:\Users\Admin\AppData\Local\Temp\147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe
"C:\Users\Admin\AppData\Local\Temp\147cdd423f9f36aea9c8d9f97884598b6ab49ae3de43edddc50b2123535e5f39.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\$$$$$.bat
  2⤵
  PID:2948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\$$$$$.bat

Filesize
264B

MD5
620a2cfea05e93fd3cf8c336f44db512

SHA1
72248366cd3d3a61d4f8b298ffa13479a40ec240

SHA256
33f64ca458bfd223ac1e542db3d3288eeefd271dc0126d1d5f5d8b0abcd07cbc

SHA512
322f27714c9e6503e06a2167f1db02e1b15b8655d85644242aec578268c2d241adf27b96ffd44b3f6535ba7e1dec473e038dc4d911d5e341b60dede6da76dcff

Download Submit
memory/384-132-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/384-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/384-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download