defc2be5b09b2c7d97542ee949a45e8d6dd9f825b520b94b7072c232fd019faa

Analysis

max time kernel
150s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 15:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

defc2be5b09b2c7d97542ee949a45e8d6dd9f825b520b94b7072c232fd019faa.exe
Size

94KB
MD5

1532642cfbbdc83113103e7ba8648d60
SHA1

5265c113624dfdf493b90755676b43e88ef5dba1
SHA256

defc2be5b09b2c7d97542ee949a45e8d6dd9f825b520b94b7072c232fd019faa
SHA512

151fd57a10e5aacc12139bcf769e3218d05220ab926d0c91373b6f0c355cd99ab89fe5dd7f5d555e027255e6cb23c9ce826b6a63c1741b1b289376afab4d55a9
SSDEEP

1536:Muna95xsfR7SO3I9URXcgloB9fKGA7jWC45g3ASR3Uc1uof:Mua95SfR94GxcgaM7j74afEkrf

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1976	Crac.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
816	netsh.exe

Loads dropped DLL 1 IoCs

pid	Process
1608	defc2be5b09b2c7d97542ee949a45e8d6dd9f825b520b94b7072c232fd019faa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	Crac.exe
Token: 33	1976	Crac.exe
Token: SeIncBasePriorityPrivilege	1976	Crac.exe
Token: 33	1976	Crac.exe
Token: SeIncBasePriorityPrivilege	1976	Crac.exe
Token: 33	1976	Crac.exe
Token: SeIncBasePriorityPrivilege	1976	Crac.exe
Token: 33	1976	Crac.exe
Token: SeIncBasePriorityPrivilege	1976	Crac.exe
Token: 33	1976	Crac.exe
Token: SeIncBasePriorityPrivilege	1976	Crac.exe
Token: 33	1976	Crac.exe
Token: SeIncBasePriorityPrivilege	1976	Crac.exe
Token: 33	1976	Crac.exe
Token: SeIncBasePriorityPrivilege	1976	Crac.exe
Token: 33	1976	Crac.exe
Token: SeIncBasePriorityPrivilege	1976	Crac.exe
Token: 33	1976	Crac.exe
Token: SeIncBasePriorityPrivilege	1976	Crac.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1976	1608	defc2be5b09b2c7d97542ee949a45e8d6dd9f825b520b94b7072c232fd019faa.exe	26
PID 1608 wrote to memory of 1976	1608	defc2be5b09b2c7d97542ee949a45e8d6dd9f825b520b94b7072c232fd019faa.exe	26
PID 1608 wrote to memory of 1976	1608	defc2be5b09b2c7d97542ee949a45e8d6dd9f825b520b94b7072c232fd019faa.exe	26
PID 1608 wrote to memory of 1976	1608	defc2be5b09b2c7d97542ee949a45e8d6dd9f825b520b94b7072c232fd019faa.exe	26
PID 1976 wrote to memory of 816	1976	Crac.exe	27
PID 1976 wrote to memory of 816	1976	Crac.exe	27
PID 1976 wrote to memory of 816	1976	Crac.exe	27
PID 1976 wrote to memory of 816	1976	Crac.exe	27

C:\Users\Admin\AppData\Local\Temp\defc2be5b09b2c7d97542ee949a45e8d6dd9f825b520b94b7072c232fd019faa.exe
"C:\Users\Admin\AppData\Local\Temp\defc2be5b09b2c7d97542ee949a45e8d6dd9f825b520b94b7072c232fd019faa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\Crac.exe
  "C:\Users\Admin\AppData\Local\Temp\Crac.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Crac.exe" "Crac.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crac.exe

Filesize
94KB

MD5
1532642cfbbdc83113103e7ba8648d60

SHA1
5265c113624dfdf493b90755676b43e88ef5dba1

SHA256
defc2be5b09b2c7d97542ee949a45e8d6dd9f825b520b94b7072c232fd019faa

SHA512
151fd57a10e5aacc12139bcf769e3218d05220ab926d0c91373b6f0c355cd99ab89fe5dd7f5d555e027255e6cb23c9ce826b6a63c1741b1b289376afab4d55a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crac.exe

Filesize
94KB

MD5
1532642cfbbdc83113103e7ba8648d60

SHA1
5265c113624dfdf493b90755676b43e88ef5dba1

SHA256
defc2be5b09b2c7d97542ee949a45e8d6dd9f825b520b94b7072c232fd019faa

SHA512
151fd57a10e5aacc12139bcf769e3218d05220ab926d0c91373b6f0c355cd99ab89fe5dd7f5d555e027255e6cb23c9ce826b6a63c1741b1b289376afab4d55a9

Download Submit
\Users\Admin\AppData\Local\Temp\Crac.exe

Filesize
94KB

MD5
1532642cfbbdc83113103e7ba8648d60

SHA1
5265c113624dfdf493b90755676b43e88ef5dba1

SHA256
defc2be5b09b2c7d97542ee949a45e8d6dd9f825b520b94b7072c232fd019faa

SHA512
151fd57a10e5aacc12139bcf769e3218d05220ab926d0c91373b6f0c355cd99ab89fe5dd7f5d555e027255e6cb23c9ce826b6a63c1741b1b289376afab4d55a9

Download Submit
memory/1608-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1608-55-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/1608-61-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-62-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/1976-65-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download