ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 18:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
Size

381KB
MD5

a3a770df8f0560ccd32fe23164b1dd60
SHA1

be8d00e7e2ecda1a3aa7be34eb14294d91c8678c
SHA256

ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a
SHA512

1291cdfad78657789ed2bf99f6cb852e52e2a238c898bae67e7f9e7c69175514e4ae2cf8c21f56fc5ee6e61c3cb38197f99e919049b2bcde00569f33c097186c
SSDEEP

1536:OKD0A2T3vLbsih9e8bTTpb/IgQmP9zKcTDB4w/UjlQ/dpKRq:352T3siXei5bcmP9JfUjW

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SvcHosts32 = "C:\\Windows\\system32\\svchosts.exe"	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers32\Internet Turbo 2003 5.x Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\Star Wars Jedi Knight - Jedi Academy No-Cd Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\ZoneAlarm 3.8 Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\SolSuite 2003 Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WinZip 9.x Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Divx 5.x Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\SWiSH 2.0 Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Commandos 3 - Destination Berlin No-Cd Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\WinZip 8.0 Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\Praetorians Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\PhotoShow 2.0 Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WinAce 2.2 Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Quake III Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Ulead GIF Animator 6.x Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Microangelo 5.x Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\MechWarrior 5 Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\Metal Gear Solid 2 No-Cd Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\Thief III No-Cd Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\Warlords IV - Heroes of Etheria Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\Thief 2 Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Elder Scrolls III - Tribunal No-Cd Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\Warlords 4 No-Cd Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\IconPackager 2.x Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Network Cable e ADSL Speed 1.0.6 Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Star Trek - Elite Force II Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\UT 2004 No-Cd Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\Microangelo 6.x Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Unreal Tournament 2004 No-Cd Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\MechWarrior V No-Cd Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Warcraft III - The Frozen Throne Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Warlords IV - Heroes of Etheria Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Adobe Photoshop 8.x Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\ZoneAlarm 3.7.143 Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\Commandos 3 - Destination Berlin Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NCAA Football 2004 No-Cd Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Paint Shop Pro 9.x Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Etherlords II Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Half-Life 2 Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\MusicMatch Jukebox 8.x Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\MechWarrior 3 Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Madden NFL 2004 Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Tiger Woods PGA TOUR 2003 Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\KaZaA Speedup 3.03 Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Sniper Elite - Berlin 1943 Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Tiger Woods PGA TOUR 2002 Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\Rainbow Six 3 - Raven Shield No-Cd Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\ZoneAlarm 3.8x Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Harry Potter - Quidditch World Cup No-Cd Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Adobe Acrobat 5.x Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Easy CD-DA Extractor 5.x Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\SnagIt 6.2.2 Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Grand Theft Auto - Vice City No-Cd Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WindowBlinds 4.x Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\SnagIt 6.2.2 Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\Winamp 2.91 Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\GeoWhere 2.x Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\Raven Shield No-Cd Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\Star Trek - Elite Force II No-Cd Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\Hex Workshop Hex Editor 4.1 Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\Return to Castle Wolfenstein Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File created	C:\Windows\SysWOW64\drivers32\Divx 5.x Serial Generator.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\DOOM 3 No-Cd Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NASCAR Thunder 2003 No-Cd Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WindowBlinds 4.0 Crack.exe	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 4352	4596	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe	90
PID 4596 wrote to memory of 4352	4596	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe	90
PID 4596 wrote to memory of 4352	4596	ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe	90

C:\Users\Admin\AppData\Local\Temp\ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe
"C:\Users\Admin\AppData\Local\Temp\ffbaaf3d34ec05c9108c3444a1245599112ee70f527c3174899f133f5f5a325a.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\$$$$$.bat
  2⤵
  PID:4352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\$$$$$.bat

Filesize
264B

MD5
99b05fa70b73c485866412f6ef455955

SHA1
e28005daeebf3725b93a747ca41d56497d28ad36

SHA256
7db52cadb0c785a41c37a5ee9e780770ae3496b06440210d9195211b0484320d

SHA512
af1614cab6aa11e18c4cfb6fa110861ecc4d7f83484e7bf9f9f74ecd51941f6266bfec52339594a3c3fdd5bd3cab157bfdcbb666bf0bf54257872732511fc882

Download Submit
memory/4596-132-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4596-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4596-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download