9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c

Analysis

max time kernel
133s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
Size

624KB
MD5

00fe6859088859a2676e8a02fe96d1e1
SHA1

bac454656f0e6472b115f91ce09badad87aed4f0
SHA256

9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c
SHA512

74b58c1ae6f003c10f6085b6d9095f88d4bc7e3b1dd0f239879cfa1c8306c5e64f947c803cf6e53cad2565d53073021a76ab16958a51f6c94e4c6de6e0e3a9a2
SSDEEP

1536:OKD0A2T3vLbsih9e8bTTpb/IgQmP9zKcTDB4w/UjlQ/dpKRq:352T3siXei5bcmP9JfUjW

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SvcHosts32 = "C:\\Windows\\system32\\svchosts.exe"	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers32\QuickTime 6.x Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\NHL 2002 No-Cd Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WindowBlinds 4.0 Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\MechWarrior 5 Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Quake III Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Train Simulator 2 Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\NCAA Football 2004 Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\FlashGet 1.x Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Quake 4 No-Cd Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Rainbow Six 3 - Raven Shield No-Cd Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Star Wars - Knights of the Old Republic No-Cd Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\SWiSH 2.0 Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Lords of EverQuest Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Sniper Elite - Berlin 1943 Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\RealOne Player 2.0 Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\SimCity 4 No-Cd Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Train Simulator 2 Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Nero Burning ROM 5.5.x Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\ZoneAlarm 3.7.143 Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\FlashGet 1.3 Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WinAce 2.x Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Elder Scrolls III - Tribunal Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Quake IV No-Cd Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\GetRight 5.x Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Microangelo 5.58 Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NetPumper 1.03 Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Internet Turbo 2003 5.4 Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Direct Connect 1.x Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\ZoneAlarm 3.8 Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Network Cable e ADSL Speed 1.x Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\WinZip 8.0 Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Nero Burning ROM 6.x Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\UT 2004 Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Ulead GIF Animator 5.x Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\FIFA Soccer 2003 No-Cd Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Civilization III - Conquest No-Cd Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Metal Gear Solid III No-Cd Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Quake 3 No-Cd Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\SWiSH 2.x Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Internet Turbo 2003 5.x Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\MusicMatch Jukebox 8.0 Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Warlords IV - Heroes of Etheria Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Madden NFL 2004 Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Flight Simulator - Century of Flight No-Cd Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Lords of the Realm III Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Delta Force - Black Hawk Down Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Microangelo 5.58 Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Lord of the Rings - War of the Ring No-Cd Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NBA Live 2003 Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Paint Shop Pro 9.x Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\ACDSee 2.4.x Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Lord of the Rings - The Two Towers Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Tiger Woods PGA TOUR 2003 No-Cd Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Raven Shield Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Alpha Communicator 5.0 Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\mIRC 6.03 Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Hex Workshop Hex Editor 4.1 Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Halo Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Quake IV Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\Praetorians Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File created	C:\Windows\SysWOW64\drivers32\ICUII 5.x.exe.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Praetorians No-Cd Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Harry Potter - Quidditch World Cup No-Cd Crack.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NASCAR Thunder 2003 Serial Generator.exe	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 1908	2928	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe	86
PID 2928 wrote to memory of 1908	2928	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe	86
PID 2928 wrote to memory of 1908	2928	9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe	86

C:\Users\Admin\AppData\Local\Temp\9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe
"C:\Users\Admin\AppData\Local\Temp\9962539f85fdf6379ad9d5324aa54aa8c9c55b74107370f5b41ac40460e4698c.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\$$$$$.bat
  2⤵
  PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\$$$$$.bat

Filesize
264B

MD5
017c7fe72584f2513128a7b15f254eed

SHA1
8eea78f1dd454c492acc7438afbbad2a5617e67a

SHA256
701d005989e8cb0ad3256d7ac80af6c4ee05073fffcffd0fc88a780426c97d57

SHA512
b06bed18efd4c0366a5ea6dad83844a9a090501993733ec88ff034cc7f99678d68d6cbe9ea3457c874a9ec0e4920b556463892907abc69e4f36f12607c63e084

Download Submit
memory/1908-134-0x0000000000000000-mapping.dmp

Download
memory/2928-132-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2928-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2928-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download