Analysis

  • max time kernel
    12s
  • max time network
    15s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-es
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-es, locale:es-es, os:windows10-2004-x64, system, windows
  • submitted
    28-12-2022 22:11

General

  • Target

    crack.exe

  • Size

    20.2MB

  • MD5

    32fe5f3e8e4387d1517716eaa2a7d29e

  • SHA1

    06064674f8b101effdac8c2e90cea3a5fe024822

  • SHA256

    b45af27832565b2f5c3e782e95ce0c1385858b0523e78168f44162c547b387c2

  • SHA512

    2997e2acd001a7185378b638c23656fd2d0a09f21b73eb57ed7962fd19122e1d8d3b671ba6af48ef54ce1544d356c895decf982c2a8a91fd3f36eb1e5253e47d

  • SSDEEP

    393216:i9Pg/wSdRF9BrpqG8tcDmpEsjaC9PM1KkkgxMuXRbDCaRzFcvMNvOrgNm2ZgS:kgNvd+7pLfrSyaBF2MNvOsNmXS

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\crack.exe
    "C:\Users\Admin\AppData\Local\Temp\crack.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4904
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "AdobeGCInvoker-1.0"
      2⤵
      PID:2056
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "Adobe Acrobat Update Task"
      2⤵
      PID:4848
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im armsvc.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:956
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im AGSService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1352
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im AGMService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1144
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" config AdobeARMservice start= disabled
      2⤵
      • Launches sc.exe
      PID:1496
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" config AGSService start= disabled
      2⤵
      • Launches sc.exe
      PID:3576
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" config AGMService start= disabled
      2⤵
      • Launches sc.exe
      PID:1268
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c FOR /f "tokens=2*" %i IN ('REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath') DO IF EXIST %j (REN "%j\acrodistdll.dll" "acrodistdll.dll.bak")
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5044
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4312
        • C:\Windows\SysWOW64\reg.exe
          REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath
          4⤵
          PID:4820
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c FOR /f "tokens=2*" %i IN ('REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath') DO IF EXIST %j (COPY /y "C:\Users\Admin\AppData\Local\Temp\Acrobat Temp\acrodistdll.dll" "%j\acrodistdll.dll")
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4544
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1704
        • C:\Windows\SysWOW64\reg.exe
          REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath
          4⤵
          PID:848
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c FOR /f "tokens=2*" %i IN ('REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath') DO IF EXIST %j (REN "%j\acrotray.exe" "acrotray.exe.bak")
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\SysWOW64\reg.exe
          REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath
          4⤵
          PID:1008
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c FOR /f "tokens=2*" %i IN ('REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath') DO IF EXIST %j (COPY /y "C:\Users\Admin\AppData\Local\Temp\Acrobat Temp\acrotray.exe" "%j\acrotray.exe")
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3724
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4048
        • C:\Windows\SysWOW64\reg.exe
          REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath
          4⤵
          PID:2228
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c FOR /f "tokens=2*" %i IN ('REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath') DO IF EXIST %j (REN "%j\Acrobat.dll" "Acrobat.dll.bak")
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath
        3⤵
        PID:4148
        • C:\Windows\SysWOW64\reg.exe
          REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath
          4⤵
          PID:2412
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c FOR /f "tokens=2*" %i IN ('REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath') DO IF EXIST %j (COPY /y "C:\Users\Admin\AppData\Local\Temp\Acrobat Temp\Acrobat.dll" "%j\Acrobat.dll")
      2⤵
      PID:3820
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath
        3⤵
        PID:1692
        • C:\Windows\SysWOW64\reg.exe
          REG QUERY "HKLM\SOFTWARE\Adobe\Acrobat Distiller\DC" /v InstallPath
          4⤵
          PID:60
