Analysis
-
max time kernel
144s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
25-03-2023 15:29
General
-
Target
Crack.exe
-
Size
880KB
-
MD5
e299ac0fd27e67160225400bdd27366f
-
SHA1
65011c91a7fbae82f4a6f3c81ff396b96f84359c
-
SHA256
cb2758f0f595a4fd22411088590a3bb671834342e73b86c4ef9d863d28eec8ed
-
SHA512
f4f4e4554b4391b50977948dbc7c1eb2c837fdb2f321665e406af90dba9ba4b2c4a851406ca13cb321c363602f24b963633c5153329f5e292f4a076e2cb98b46
-
SSDEEP
6144:LQuiA1RTz/cYja2ieb5YbF5R+Jn8xH97r7F71d43wUmDm:nz/9ja2ieFYp5R+I7BY
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Crack.exe"C:\Users\Admin\AppData\Local\Temp\Crack.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Crack.exe"C:\Users\Admin\AppData\Local\Temp\Crack.exe" -h2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 6083⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1708 -ip 17081⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\db.datFilesize
557KB
MD5df7b932ab62e929e3da95470914c10f3
SHA1a63097f937fbe5cde36ab3b1530d5df0fb250fb5
SHA256655a93928167bd8c84bc8dd6810c96cdd2e66a800197065ddb77bd30b2afef45
SHA5127f24316896ce45ee7d3544c1920967ff9e3bb31020100a333b96b19d3ef421f9d6496b87248812ca7be288febf8fe7f7272652893df6f8756ac53d49d40b3d92
-
C:\Users\Admin\AppData\Local\Temp\db.dllFilesize
52KB
MD51b20e998d058e813dfc515867d31124f
SHA1c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA25624a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA51279849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6
-
C:\Users\Admin\AppData\Local\Temp\db.dllFilesize
52KB
MD51b20e998d058e813dfc515867d31124f
SHA1c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f
SHA25624a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00
SHA51279849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6