Analysis
-
max time kernel
35s -
max time network
53s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
-
submitted
23-06-2023 22:56
General
-
Target
Netflix Tools PACK/Netflix Tools PACK/Netflix GC Generator By SpaceXVIII/Netflix GC Cracked.to.exe
-
Size
172KB
-
MD5
076027fae13f9b886d78ebe466fa5973
-
SHA1
572b825dddc610eaeddf82df24472430cbe357ff
-
SHA256
c167494125ef849dad5077bc98d9a66ef013eb6e92770b9ce0c968515cf8644a
-
SHA512
2ef97b7d1e3b70f380f664ee5ab8b09233eff18aeb1ab23a2115e9fddbba499bd43008aa7719ebf27935aaeabb598b27e88c7bb23805f6406861065ed575c004
-
SSDEEP
3072:z4lsvEjP4AvO7LUhLacDaXhDXzsAw/yZ:z6s+DeX
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Windows directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Netflix GC Cracked.to.exe"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Netflix GC Cracked.to.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\Launcher.exe"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\Launcher.exe"2⤵
- Drops startup file
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\IMF\Windows Services.exe"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\IMF\Secure System Shell.exe"C:\Windows\IMF\Secure System Shell.exe"4⤵
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\GC.exe"C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\Netflix Tools PACK\Netflix GC Generator By SpaceXVIII\Gen\GC.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cracked.to/SpaceXVIII3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xe4,0x104,0x7ff9f65f46f8,0x7ff9f65f4708,0x7ff9f65f47184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,1853607529233670984,622167129225036164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,1853607529233670984,622167129225036164,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,1853607529233670984,622167129225036164,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1853607529233670984,622167129225036164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1853607529233670984,622167129225036164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1853607529233670984,622167129225036164,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:14⤵
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD509932bc072dfd2591f537c31e7f7c5bc
SHA15992d292629688f3b98db35a6274f9b9ef8baef1
SHA25641de587416d72dd9c2e27745572592deb76b2646b7c6491a6041019662a10c32
SHA5120141ddf09fbef149d342e48c3fc98231a707b9d95f52e65c530e3a7d7f4172a68bd15c270eb44759063b528a938a14ab19c5ff400c6f7092aff793d8a93e1a47
-
Filesize
152B
MD5218e449501e9bc2755a9758e17de9cde
SHA1b29d3810fddc119b996275825d0d6b6bfe00129f
SHA2566d27f9bfbdbb874d2e62a7e5276ff2405fefb4971374b6b593aaf0e408b15c86
SHA5125d0fa1934bfe03f54332134d07aad59044b05510c38b2ebd98f963867f2efc1e52aaca23e26925b395e7b5a6ae1a0c95c98d51050c909ae6a2d78ddc8f02cf68
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
2KB
MD58460db432a6d863a6846e379064b4def
SHA1d779f0eec861a9419974ea7e79466b282ca5fb1f
SHA2564fe10d06463c8a680c4048dbbec4d127e785ad31a24aeb466309fa1e429cf122
SHA5122003262bb341f823c133e77f0eb3a1d29915da4903cdc18361344051ce28ca171974b4ace46e8644b57db7742b98d59aebf252e70991584640b69dd83570c1c1
-
Filesize
5KB
MD57f2c89788f5d86c1b5afae06b3087bda
SHA1ff9443ccd26e98585abf59956b52be839f525139
SHA25626fabf9abceff81111ff2ef1fdc3fa564fba688d6bc83609dc8558b61edb623d
SHA5127a30e7f5d6325c1e0abb749dc3692c849e5877de1fb13925fac6664a29596a6a1b857015da0eadc58d5fb9e3d83c91bd2a234be0d96a3ecaef752e0d470d5a96
-
Filesize
24KB
MD506031cccee6e1ce17966c1b80f33d9ef
SHA18bde290327d41dc22ce2fa24bac69f4e849af953
SHA2563f5e917be6bfc9311f21bd4a8e702938814a3da67c1220db142cc94976fa4c90
SHA5121a8875afb7f567c16a1ea01318bd97a06dcffd7470fb80f154dbdc57487c1a50ab21127e8af433f2fb0b1e753813b24d789a4fdfd9992267ff75ef0b15fc7322
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
9KB
MD59e0984d5da7cc1d108493c72eaf59519
SHA16c90837191631ff7526d55d755744112b0d7f903
SHA256a9e0e81345947ff98dd455293e3d772a36e9c93637ab8511b730d9ad78bf4712
SHA51217054340ed1e56d6e0b92f2f41e452ef6a254f7a192b0f8c2039a68b27912796160148241166c7c1978311f6a3747c16d9c47cd3647631a5bb5c70e7582ba466
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
144KB
MD5ec70c6f4dc443c5ab2b91d64ae04fa8e
SHA143eb3b3289782fced204f0b4e3edad2ba1b085b7
SHA256276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d
SHA5126217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584
-
Filesize
144KB
MD5ec70c6f4dc443c5ab2b91d64ae04fa8e
SHA143eb3b3289782fced204f0b4e3edad2ba1b085b7
SHA256276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d
SHA5126217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584
-
Filesize
144KB
MD5ec70c6f4dc443c5ab2b91d64ae04fa8e
SHA143eb3b3289782fced204f0b4e3edad2ba1b085b7
SHA256276f1bfc6256f4c1ddd544d5a556d299ebddcf200a64ee7c9c3edef686df727d
SHA5126217c232edbcf60ae1337120aa9b51956e06f591c660fd720b02fe8abf01923dd4dca28f69ece88c12c705a4c3a392d0cbb6f4f6c6759306123db141ed05d584
-
Filesize
45KB
MD57d0c7359e5b2daa5665d01afdc98cc00
SHA1c3cc830c8ffd0f53f28d89dcd9f3426be87085cb
SHA256f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809
SHA512a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407
-
Filesize
45KB
MD57d0c7359e5b2daa5665d01afdc98cc00
SHA1c3cc830c8ffd0f53f28d89dcd9f3426be87085cb
SHA256f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809
SHA512a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407
-
Filesize
45KB
MD57d0c7359e5b2daa5665d01afdc98cc00
SHA1c3cc830c8ffd0f53f28d89dcd9f3426be87085cb
SHA256f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809
SHA512a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407
-
Filesize
46KB
MD5ad0ce1302147fbdfecaec58480eb9cf9
SHA1874efbc76e5f91bc1425a43ea19400340f98d42b
SHA2562c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3
SHA512adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53
-
Filesize
46KB
MD5ad0ce1302147fbdfecaec58480eb9cf9
SHA1874efbc76e5f91bc1425a43ea19400340f98d42b
SHA2562c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3
SHA512adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53
-
Filesize
46KB
MD5ad0ce1302147fbdfecaec58480eb9cf9
SHA1874efbc76e5f91bc1425a43ea19400340f98d42b
SHA2562c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3
SHA512adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
64KB
-
Filesize
6.5MB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
600KB
-
Filesize
216KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
5.6MB
-
Filesize
192KB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
344KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
504KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
328KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
112KB