Analysis
-
max time kernel
43s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
03/10/2023, 12:37
General
-
Target
Mixed Cracking Pack Tools vol.3.exe
-
Size
762.9MB
-
MD5
9ce3bca935a2823e3290e4a51a52cb15
-
SHA1
2b515612ac972df47e43486c7dd7bf404c9ee183
-
SHA256
b170b77fda8a44f846d2f29ed66d7645511cb8e2343691b8d53e5a6f5c09a390
-
SHA512
5c1c18c919d3297585528d7bf870a88bc44858114d42ec6e41ac10fc1aaa442b12cdd402dac3ef5ed5e015218e67dd1eae5ac56ec61cf17cf26739f120b4ca3e
-
SSDEEP
49152:r4Lu2F3OzhVtsJNcPlVor4AvnQXHXlrCs0wjEUQr9+wW:r78ezhVfAf4HVrCs0EQ
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Themida packer 20 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 51 IoCs
-
Suspicious use of SendNotifyMessage 50 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\Mixed Cracking Pack Tools vol.3.exe"C:\Users\Admin\AppData\Local\Temp\Mixed Cracking Pack Tools vol.3.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sco.0.bat" "2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\ProgramData\active\LZMYBCTLTD.exe"C:\ProgramData\active\LZMYBCTLTD.exe"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'4⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "LZMYBCTLTD" /tr C:\ProgramData\active\LZMYBCTLTD.exe /f4⤵
- Creates scheduled task(s)
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
164.1MB
MD5c65fcc626dfae3faa2e53b84543638ba
SHA1072bbc8c983c77dc7032428f0efdc240f0b8b99e
SHA256cf83e603911285aeb7809c5b03c4a835f5ebf139d2c39855bf4d43c6323ca340
SHA512f7249740ddf0939542991d8410972009c6271ee0ca94d23b47025ef5c7b82d769ba49e8fa53228424f953288f084c95bcc606cd4b1e3612885defaa41abab785
-
Filesize
170.6MB
MD5ed150d3615fe66ec5f27f6ae616982d5
SHA12f1eb012f2769fd1b60f7013da54eaa2af08cde6
SHA25632451f9b02deb220cefd229cec631143c213469327d864e5a4c2a909e8f47643
SHA512ed1f91b09c91b8076bb33db885160a1829683478b9f1044b006692616f9d1fbe96e964cce259c83ec15e39972c265417545d1010c4213e89c631861368dfa231
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD5219248a37ea5dbb52b966113498c4e26
SHA197aa0aab1ff92571c492267fa1e9ff7cfaabd585
SHA256b2ace6bfb4fb5f6fe2074d4f824cb1119efa039a1ef99b10eb1ffaae41933d8c
SHA5125b100e94a844311bb05a8a41ae71cffcaec2d9ecf8ecd38ef014b384fa610c066eaaa1ad27a4d10765120360e229b9fff4f31bbab95779ef26ffaf9ee2508c25
-
Filesize
18KB
MD5219248a37ea5dbb52b966113498c4e26
SHA197aa0aab1ff92571c492267fa1e9ff7cfaabd585
SHA256b2ace6bfb4fb5f6fe2074d4f824cb1119efa039a1ef99b10eb1ffaae41933d8c
SHA5125b100e94a844311bb05a8a41ae71cffcaec2d9ecf8ecd38ef014b384fa610c066eaaa1ad27a4d10765120360e229b9fff4f31bbab95779ef26ffaf9ee2508c25
-
Filesize
18KB
MD5eaab4c0cf3541f4b2b96f54b20c79358
SHA130b9d720b69472ac676bb690426f22ecef950f12
SHA2563da786e79e36fa4ec7bc97c8ff8300e1f04d7020b4a6eaf890a7ed7eab74cf2e
SHA51231373b4934a816519c33749a87aa06db53f8c481354e72afe6680e655bfcb081b0d370aca4ea963aa3846b4105c6e2a8b270c092c1b6fffddd331c4a063c2b61
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
174B
MD51a6312d8dd415ec5af7f41d402e3e0e3
SHA1090a3bcab72fcf539f8a5a6a99047f344f3c461c
SHA256a5d8729065b43594cabcae56d1ed85a91235b7582841bc9e53e80c88b02016fa
SHA5126fb46d47483e107f282352f78e0db571f54e7ad595cb0dd648b8fe9033eac500e54919abe4572d8f701a9d0f02f37331ff1d45277595483fbc06e1dc0a48b970
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
3.3MB
-
Filesize
68KB
-
Filesize
408KB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
8KB
-
Filesize
6.5MB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB