5148d9fda60e23ece0181e5ab41aaf6f8572664825884e35f468e572358d072d

Analysis

max time kernel
124s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
Size

1022KB
MD5

a6eeb2b8c549e687e9cdad39206c6370
SHA1

da98d866884ebdb1dbf864a06726ab519d35a237
SHA256

5148d9fda60e23ece0181e5ab41aaf6f8572664825884e35f468e572358d072d
SHA512

5a8f684d214cfcc54eef0930c4650dff32bc035e81052902c2fecbb2b107d4646f91fbef4115561c3ac1707c240a6d0b21d03adbe405039a132a4800fd0a9bd6
SSDEEP

1536:OKD0A2T3vLbsih9e8bTTpb/IgQmP9zKcTDB4w/UjlQ/dpKRq:352T3siXei5bcmP9JfUjW

Score

7^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000023263-6.dat	aspack_v212_v242

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SvcHosts32 = "C:\\Windows\\system32\\svchosts.exe"	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers32\MusicMatch Jukebox 8.x Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\Winamp 2.91 Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\Grand Theft Auto - Vice City Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Shrek 2 No-Cd Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WindowBlinds 4.x Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\F1 2002 Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Freedom - Soldiers of Liberty Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\Command & Conquer Generals No-Cd Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\Nero Burning ROM 6.x Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\NetPumper 1.03 Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\FlashGet 1.x Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Easy CD-DA Extractor 5.x Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WinAce 2.2 Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\ZoneAlarm 3.7.143 Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\SimCity IV Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\ICUII 5.7 Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Thief II No-Cd Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Easy CD-DA Extractor 5.x Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\IL-2 Sturmovik - Forgotten Battles No-Cd Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\IconPackager 2.x Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\Winamp 2.91 Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Midtown Madness III No-Cd Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\MechWarrior IV Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\ICUII 5.7 Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\EverQuest 2 Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\PhotoShow 2.x Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WinRAR 3.12 Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\KaZaA Speedup 3.03 Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\Chrome No-Cd Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\IconPackager 2.12 Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Train Simulator 2 No-Cd Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\LingoWare 3.0 Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Download Accelerator Plus 5.3 Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\MechWarrior IV Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Metal Gear Solid 2 No-Cd Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NASCAR Racing 2003 Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\MechWarrior V No-Cd Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\Paint Shop Pro 8.x Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\GetRight 5.x Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\Quake IV Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\FlashFXP 1.x Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\SimCity 4 Rush Hour Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\DAP Plus 5.3 Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\MusicMatch Jukebox 8.x Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\WindowBlinds 4.0 Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Halo No-Cd Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\GeoWhere 2.11 Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\GetRight 5.x Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Train Simulator II No-Cd Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Counter-Strike - Condition Zero Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\SimCity 4 Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\World War II - Frontline Command No-Cd Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Macromedia Flash MX 6.x Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\NASCAR Thunder 2004 No-Cd Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\Download Accelerator Plus 5.3 Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Soul Reaver III No-Cd Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Hitman III No-Cd Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Midtown Madness 3 No-Cd Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\IconPackager 2.x Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\FlashFXP 1.x Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Elder Scrolls III - Tribunal No-Cd Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\DOOM 3 Serial Generator.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\Rainbow Six 3 - Raven Shield No-Cd Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
File created	C:\Windows\SysWOW64\drivers32\Lord of the Rings - The Two Towers No-Cd Crack.exe	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 648	3432	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe	92
PID 3432 wrote to memory of 648	3432	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe	92
PID 3432 wrote to memory of 648	3432	a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe	92

C:\Users\Admin\AppData\Local\Temp\a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a6eeb2b8c549e687e9cdad39206c6370exe_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\$$$$$.bat
  2⤵
  PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers32\Tomb Raider - The Angel of Darkness No-Cd Crack.exe

Filesize
1022KB

MD5
a6eeb2b8c549e687e9cdad39206c6370

SHA1
da98d866884ebdb1dbf864a06726ab519d35a237

SHA256
5148d9fda60e23ece0181e5ab41aaf6f8572664825884e35f468e572358d072d

SHA512
5a8f684d214cfcc54eef0930c4650dff32bc035e81052902c2fecbb2b107d4646f91fbef4115561c3ac1707c240a6d0b21d03adbe405039a132a4800fd0a9bd6

Download Submit
\??\c:\$$$$$.bat

Filesize
212B

MD5
5aef26b161387c0b7aed4771b9b72b89

SHA1
8f3538f4c5fffbda7786e3b4e569367cff4dd8cc

SHA256
11a3d3a96dd4815a91ef2fd9c8ec838bccd3a00208e48d911ae85038239dcaf6

SHA512
ff149dc5c63e6de8556a2afd5662709785a0defc1d8fc686511d466cf36e54a698392a863fc8e326b2b4b202e5e5c6dc6579ca54e17959aa8b66eb29c6862e16

Download Submit
memory/3432-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3432-477-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3432-821-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads