2226a35aed8bc34d629b343d58f99133a701844915db6207bcdc619c96717037

General

Target

Crack_License_Key_Full.exe
Size

734.9MB
MD5

2a363a8b0813b483306caea96f498622
SHA1

42a2165360ec44cb24a7e7b44925e31e1e53f118
SHA256

f2e0109ae08de943890df32d768ec59ae0bc8ac7953ae87d61567b5ff2edce86
SHA512

52c2244824773e34816a941a069c81e49f7c217ff6d9f3af4e13a6a4222ab803aa02f3b1857e0696e288dce0f9c644dc9c745c20267d3e25efbd3e179a59b760
SSDEEP

98304:PbMJjxZQmPmceIv5pwv9R5f8wvj20cDOyu6suEeSlLER3kGv4XJy7WW8OWy3HvJp:+YIv5m/5fSxsuE6RqAdvz6DndfAvt

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	Crack_License_Key_Full.exe

Executes dropped EXE 1 IoCs

pid	Process
2496	Tomabuce.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2676	Crack_License_Key_Full.exe
2676	Crack_License_Key_Full.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Crack_License_Key_Full.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Crack_License_Key_Full.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2676	Crack_License_Key_Full.exe
2676	Crack_License_Key_Full.exe
2676	Crack_License_Key_Full.exe
2676	Crack_License_Key_Full.exe
2676	Crack_License_Key_Full.exe
2676	Crack_License_Key_Full.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 5020	2676	Crack_License_Key_Full.exe	91
PID 2676 wrote to memory of 5020	2676	Crack_License_Key_Full.exe	91
PID 2676 wrote to memory of 5020	2676	Crack_License_Key_Full.exe	91
PID 5020 wrote to memory of 5080	5020	cmd.exe	93
PID 5020 wrote to memory of 5080	5020	cmd.exe	93
PID 5020 wrote to memory of 5080	5020	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\Crack_License_Key_Full.exe
"C:\Users\Admin\AppData\Local\Temp\Crack_License_Key_Full.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Tomabuce.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Tomabuce.dat"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \Service\Data /tr """"C:\Users\Admin\AppData\Roaming\ServiceData\Tomabuce.exe""" """C:\Users\Admin\AppData\Roaming\ServiceData\Tomabuce.dat"""" /st 00:01 /du 9800:59 /sc once /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:5080

C:\Users\Admin\AppData\Roaming\ServiceData\Tomabuce.exe
C:\Users\Admin\AppData\Roaming\ServiceData\Tomabuce.exe "C:\Users\Admin\AppData\Roaming\ServiceData\Tomabuce.dat"
1⤵
- Executes dropped EXE
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ServiceData\Tomabuce.dat

Filesize
61KB

MD5
ff26eadebf9c2724747f1c4059a6add0

SHA1
f9819a938000e602538ab7ccd4ab8c40705e9f69

SHA256
58a93911f73ba5eaf8eb6db9e47d0b144628776145d9c9a071c0d2636b28fc0d

SHA512
82553bbcb4dbad22f7d353b8ed2d97f0f8a8ddfbc0454540dede3ebe607b85bce2bc9aa0de8aafca6a24614611bfb24e2eedc680b24c7ac35b8814e2b6ed7c29

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceData\Tomabuce.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
memory/2676-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2676-2-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2676-3-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads