83774db723e6f86c40cab8b24a0ab190b6a9a66944fd228d2f506ce322823d71

Analysis

max time kernel
139s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2023, 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4d9a7ecb62498848ede283d5824386d0.exe
Size

459KB
MD5

4d9a7ecb62498848ede283d5824386d0
SHA1

79bae4fdcf6a81f728f8c87257cc267f5e11f451
SHA256

83774db723e6f86c40cab8b24a0ab190b6a9a66944fd228d2f506ce322823d71
SHA512

dc7ddd06187e33670fc7608ea10f01314744759ebd87691694c27af4a4191f55ef440d01510dbc60298877dd970a5359273ee5820faf5e23d267177768fd67b0
SSDEEP

1536:OKD0A2T3vLbsih9e8bTTpb/IgQmP9zKcTDB4w/UjlQ/dpKRq:352T3siXei5bcmP9JfUjW

Score

7^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000022cfe-7.dat	aspack_v212_v242

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SvcHosts32 = "C:\\Windows\\system32\\svchosts.exe"	NEAS.4d9a7ecb62498848ede283d5824386d0.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers32\Thief 2 No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Star Trek - Elite Force II Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Warcraft III Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Civilization III - Conquest No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\MechWarrior III No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Age of Mythology - The Titans Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Metal Gear Solid 2 No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Hitman 3 No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Counter-Strike - Condition Zero Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\GeoWhere 2.x Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Quake III No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Nero Burning ROM 5.5.x Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Adobe Acrobat 5.x Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Internet Turbo 2003 5.x Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Need for Speed Underground No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Madden NFL 2004 Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Harry Potter - Quidditch World Cup Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NASCAR Thunder 2003 No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NBA Live 2004 No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\The Sims Superstar Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Delta Force - Black Hawk Down Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NCAA Football 2003 No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WinZip 9.x Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Battlefield 1942 - The Road to Rome No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Knights of the Temple No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NCAA Football 2003 Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Warcraft 3 No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\NHL 2002 Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Splinter Cell No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\IL-2 Sturmovik - Forgotten Battles No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Railroad Tycoon III No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Tiger Woods PGA TOUR 2003 No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\NASCAR Racing 2003 No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Easy CD-DA Extractor 5.x Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Hex Workshop Hex Editor 4.1 Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\mIRC 6.x Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Ad-aware 6.0 Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Quake 3 No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Star Trek - Elite Force II Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\World War II - Frontline Command Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\PhotoShow 2.0 Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\UltraEdit-32 10.00b Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Metal Gear Solid III No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Divx 5.x Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Warlords IV - Heroes of Etheria No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\FIFA Soccer 2003 Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Need for Speed Underground Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\MVP Baseball 2003 No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Star Wars - Knights of the Old Republic Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\NetPumper 1.03 Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NCAA Football 2004 No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\WinRAR 3.12 Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\PhotoShow 2.x Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Network Cable e ADSL Speed 1.x Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\FlashFXP 1.4 Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Civilization III - Conquest No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Warlords 4 Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Midtown Madness 3 Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\ZoneAlarm 3.7.143 Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\svchosts.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File created	C:\Windows\SysWOW64\drivers32\Counter-Strike - Condition Zero No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Grand Theft Auto - Vice City No-Cd Crack.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\MechWarrior 4 Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\ZoneAlarm 3.8x Serial Generator.exe	NEAS.4d9a7ecb62498848ede283d5824386d0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 4896	4352	NEAS.4d9a7ecb62498848ede283d5824386d0.exe	106
PID 4352 wrote to memory of 4896	4352	NEAS.4d9a7ecb62498848ede283d5824386d0.exe	106
PID 4352 wrote to memory of 4896	4352	NEAS.4d9a7ecb62498848ede283d5824386d0.exe	106

C:\Users\Admin\AppData\Local\Temp\NEAS.4d9a7ecb62498848ede283d5824386d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4d9a7ecb62498848ede283d5824386d0.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\$$$$$.bat
  2⤵
  PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers32\Tomb Raider - The Angel of Darkness No-Cd Crack.exe

Filesize
459KB

MD5
4d9a7ecb62498848ede283d5824386d0

SHA1
79bae4fdcf6a81f728f8c87257cc267f5e11f451

SHA256
83774db723e6f86c40cab8b24a0ab190b6a9a66944fd228d2f506ce322823d71

SHA512
dc7ddd06187e33670fc7608ea10f01314744759ebd87691694c27af4a4191f55ef440d01510dbc60298877dd970a5359273ee5820faf5e23d267177768fd67b0

Download Submit
\??\c:\$$$$$.bat

Filesize
210B

MD5
dc9d5efa6945f7ee9eb44a81692bf02b

SHA1
8c4aa7abc833dbc860b74c508ea61ea32376dfe5

SHA256
bee992943daf59ce0d3d1e53e3fea227ba58391b2ad4ea2df0935de3ef5f3c69

SHA512
9592f97f3c12d7c693eec870674223ca08fa05029f9f23bfd8d3317956042792a0a6a28b109c188daec2995c827ea9c3fc43a8c45a87fe710150d4d793cb7fa6

Download Submit
memory/4352-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4352-1-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4352-821-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads