6f4aad43a20cd9ec0ddeb500ad05be2381c2f630d4ceee8a52790d00508485a3

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21cf7492c749388a4bebe5143d70a151.exe
Size

241KB
MD5

21cf7492c749388a4bebe5143d70a151
SHA1

0ac3068b3e2359fcbcf4273bad8547f22adfaf40
SHA256

6f4aad43a20cd9ec0ddeb500ad05be2381c2f630d4ceee8a52790d00508485a3
SHA512

16c58813d3114a62f0125298ee56b3411da68a7478088865b17952509e06404cde825a9478c8f3774bfef127d86e26b76eee81d6fb241a7e35a19750adb38929
SSDEEP

1536:OKD0A2T3vLbsih9e8bTTpb/IgQmP9zKcTDB4w/UjlQ/dpKRqm:352T3siXei5bcmP9JfUjWU

Score

7^/10

aspackv2 persistence

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000016c9c-5.dat	aspack_v212_v242

Deletes itself 1 IoCs

pid	Process
2668	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\SvcHosts32 = "C:\\Windows\\system32\\svchosts.exe"	21cf7492c749388a4bebe5143d70a151.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers32\MechWarrior V Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Paint Shop Pro 9.x Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\QuickTime 6.x Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Railroad Tycoon III Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\Divx 5.x Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\PhotoShow 2.x Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\Ulead GIF Animator 5.x Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Internet Turbo 2003 5.4 Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Adobe Acrobat 5.x Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\GetRight 6.x Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\F1 2002 Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\Lord of the Rings - War of the Ring Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Tony Hawks Pro Skater 4 Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Ulead PhotoImpact 9.x Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\MechWarrior IV No-Cd Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\Return to Castle Wolfenstein Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Commandos 3 - Destination Berlin No-Cd Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\World War II - Frontline Command Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Winamp 3.x Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\Quake IV No-Cd Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Neverwinter Nights - Shadows of Undrentide No-Cd Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Thief III Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\NHL 2002 No-Cd Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\PhotoShow 2.x Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\Soul Reaver 3 Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\DOOM 3 Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\Warcraft III No-Cd Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\DOOM 3 No-Cd Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\UltraEdit-32 10.x Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Star Wars - Knights of the Old Republic Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\Star Wars Jedi Knight - Jedi Academy Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\NHL 2002 Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\EverQuest 2 No-Cd Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\MVP Baseball 2003 Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\Lord of the Rings - War of the Ring No-Cd Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\Shrek 2 No-Cd Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\MusicMatch Jukebox 8.0 Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\NHL 2003 No-Cd Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Nero Burning ROM 5.5.x Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Metal Gear Solid 3 Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\SWiSH 2.x Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\SWiSH 2.0 Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\NetPumper 1.03 Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Knights of the Temple No-Cd Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Soul Reaver 3 Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\FIFA Soccer 2003 No-Cd Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\Soul Reaver III No-Cd Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\Train Simulator II Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\UltraEdit-32 10.00b Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\Ulead GIF Animator 6.x Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\KaZaA Speedup 3.03 Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\Ulead PhotoImpact 9.x Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Dark Age of Camelot - Trials of Atlantis No-Cd Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Ulead GIF Animator 6.x Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\ICUII 5.x.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\SWiSH 2.x Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\IL-2 Sturmovik - Forgotten Battles Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\Midtown Madness III No-Cd Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\Age of Mythology - The Titans Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\Need for Speed Underground Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\Trinity Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\Halo No-Cd Crack.exe	21cf7492c749388a4bebe5143d70a151.exe
File created	C:\Windows\SysWOW64\drivers32\Hex Workshop Hex Editor 4.1 Serial Generator.exe	21cf7492c749388a4bebe5143d70a151.exe
File opened for modification	C:\Windows\SysWOW64\drivers32\FlashGet 1.3 Crack.exe	21cf7492c749388a4bebe5143d70a151.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2668	1896	21cf7492c749388a4bebe5143d70a151.exe	28
PID 1896 wrote to memory of 2668	1896	21cf7492c749388a4bebe5143d70a151.exe	28
PID 1896 wrote to memory of 2668	1896	21cf7492c749388a4bebe5143d70a151.exe	28
PID 1896 wrote to memory of 2668	1896	21cf7492c749388a4bebe5143d70a151.exe	28

C:\Users\Admin\AppData\Local\Temp\21cf7492c749388a4bebe5143d70a151.exe
"C:\Users\Admin\AppData\Local\Temp\21cf7492c749388a4bebe5143d70a151.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\$$$$$.bat
  2⤵
  - Deletes itself
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$$$$$.bat

Filesize
200B

MD5
68b6723229652a77c161f516cbc56ab8

SHA1
fc6babdd0b6926f868645c216f04ac62d1552735

SHA256
62bb11ab4f4eed03deafd8d1a951382b381f30502163613b3492a93673c76598

SHA512
94ca933f74613a97488755056055baf4381e60db9dac822b1c4b439166de31ace3f4d3ee5648538eb93a0473bbca1e40448d7d02ec2c925a3876a7edd661adb5

Download Submit
C:\Windows\SysWOW64\drivers32\Tomb Raider - The Angel of Darkness No-Cd Crack.exe

Filesize
241KB

MD5
21cf7492c749388a4bebe5143d70a151

SHA1
0ac3068b3e2359fcbcf4273bad8547f22adfaf40

SHA256
6f4aad43a20cd9ec0ddeb500ad05be2381c2f630d4ceee8a52790d00508485a3

SHA512
16c58813d3114a62f0125298ee56b3411da68a7478088865b17952509e06404cde825a9478c8f3774bfef127d86e26b76eee81d6fb241a7e35a19750adb38929

Download Submit
memory/1896-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1896-707-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1896-826-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads