Analysis

  • max time kernel
    144s
  • max time network
    156s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win11-20231215-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    10-02-2024 17:58

General

  • Target

    Creal.pyc

  • Size

    267KB

  • MD5

    1cb2bb24e94088c1c4dd68be1b49bcb9

  • SHA1

    81f036fb053b2c8d849180f02c61789218cbf3fc

  • SHA256

    e11c420ad1dba1dc19eb98775827ea5167ab830cdedc5e96fb9399ffe19810f7

  • SHA512

    765be637621e47df99d503a567352dbe1b797d09f0cb6d649da5d4d0fbd3577173f4390b1979b2f390f6535f09b843829ae6f579ab05374622f5bf52ff638809

  • SSDEEP

    3072:6g7MaNdUcd6rQ5Ap9ypIAXJzYmfiTNh3zDv80R4KTEI2EBqdb2w:SQUg605ApAzYmfiTNh3zDv8GT72EBE9

Score
3/10

Read the score against the process tree below: cmd /c Creal.pyc (PID 5492) spawns nothing, and the only process it provoked is the Open With dialog (OpenWith.exe -Embedding, PID 5532), which the shell shows when it has no registered handler for the extension. No Python interpreter ran, so the bytecode itself was never executed in this run. The Firefox tree, AUDIODG.EXE and the two InvokeUndo.cmd launches all sit at depth 1, outside the sample's lineage, and apart from "Modifies registry class" on PID 5492 and "Modifies registry class" / "Suspicious use of SetWindowsHookEx" on PID 5532, every per-process signature in the tree is raised by firefox.exe (PIDs 4780 and 1472).
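Because the bytecode never ran in the sandbox, static triage of the .pyc itself is the next step. The block below is an added example, not part of the report: it reads the 16-byte header that Python 3.7+ .pyc files carry to find which CPython version the bytecode targets (the magic number) and whether it is timestamp- or hash-based (PEP 552), and lists the names the module-level code object references when the running interpreter matches. It does not touch Creal.pyc; the sample .pyc is constructed with the running interpreter, and the magic-number ranges are an assumption taken from CPython's importlib/_bootstrap_external.py history.

```python
"""Static triage of a CPython .pyc header.

Added example (not from the report): reads the 16-byte header used by
Python 3.7+ .pyc files to find the interpreter version the bytecode
targets and whether it is timestamp- or hash-based (PEP 552).  The
sample .pyc below is constructed with the running interpreter; the
magic-number ranges are an assumption taken from CPython's
importlib/_bootstrap_external.py history.
"""
import importlib.util
import marshal
import struct
import sys

# (low, high, version): minor-version ranges of the 16-bit magic number.
# Alpha/beta builds use intermediate values inside each range (assumed).
MAGIC_RANGES = [
    (62211, 62211, "2.7"),
    (3350, 3359, "3.5"),
    (3360, 3389, "3.6"),
    (3390, 3399, "3.7"),
    (3400, 3419, "3.8"),
    (3420, 3429, "3.9"),
    (3430, 3449, "3.10"),
    (3450, 3499, "3.11"),
    (3500, 3549, "3.12"),
    (3550, 3599, "3.13"),
    (3600, 3649, "3.14"),
]


def version_for_magic(magic):
    """Map a magic number to a CPython minor version, or 'unknown'."""
    for low, high, version in MAGIC_RANGES:
        if low <= magic <= high:
            return version
    return "unknown"


def parse_pyc_header(data):
    """Return the header fields of a .pyc as a dict (full parse for 3.7+ layout)."""
    if len(data) < 8 or data[2:4] != b"\r\n":
        raise ValueError("not a .pyc header (missing \\r\\n magic trailer)")
    magic = struct.unpack("<H", data[:2])[0]
    info = {"magic": magic, "python": version_for_magic(magic)}
    if info["python"] in ("2.7", "3.5", "3.6"):
        info["note"] = "pre-3.7 layout: no flags field (header is 8 or 12 bytes)"
        return info
    if len(data) < 16:
        raise ValueError("truncated 3.7+ header")
    flags = struct.unpack("<I", data[4:8])[0]
    info["flags"] = flags
    if flags & 1:
        # Hash-based pyc: 8-byte SipHash of the source; bit 1 = check_source.
        info["source_hash"] = data[8:16].hex()
        info["check_source"] = bool(flags & 2)
    else:
        # Timestamp-based pyc: source mtime and size.
        info["mtime"], info["source_size"] = struct.unpack("<II", data[8:16])
    return info


def referenced_names(data):
    """Names the module-level code object references (imports, globals, attributes).

    marshal only round-trips within the same interpreter version, so this
    refuses to load bytecode whose magic differs from the running one.
    """
    own_magic = struct.unpack("<H", importlib.util.MAGIC_NUMBER[:2])[0]
    if struct.unpack("<H", data[:2])[0] != own_magic:
        raise RuntimeError("bytecode targets another CPython; use a matching interpreter")
    code = marshal.loads(data[16:])
    return sorted(set(code.co_names))


def build_sample_pyc(source):
    """Constructed sample: a timestamp-based .pyc compiled by this interpreter."""
    code = compile(source, "<sample>", "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, len(source))
    return header + marshal.dumps(code)


SAMPLE_SOURCE = "import os, socket\nhost = socket.gethostname()\n"
SAMPLE_PYC = build_sample_pyc(SAMPLE_SOURCE)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_PYC
    print(parse_pyc_header(data))
    try:
        print("names:", referenced_names(data))
    except RuntimeError as exc:
        print(exc)
```

Run it with a path argument to inspect a real .pyc; with no argument it parses its own constructed sample. The version check matters in practice: disassembling or decompiling the sample needs a CPython of the same minor version, which the magic number tells you before you install anything.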

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Creal.pyc
    1⤵
    • Modifies registry class
    PID:5492
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:5532
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\InvokeUndo.cmd" "
    1⤵
    PID:3856
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x0000000000000418
    1⤵
    PID:4824
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\InvokeUndo.cmd" "
    1⤵
    PID:4316
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4780
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.0.1072262612\1895891099" -parentBuildID 20221007134813 -prefsHandle 1764 -prefMapHandle 1756 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b36edce9-68e0-4193-ad3e-a2dfb2c19384} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 1856 1ba136f2858 gpu
        3⤵
        PID:4280
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.1.2004752393\465417412" -parentBuildID 20221007134813 -prefsHandle 2216 -prefMapHandle 2212 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f460e51e-d40e-415a-90fa-e0376031d02b} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 2228 1ba12e30758 socket
        3⤵
        PID:5320
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.2.246081354\1382064302" -childID 1 -isForBrowser -prefsHandle 2748 -prefMapHandle 3028 -prefsLen 20886 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07cba675-64fc-44b8-9ba3-ff4015bc6783} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 3304 1ba13663a58 tab
        3⤵
        PID:1904
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.3.833844062\1060151172" -childID 2 -isForBrowser -prefsHandle 3480 -prefMapHandle 3624 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f395e304-3079-4b4f-8897-e3c62f6ea16b} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 3556 1ba15bf7e58 tab
        3⤵
        PID:2188
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.4.984340703\363109660" -childID 3 -isForBrowser -prefsHandle 4504 -prefMapHandle 4512 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43f66b49-a9f1-49b7-afc7-c74bd2de4ec1} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 4620 1ba1a0c1b58 tab
        3⤵
        PID:4644
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.5.1783106259\787349630" -childID 4 -isForBrowser -prefsHandle 5076 -prefMapHandle 5112 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b73f3669-0923-4cd0-bf48-0ffb380a3458} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 5064 1ba1a91e458 tab
        3⤵
        PID:5008
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.7.41560135\1974200951" -childID 6 -isForBrowser -prefsHandle 5456 -prefMapHandle 5460 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22769f99-a522-49eb-a0dd-a1b4e648692f} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 5444 1ba1a91fc58 tab
        3⤵
        PID:5936
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.6.1012393929\2098607350" -childID 5 -isForBrowser -prefsHandle 5268 -prefMapHandle 5272 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d8134a2-b491-4b7f-be6a-9492b92e043a} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 5260 1ba1a91ea58 tab
        3⤵
        PID:3852
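A practitioner reading the tree above wants to know which signatures fire inside the submitted sample's lineage and which come from unrelated processes. The block below is an added example, not part of the report or of the sandbox's own code: it parses a constructed excerpt written in the same layout as the tree (process bullet, command line, depth marker "N⤵", signature bullets, "PID:" line), rebuilds parent links from the depth markers, and splits the signatures into those raised under a root that launched the target file and those raised elsewhere. The PIDs, images and signatures in the excerpt are copied from the tree above; the long Firefox command lines are shortened.

```python
"""Attribute sandbox signatures to the submitted sample's process lineage.

Added example, not part of the report or of the sandbox's code.  It parses
an excerpt written in the report's own layout (process bullet, command
line, depth marker "N⤵", signature bullets, "PID:" line), rebuilds
parent links from the depth markers, and splits the signatures into
those raised inside the sample's lineage and those raised elsewhere.
"""
import re

# Constructed excerpt in the report's layout; images, PIDs and signatures
# are copied from the tree above, long command lines are shortened.
REPORT = r"""
• C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Creal.pyc
  1⤵
  • Modifies registry class
  PID:5492
• C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  1⤵
  • Modifies registry class
  • Suspicious use of SetWindowsHookEx
  PID:5532
• C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  1⤵
  • Suspicious use of WriteProcessMemory
  PID:4780
• C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  • Checks processor information in registry
  • Suspicious use of WriteProcessMemory
  PID:1472
• C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.0.1072262612\1895891099" gpu
  3⤵
  PID:4280
"""

DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")


def parse_process_tree(text):
    """Return a list of {image, cmdline, depth, signatures, pid, parent} dicts."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PID_RE.match(line)
        if m and cur is not None:
            cur["pid"] = int(m.group(1))   # the PID line closes an entry
            procs.append(cur)
            cur = None
            continue
        m = DEPTH_RE.match(line)
        if m and cur is not None:
            cur["depth"] = int(m.group(1))
            continue
        if line.startswith("• "):
            if cur is not None and "depth" in cur:
                cur["signatures"].append(line[2:])   # bullet after the depth marker: a signature
            else:
                cur = {"image": line[2:], "cmdline": "", "signatures": [], "parent": None}
            continue
        if cur is not None and "depth" not in cur:
            cur["cmdline"] = line                     # the line between image and depth marker
    for i, proc in enumerate(procs):
        # Parent = nearest earlier entry one level shallower (how the report nests).
        for earlier in reversed(procs[:i]):
            if earlier["depth"] == proc["depth"] - 1:
                proc["parent"] = earlier["pid"]
                break
    return procs


def attribute_signatures(procs, target_name):
    """Split signatures by whether their process descends from a root that launched target_name."""
    by_pid = {p["pid"]: p for p in procs}
    sample_roots = {p["pid"] for p in procs
                    if p["parent"] is None and target_name.lower() in p["cmdline"].lower()}

    def root_pid(p):
        while p["parent"] is not None:
            p = by_pid[p["parent"]]
        return p["pid"]

    inside, outside = {}, {}
    for p in procs:
        bucket = inside if root_pid(p) in sample_roots else outside
        for sig in p["signatures"]:
            bucket.setdefault(sig, []).append(p["pid"])
    return inside, outside


if __name__ == "__main__":
    tree = parse_process_tree(REPORT)
    inside, outside = attribute_signatures(tree, "Creal.pyc")
    print("sample lineage:", inside)
    print("other roots:   ", outside)
```

On the excerpt, only "Modifies registry class" on PID 5492 lands in the sample's lineage; everything else belongs to other roots. OpenWith.exe -Embedding shows up as its own root because COM activation, not cmd.exe, launched it, so a parent-child check alone does not tie it to the sample; the link is the timing and the -Embedding flag, which is why the score note above reads the two together.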

                        Network

                        MITRE ATT&CK Enterprise v15

                        Downloads

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xyon95kp.default-release\cache2\entries\4832D199584363B876D3E7D57CA02A9B0F4D91CD

                          Filesize

                          13KB

                          MD5

                          ef8a78fce6bc9c1fb982b646d5cfd2ca

                          SHA1

                          f74c189070da0e9f5f22b5ad9eb085a9ae9eef0b

                          SHA256

                          c530b7ff18da7f06018a4c1bb594202a5d53433a74f54cea14c5f9facba6147c

                          SHA512

                          386f4cc685739c1fe39a15a7b49db04d6416fbb85d9b90e39f18ef1d719a5a30a3ffd0de7a0d8653422a18da17832adb8e79c53f02bd79b1b0d644a8a0e798e8

                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                          Filesize

                          442KB

                          MD5

                          85430baed3398695717b0263807cf97c

                          SHA1

                          fffbee923cea216f50fce5d54219a188a5100f41

                          SHA256

                          a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                          SHA512

                          06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                          Filesize

                          3.0MB

                          MD5

                          18e3a15352404e851991403386781bee

                          SHA1

                          7efbaa9ac0c9aba615f3d81f4039a4224cdac356

                          SHA256

                          97425d370a372defdc626e971a8ba5f2fa859df2dcd4e9d2097c43e5fbc8c7f1

                          SHA512

                          0c64b2448ff5ed286a1a7fd4e03c3634986da4bc3d36d92d8af0280d9a3373d427d0687a3cd2fc549b5389353a8bc80c49d800700d692a176f418ee81845280f

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xyon95kp.default-release\datareporting\glean\db\data.safe.bin

                          Filesize

                          2KB

                          MD5

                          927d30465593f01f2adf4702b7bc54f7

                          SHA1

                          5a695901dd391c6e5f6c01e14e569fd7ba8bb120

                          SHA256

                          056b4765c18ab9ab5a89ccdffe0193c85c1e541c6aa8505fcdd8d870084e7e35

                          SHA512

                          3b6b47d5fd0dc0e95e808c7763725ea9ea380ee0276b6a0c120a0e1871afe45b04da26866afa317236597f6fc54cb02a539fe6136c2b054ac0905689733fbf3b

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xyon95kp.default-release\datareporting\glean\pending_pings\30881d55-e4cd-4801-9569-6c5f8ff9fc86

                          Filesize

                          746B

                          MD5

                          d5256c03645b79e2eeab335e47b55783

                          SHA1

                          e05f60c0efb6d210828611208effc9f17698665e

                          SHA256

                          a6298861c3213dd23a1bb9da0d123187fc1578d6713196c6f87deea42f66a76b

                          SHA512

                          d6cf2065118032811bdf5f01331ed48801ed4ac7f78ce20d1ca91f04c8b4fa8d8559e5b0469ef41ce08971d3b9db722f882e64987ad737793a5d894253463e48

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xyon95kp.default-release\datareporting\glean\pending_pings\f8b4de3b-cf49-4c8b-8b51-e66e64857ce3

                          Filesize

                          11KB

                          MD5

                          4e8b454e2699e1ee91b8f52bc4676798

                          SHA1

                          f22e8d8dc5f1a87c96760a55f25a9bb85a08680d

                          SHA256

                          ee1ce1128701b0539dff1d6c4d78d9664f609c4b4749bf902ec8b8a441f9b1dc

                          SHA512

                          0eb6a1c696f2ee732358b3d8fd3148d76feb9ef7ec3229e5189bfe0b3484a54f120397fb8fdfb7a99e4039f3af27088ce731289a2a71150a1f0c675136e3758f

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xyon95kp.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

                          Filesize

                          997KB

                          MD5

                          fe3355639648c417e8307c6d051e3e37

                          SHA1

                          f54602d4b4778da21bc97c7238fc66aa68c8ee34

                          SHA256

                          1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                          SHA512

                          8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xyon95kp.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

                          Filesize

                          116B

                          MD5

                          3d33cdc0b3d281e67dd52e14435dd04f

                          SHA1

                          4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                          SHA256

                          f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                          SHA512

                          a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xyon95kp.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

                          Filesize

                          479B

                          MD5

                          49ddb419d96dceb9069018535fb2e2fc

                          SHA1

                          62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                          SHA256

                          2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                          SHA512

                          48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xyon95kp.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                          Filesize

                          372B

                          MD5

                          8be33af717bb1b67fbd61c3f4b807e9e

                          SHA1

                          7cf17656d174d951957ff36810e874a134dd49e0

                          SHA256

                          e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                          SHA512

                          6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xyon95kp.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                          Filesize

                          2.7MB

                          MD5

                          3369fe2188be071054304c7f4042f769

                          SHA1

                          4891aa2633e324605c2a20a12bdfadb71dd7c451

                          SHA256

                          c3e60dc11c31d14c4fbf88b08eda9298391ecd03db3745b1fe5222a76c3573c7

                          SHA512

                          ee88f1063b63d4d8545dc42e5a5fe86a854e769d91c9ff4ea76e395e37738b13416078321a37098822259aebc214f5b89d1b60ad06d00881de2f56ade7708a7c

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xyon95kp.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                          Filesize

                          1KB

                          MD5

                          688bed3676d2104e7f17ae1cd2c59404

                          SHA1

                          952b2cdf783ac72fcb98338723e9afd38d47ad8e

                          SHA256

                          33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                          SHA512

                          7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xyon95kp.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                          Filesize

                          1KB

                          MD5

                          937326fead5fd401f6cca9118bd9ade9

                          SHA1

                          4526a57d4ae14ed29b37632c72aef3c408189d91

                          SHA256

                          68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                          SHA512

                          b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xyon95kp.default-release\prefs-1.js

                          Filesize

                          7KB

                          MD5

                          a45a265192cc24edeedc80385067d5f8

                          SHA1

                          28770f07738a5f6af6eb0d21ea5816ce30b39bbe

                          SHA256

                          3c2722328912c7a3a1408373e83dd4a6a355102094a72322b788a9aca8f20ea8

                          SHA512

                          5ececf352889303306105f4c42cf7f3402d6e585843e877a82e904846f24a8787f724fdf69ef8d8fb8aa231924c33d3195f448ac492b20e8c5029d3b4a88c459

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xyon95kp.default-release\prefs-1.js

                          Filesize

                          6KB

                          MD5

                          8992e5d72c94eaa2802fb61fec4e0dc4

                          SHA1

                          73a3bccd194aa6c824d81d002a768e97150de7c6

                          SHA256

                          9422ccec84616c9f3efe6c451144e0c0af2d3f95f393222108cffba31ae13d75

                          SHA512

                          6603318439ae596b882a2b26435320661dd81756829025cf2a4356c500e141dafd9320190b65fdebe80300d8482f4a61fe01c8e40221cd3860764edb5ddbb94a

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xyon95kp.default-release\sessionstore-backups\recovery.jsonlz4

                          Filesize

                          1KB

                          MD5

                          04c3ae3f50ab573a9d1d2048714ed984

                          SHA1

                          261a9bd89f9d3ac178581d8eb3fc298fbff43b0a

                          SHA256

                          161739d2a3b0240a61596eb068b445c32547e09b8e3c33acff4f0b64e032dcca

                          SHA512

                          5bc23e54daf7f1294006a8d0f1dc05f71652828a4466aa2cf1b572fc0be09a0b4fa943e976af074853cef2d411d19e2ef91a1805038f3849ecf1a22ab50204df