113aa0dbeb0b9887dc0e462565b967517e520fb6cb7256ab00298f5610c57148

Analysis

max time kernel
134s
max time network
145s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
25/02/2024, 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

crack.exe
Size

10.3MB
MD5

35edb0779e02ec906ba08da6115eeae7
SHA1

c662f58d8421c854b30da34c6e0ddc37783cb953
SHA256

22646544be869e18d9b35687a6592c3ea1ac0d423badc40cb6059388b1bf362c
SHA512

82e2fe81587b40e96b4fef23819037809d94c1f0f11393c8b91387a0dbaa70c368498707cd7a66ba71056352af90619d1204db7067f7daa47060ee5c8eee889b
SSDEEP

98304:QqMT8fPVdo+hZ9ZWI3Blm+AgMnOZ0EVmCs9rhcw3M//OfYts2SsJXkn7IG/HPidx:cs1BlLjZ0EVmCs9rhlSm0siJdeJ

Score

8^/10

persistence themida

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv"	crack.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/3856-1-0x00007FF698F00000-0x00007FF69A3B4000-memory.dmp	themida
behavioral2/memory/3856-9-0x00007FF698F00000-0x00007FF69A3B4000-memory.dmp	themida

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3856	crack.exe
3856	crack.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
3856	crack.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3856	crack.exe

C:\Users\Admin\AppData\Local\Temp\crack.exe
"C:\Users\Admin\AppData\Local\Temp\crack.exe"
1⤵
- Sets service image path in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3856-1-0x00007FF698F00000-0x00007FF69A3B4000-memory.dmp

Filesize
20.7MB

Download
memory/3856-9-0x00007FF698F00000-0x00007FF69A3B4000-memory.dmp

Filesize
20.7MB

Download