289df940c28b79a4a7df36df211beb87fec948bd2e1096192564902e196a5499

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/02/2024, 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExitLag-Crack-2024/ExitLag-Main/.metadata
Size

305B
MD5

e6784095dc1a554cacf0bb934434b3a6
SHA1

4c4c7363d9cf6d84a41909cce9d3743762e5945d
SHA256

5143a6fb213dd024294edc05ac1782c19be8dddab0c57d63ba7e5b5f8e5b69cd
SHA512

9ed40291778a162a6e102c44569adc5588024ca82446bbe717cc5b2db004f2da0a78f10cecfd3bcccf1346dffc38b5d422f3c2bea0c2895221c5cb2b0d96047e

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\metadata_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\.metadata	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\metadata_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\metadata_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\metadata_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\.metadata\ = "metadata_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\metadata_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000_CLASSES\metadata_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1464	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1464	AcroRd32.exe
1464	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2648	1996	cmd.exe	29
PID 1996 wrote to memory of 2648	1996	cmd.exe	29
PID 1996 wrote to memory of 2648	1996	cmd.exe	29
PID 2648 wrote to memory of 1464	2648	rundll32.exe	30
PID 2648 wrote to memory of 1464	2648	rundll32.exe	30
PID 2648 wrote to memory of 1464	2648	rundll32.exe	30
PID 2648 wrote to memory of 1464	2648	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ExitLag-Crack-2024\ExitLag-Main\.metadata
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\ExitLag-Crack-2024\ExitLag-Main\.metadata
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ExitLag-Crack-2024\ExitLag-Main\.metadata"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
2c653e0c4068dd672beb6364360d3a30

SHA1
705b42f06495f343a436e5c504f7a72c0a5c94e8

SHA256
7a3d00e0cbe7d5965e1063a90f4b1fdaeb4439695b9672cea7b26ba1a33a769a

SHA512
30a11eb9883df258504a9ec25783023084082069350f30f687fe249d4206758cd4a01506adff1eee4af36c93932841c78959bfc536dfe9f974a790fcd527f3a2

Download Submit