Analysis
-
max time kernel
12s
-
max time network
16s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
-
submitted
30-04-2024 13:59
Behavioral task
behavioral1
Sample
Kulo Crack.exe
Resource
win7-20240221-en
General
-
Target
Kulo Crack.exe
-
Size
3.8MB
-
MD5
c67c96ec69aba49e5798b60b78064a76
-
SHA1
ae2d3fde593c1d7abdf375857f07ed6040e97bf9
-
SHA256
a39b5594c05aa5701d27c79dd9cc783baa29834f42034c63e1329971d957d8b5
-
SHA512
d45bbfa95d9d1da377538387c0ae58e17d8a4302111f107c0a0772ba8a7353610a0eaa530c24324918d7889dad497ca465170631f380a3b82271be8218fe6169
-
SSDEEP
49152:AQDgok30ErC6qcXeDGqrHnsXLUWlEINye1OwnBWNhagAL7TjbM0YQRfsaH:AQU//rTarMAhSP
Malware Config
Extracted
darkcomet
Guest16
127.0.0.1:1604
DC_MUTEX-DM31UDC
-
gencode
hsUX4vmM8rqc
-
install
false
-
offline_keylogger
true
-
persistence
false
Signatures
-
Detects Eternity stealer 3 IoCs
Processes:
resource  yara_rule
\Users\Admin\AppData\Local\Temp\ASD.EXE  eternity_stealer
behavioral1/memory/2864-13-0x0000000000020000-0x0000000000106000-memory.dmp  eternity_stealer
behavioral1/memory/2904-27-0x0000000000400000-0x00000000007D6000-memory.dmp  eternity_stealer
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
2864  ASD.EXE
3020  KULO CRACKED.EXE
2748  dcd.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid   process
2904  Kulo Crack.exe
2904  Kulo Crack.exe
2504
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
description                            pid   process
Token: SeIncreaseQuotaPrivilege        2904  Kulo Crack.exe
Token: SeSecurityPrivilege             2904  Kulo Crack.exe
Token: SeTakeOwnershipPrivilege        2904  Kulo Crack.exe
Token: SeLoadDriverPrivilege           2904  Kulo Crack.exe
Token: SeSystemProfilePrivilege        2904  Kulo Crack.exe
Token: SeSystemtimePrivilege           2904  Kulo Crack.exe
Token: SeProfSingleProcessPrivilege    2904  Kulo Crack.exe
Token: SeIncBasePriorityPrivilege      2904  Kulo Crack.exe
Token: SeCreatePagefilePrivilege       2904  Kulo Crack.exe
Token: SeBackupPrivilege               2904  Kulo Crack.exe
Token: SeRestorePrivilege              2904  Kulo Crack.exe
Token: SeShutdownPrivilege             2904  Kulo Crack.exe
Token: SeDebugPrivilege                2904  Kulo Crack.exe
Token: SeSystemEnvironmentPrivilege    2904  Kulo Crack.exe
Token: SeChangeNotifyPrivilege         2904  Kulo Crack.exe
Token: SeRemoteShutdownPrivilege       2904  Kulo Crack.exe
Token: SeUndockPrivilege               2904  Kulo Crack.exe
Token: SeManageVolumePrivilege         2904  Kulo Crack.exe
Token: SeImpersonatePrivilege          2904  Kulo Crack.exe
Token: SeCreateGlobalPrivilege         2904  Kulo Crack.exe
Token: 33                              2904  Kulo Crack.exe
Token: 34                              2904  Kulo Crack.exe
Token: 35                              2904  Kulo Crack.exe
Token: SeDebugPrivilege                2864  ASD.EXE
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
2904  Kulo Crack.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description                       pid   process         target process
PID 2904 wrote to memory of 2864  2904  Kulo Crack.exe  ASD.EXE
PID 2904 wrote to memory of 2864  2904  Kulo Crack.exe  ASD.EXE
PID 2904 wrote to memory of 2864  2904  Kulo Crack.exe  ASD.EXE
PID 2904 wrote to memory of 2864  2904  Kulo Crack.exe  ASD.EXE
PID 2904 wrote to memory of 3020  2904  Kulo Crack.exe  KULO CRACKED.EXE
PID 2904 wrote to memory of 3020  2904  Kulo Crack.exe  KULO CRACKED.EXE
PID 2904 wrote to memory of 3020  2904  Kulo Crack.exe  KULO CRACKED.EXE
PID 2904 wrote to memory of 3020  2904  Kulo Crack.exe  KULO CRACKED.EXE
PID 2864 wrote to memory of 2748  2864  ASD.EXE         dcd.exe
PID 2864 wrote to memory of 2748  2864  ASD.EXE         dcd.exe
PID 2864 wrote to memory of 2748  2864  ASD.EXE         dcd.exe
PID 2864 wrote to memory of 2748  2864  ASD.EXE         dcd.exe
PID 2864 wrote to memory of 2388  2864  ASD.EXE         WerFault.exe
PID 2864 wrote to memory of 2388  2864  ASD.EXE         WerFault.exe
PID 2864 wrote to memory of 2388  2864  ASD.EXE         WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Kulo Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Kulo Crack.exe"
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Temp\ASD.EXE
    "C:\Users\Admin\AppData\Local\Temp\ASD.EXE"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
        C:\Users\Admin\AppData\Local\Temp\dcd.exe
        "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
        - Executes dropped EXE
-
        C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2864 -s 1540
-
    C:\Users\Admin\AppData\Local\Temp\KULO CRACKED.EXE
    "C:\Users\Admin\AppData\Local\Temp\KULO CRACKED.EXE"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\dcd.exe
Filesize
227KB
MD5
b5ac46e446cead89892628f30a253a06
SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca
SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669
SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87
-
\Users\Admin\AppData\Local\Temp\ASD.EXE
Filesize
885KB
MD5
40828c2fea99e6d82601e973b6219635
SHA1
967ad61398e27cce7fe91392a7f2aca705915fe6
SHA256
296df2c2bdb287be3bfb2e78c1984efa875c32351972feecd7252cd825328334
SHA512
3825e24109fab2671f9aa28c93962bd6be4cecdfa8ead4254695d783bcdb177c131995dfbc377c3e81ed15ff925ed1e7e3dc118bf1dcb4101997650244827037
-
\Users\Admin\AppData\Local\Temp\KULO CRACKED.EXE
Filesize
2.3MB
MD5
4c8e68e1dcf467c29bd1db499400b5eb
SHA1
bc058901152dc725799dab88d9b91fe45cfee9cd
SHA256
108c775a20a5c9b705a3a1c9ad1dc52bae5d98f6befc2db2497a82654806b847
SHA512
c0c3227d11d713f3e4c2bd961123fae01e453671a9a93d6c248c62598d78136553af48d1e7a9e7695c7ac2b4e6c0d7b23f2b7ec9ebfc5456a9f1e6ef851ea05c
-
memory/2864-16-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
Filesize
9.9MB
-
memory/2864-14-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
Filesize
9.9MB
-
memory/2864-15-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
Filesize
9.9MB
-
memory/2864-17-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
Filesize
9.9MB
-
memory/2864-18-0x000000001AE70000-0x000000001AEF0000-memory.dmp
Filesize
512KB
-
memory/2864-19-0x0000000000730000-0x000000000076E000-memory.dmp
Filesize
248KB
-
memory/2864-20-0x000000001AE70000-0x000000001AEF0000-memory.dmp
Filesize
512KB
-
memory/2864-13-0x0000000000020000-0x0000000000106000-memory.dmp
Filesize
920KB
-
memory/2864-26-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
Filesize
9.9MB
-
memory/2904-0-0x0000000000240000-0x0000000000241000-memory.dmp
Filesize
4KB
-
memory/2904-27-0x0000000000400000-0x00000000007D6000-memory.dmp
Filesize
3.8MB