Analysis
max time kernel: 144s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 09/06/2024, 07:55
Static task: static1
Behavioral task: behavioral1
  Sample: bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe
  Resource: win10v2004-20240426-en
General
Target: bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe
Size: 4.9MB
MD5: edb15fae78e06173987f7e42ad8c5702
SHA1: f32094e4977d9ee90b397c99a15f317494e027c1
SHA256: bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99
SHA512: 1fe2aa356b0d07d089351abd26d65cee3a502e3e2395f05cf32827332d86e0e175a2a2f93260775cc22496ce1690a11f98dd2bbae16004fdc08201af6523e909
SSDEEP: 98304:HqkCqz0BYDzXMEGQ07//6U4CKwLR53TWML9qFHoDGfn:KkABYfXMVCU4QR587
Malware Config
Signatures
Drops file in Drivers directory (1 IoCs)
  description: File opened for modification | ioc: C:\Windows\System32\drivers\etc\hosts | Process: cmd.exe
Executes dropped EXE (1 IoCs)
  pid: 2624 | Process: CracKingD0M_ULTRAIS0.EXE
Loads dropped DLL (3 IoCs)
  pid: 2844 | Process: bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe
  pid: 2624 | Process: CracKingD0M_ULTRAIS0.EXE
  pid: 2624 | Process: CracKingD0M_ULTRAIS0.EXE
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid: 2624 | Process: CracKingD0M_ULTRAIS0.EXE
Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 2844 wrote to memory of 1652 | 2844 | bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe | 28
  PID 2844 wrote to memory of 1652 | 2844 | bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe | 28
  PID 2844 wrote to memory of 1652 | 2844 | bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe | 28
  PID 2844 wrote to memory of 1652 | 2844 | bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe | 28
  PID 2844 wrote to memory of 1652 | 2844 | bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe | 28
  PID 2844 wrote to memory of 1652 | 2844 | bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe | 28
  PID 2844 wrote to memory of 1652 | 2844 | bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe | 28
  PID 2844 wrote to memory of 2624 | 2844 | bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe | 30
  PID 2844 wrote to memory of 2624 | 2844 | bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe | 30
  PID 2844 wrote to memory of 2624 | 2844 | bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe | 30
  PID 2844 wrote to memory of 2624 | 2844 | bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe | 30
  PID 2844 wrote to memory of 2624 | 2844 | bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe | 30
  PID 2844 wrote to memory of 2624 | 2844 | bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe | 30
  PID 2844 wrote to memory of 2624 | 2844 | bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe | 30
Processes
C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe (tree depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2844
    C:\Windows\SysWOW64\cmd.exe (tree depth 2)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\G34RSETT13.bat" "
      - Drops file in Drivers directory
      PID: 1652
    C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE (tree depth 2)
      command line: "C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
      PID: 2624
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 8KB
  MD5: a335f477a541d2600481c71ee64c1f62
  SHA1: b9fa6b64d0e5e36db9ec6162679d2df897515bc9
  SHA256: 0779a9432a71f02299e9078b58f512d9667949d4eb9ea60283daec64a6526bae
  SHA512: 918f74f1a80ae6b555f8831d23285aef514eaeb58deefa58b28f626bc980af2a88523d52f1ff40c238a9bdb577718535784a9e87610f92b13d6460b2b5dc520b
Filesize: 4KB
  MD5: 02d4c152f3f35a30eb87a864582565f8
  SHA1: 9564b2fc39530ebe90043539963d4e4a0ffbf9f2
  SHA256: 28baf3bb7d414ccfd62185f3deff6bd1ed28dddd855e5aa09d2a6bd2b1edb9c8
  SHA512: 484d4e103c1e2a8d326e5f2450455e69aa16bcf29f2061db421cebf1882115f0f8ff01fdf18ec2b96cf6ff28b18669a12fbdc80507cb3c9249c1e8b5015a85fe
Filesize: 1KB
  MD5: 6a68a3264753e03ec3bd161b8698c29c
  SHA1: 873fb85de2dbe99c5ed7c37ba67f0f3d4057b0cf
  SHA256: 068147434b85749c3db5d635eab793f02e2a191c54d23504121171757d9f947a
  SHA512: 7e7a1eee3bf0be8029b25812ab79afde64893226390f9d41419d5aee10f63d9e4892ade0deb5572f439e097f8eeeadcf75d900083296b6e18aa4a5dc36fed310
Filesize: 1KB
  MD5: 2b69d830e0d50950e710cdaf4b47888a
  SHA1: 3f803393171c96ec7dbd173dd78511ee4404e991
  SHA256: 2b91221ae2468bbe90070d5716242cefa0d4d8d407dbea6a4c736b83745f1ace
  SHA512: e1c77a5819aaf7126e9b3163e0a25fb9ad5ee85773a9dd33c26c073e6683fa13b6ecf05e72134287d7fec94cffceaed0a84cd3c0d5dfca443a4faa0f602457d1
Filesize: 2KB
  MD5: ec771bfe6c0747127cc367fb8942b4f4
  SHA1: 3f1f4ae651a63d1f585d0416088fa45040bbc9f1
  SHA256: a9e337bb4d2a233208e5274fdd243f9fa9889a578fd5a6884f745f34b0cd210e
  SHA512: 4f8a9b2431707fa2963ae96c4af60375b2a1347bf826121c351bc89fc74d8e36ff265f47631fe5b998e076f2969a89db6f41d7afda6cbec21cc10cd82899f5b0
Filesize: 4.8MB
  MD5: 38be3a3a5b9e13d14e0b02bda895987d
  SHA1: 7c6feb666012e0468cebeffb45cd094161469cdf
  SHA256: 7875eb995e32a29d10e878f76fe2dab6da32e4042bb5d2f7f427673db3b82a91
  SHA512: 4b40050fd159fb79075b9a8ffaa47501444a3b88ed85c38f93f14927072df03c57c321bf1cec40cdd6196d0514ff71c4a4a32851e1f3a74e217b58262a8c1454