Analysis Overview
SHA256
bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99
Threat Level: Likely malicious
The file bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99 was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-09 07:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 07:55
Reported
2024-06-09 07:58
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe
"C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G34RSETT13.bat" "
C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE
"C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.162.46.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE
| MD5 | 38be3a3a5b9e13d14e0b02bda895987d |
| SHA1 | 7c6feb666012e0468cebeffb45cd094161469cdf |
| SHA256 | 7875eb995e32a29d10e878f76fe2dab6da32e4042bb5d2f7f427673db3b82a91 |
| SHA512 | 4b40050fd159fb79075b9a8ffaa47501444a3b88ed85c38f93f14927072df03c57c321bf1cec40cdd6196d0514ff71c4a4a32851e1f3a74e217b58262a8c1454 |
C:\Users\Admin\AppData\Local\Temp\G34RSETT13.bat
| MD5 | a335f477a541d2600481c71ee64c1f62 |
| SHA1 | b9fa6b64d0e5e36db9ec6162679d2df897515bc9 |
| SHA256 | 0779a9432a71f02299e9078b58f512d9667949d4eb9ea60283daec64a6526bae |
| SHA512 | 918f74f1a80ae6b555f8831d23285aef514eaeb58deefa58b28f626bc980af2a88523d52f1ff40c238a9bdb577718535784a9e87610f92b13d6460b2b5dc520b |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 6b0dd15ed54a35c29b0f2e58f30d89a9 |
| SHA1 | d3be5b9b0095c59799a166d2ff0346f45d914ff1 |
| SHA256 | 0412e9ae87a345df6590192a6f975d0c50bdf35eb80ca793592018259fef67c6 |
| SHA512 | 689b2453ba4b969baf7e5f7a3e5e03983dd4e617afe8df0ba5f743929ff55cbad7b08925a2d654c7c1e68dc721b41bb46abd9a127e55dede34c8b277c081cdf5 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 07:55
Reported
2024-06-09 07:58
Platform
win7-20240221-en
Max time kernel
144s
Max time network
124s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe
"C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\G34RSETT13.bat" "
C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE
"C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE"
Network
Files
C:\Users\Admin\AppData\Local\Temp\G34RSETT13.bat
| MD5 | a335f477a541d2600481c71ee64c1f62 |
| SHA1 | b9fa6b64d0e5e36db9ec6162679d2df897515bc9 |
| SHA256 | 0779a9432a71f02299e9078b58f512d9667949d4eb9ea60283daec64a6526bae |
| SHA512 | 918f74f1a80ae6b555f8831d23285aef514eaeb58deefa58b28f626bc980af2a88523d52f1ff40c238a9bdb577718535784a9e87610f92b13d6460b2b5dc520b |
\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE
| MD5 | 38be3a3a5b9e13d14e0b02bda895987d |
| SHA1 | 7c6feb666012e0468cebeffb45cd094161469cdf |
| SHA256 | 7875eb995e32a29d10e878f76fe2dab6da32e4042bb5d2f7f427673db3b82a91 |
| SHA512 | 4b40050fd159fb79075b9a8ffaa47501444a3b88ed85c38f93f14927072df03c57c321bf1cec40cdd6196d0514ff71c4a4a32851e1f3a74e217b58262a8c1454 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 6a68a3264753e03ec3bd161b8698c29c |
| SHA1 | 873fb85de2dbe99c5ed7c37ba67f0f3d4057b0cf |
| SHA256 | 068147434b85749c3db5d635eab793f02e2a191c54d23504121171757d9f947a |
| SHA512 | 7e7a1eee3bf0be8029b25812ab79afde64893226390f9d41419d5aee10f63d9e4892ade0deb5572f439e097f8eeeadcf75d900083296b6e18aa4a5dc36fed310 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 2b69d830e0d50950e710cdaf4b47888a |
| SHA1 | 3f803393171c96ec7dbd173dd78511ee4404e991 |
| SHA256 | 2b91221ae2468bbe90070d5716242cefa0d4d8d407dbea6a4c736b83745f1ace |
| SHA512 | e1c77a5819aaf7126e9b3163e0a25fb9ad5ee85773a9dd33c26c073e6683fa13b6ecf05e72134287d7fec94cffceaed0a84cd3c0d5dfca443a4faa0f602457d1 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | ec771bfe6c0747127cc367fb8942b4f4 |
| SHA1 | 3f1f4ae651a63d1f585d0416088fa45040bbc9f1 |
| SHA256 | a9e337bb4d2a233208e5274fdd243f9fa9889a578fd5a6884f745f34b0cd210e |
| SHA512 | 4f8a9b2431707fa2963ae96c4af60375b2a1347bf826121c351bc89fc74d8e36ff265f47631fe5b998e076f2969a89db6f41d7afda6cbec21cc10cd82899f5b0 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 02d4c152f3f35a30eb87a864582565f8 |
| SHA1 | 9564b2fc39530ebe90043539963d4e4a0ffbf9f2 |
| SHA256 | 28baf3bb7d414ccfd62185f3deff6bd1ed28dddd855e5aa09d2a6bd2b1edb9c8 |
| SHA512 | 484d4e103c1e2a8d326e5f2450455e69aa16bcf29f2061db421cebf1882115f0f8ff01fdf18ec2b96cf6ff28b18669a12fbdc80507cb3c9249c1e8b5015a85fe |