Malware Analysis Report

2025-04-14 04:18

Sample ID 240609-jsmg1afh3w
Target bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99
SHA256 bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99
Tags
score
8/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
8/10

SHA256

bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99

Threat Level: Likely malicious

The file bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99 was found to be: Likely malicious.

Observed execution chain (same in both behavioral runs): the sample starts cmd.exe on a dropped batch file, C:\Users\Admin\AppData\Local\Temp\G34RSETT13.bat, and that cmd.exe process opens C:\Windows\System32\drivers\etc\hosts for modification; the sample also starts a dropped executable, C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE, whose name is styled as a software crack. The only network activity recorded is a set of reverse-DNS (PTR) queries to 8.8.8.8 in behavioral2; no forward lookup and no direct connection by the sample appears in either run.

Malicious Activity Summary

Drops file in Drivers directory (the indicator is C:\Windows\System32\drivers\etc\hosts opened for modification by cmd.exe; it is the hosts file, not a driver)

Loads dropped DLL (listed in the summary only; no per-analysis detail is given below)

Executes dropped EXE (C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE)

Checks computer location settings (reads the user's Control Panel\International\Geo\Nation registry value)

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam (from the dropped EXE in behavioral1; repeated GetForegroundWindow calls are commonly used to test for an interactive user before proceeding)

Suspicious use of WriteProcessMemory (the sample process writes into the cmd.exe and dropped-EXE processes it started, behavioral1)

MITRE ATT&CK (Enterprise Matrix V15): no techniques are listed in this report.

Analysis: static1

Detonation Overview

Reported

2024-06-09 07:56

Signatures

Unsigned PE

No indicator details recorded: the signature is a property of the file itself (it carries no Authenticode signature).

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 07:55

Reported

2024-06-09 07:58

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe"

Signatures

Drops file in Drivers directory

Description: File opened for modification
Indicator: C:\Windows\System32\drivers\etc\hosts
Process: C:\Windows\SysWOW64\cmd.exe (running G34RSETT13.bat, see Processes)
Target: N/A

Note that the path under drivers\ is the hosts file; editing it redirects or sinkholes name resolution on the victim, which is a different concern from installing a driver.

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation (the user's configured country code, often read to gate execution by locale)
Process: C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe
Target: N/A

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE (no further indicator details)

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe

"C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G34RSETT13.bat" "

C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE

"C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp
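Every row in this table is a PTR (reverse) query: the names are in-addr.arpa labels, so the address each one asks about is the four labels read backwards. The following script is an added example, not part of the sandbox report: it decodes the rows above back to IPv4 addresses and separates reverse lookups from forward lookups and non-DNS traffic, which is the first thing to do before treating a sandbox network table as a list of IOCs. The row data is copied from the table; the ip6.arpa branch goes beyond what this report needs and is included for completeness.

```python
import ipaddress

# Rows copied from the behavioral2 Network table above:
# (country, destination, queried name, protocol).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "183.142.211.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "140.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "28.118.140.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "241.150.49.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "50.23.12.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "56.126.166.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "21.236.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "227.162.46.104.in-addr.arpa", "udp"),
]


def ptr_to_ip(name):
    """Map a reverse-DNS name (in-addr.arpa or ip6.arpa) back to the address it asks about.

    Returns the address as a string, or None if `name` is not a well-formed PTR name.
    """
    labels = name.strip().rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        # PTR names list the octets least-significant first, so reverse them.
        octets = labels[:4][::-1]
        try:
            return str(ipaddress.IPv4Address(".".join(octets)))
        except ValueError:
            return None
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        # 32 single-hex-digit labels, also least-significant first.
        nibbles = "".join(labels[:32][::-1])
        try:
            return str(ipaddress.IPv6Address(int(nibbles, 16)))
        except ValueError:
            return None
    return None


def summarize_dns(rows):
    """Split sandbox network rows into reverse lookups (decoded), forward lookups and everything else."""
    out = {"resolvers": set(), "reverse": [], "forward": [], "other": []}
    for _country, dest, name, proto in rows:
        host, _, port = dest.rpartition(":")
        if not (proto == "udp" and port == "53"):
            out["other"].append((dest, name, proto))
            continue
        out["resolvers"].add(host)
        ip = ptr_to_ip(name)
        if ip is not None:
            out["reverse"].append(ip)
        else:
            out["forward"].append(name)
    out["resolvers"] = sorted(out["resolvers"])
    return out


if __name__ == "__main__":
    summary = summarize_dns(NETWORK_ROWS)
    print("resolvers:      ", summary["resolvers"])
    print("reverse lookups:", summary["reverse"])
    print("forward lookups:", summary["forward"])
    print("other traffic:  ", summary["other"])
```

Run against the rows above, the script reports nine reverse lookups and no forward lookups or other connections. Reverse lookups of this kind are commonly generated by the operating system in the sandbox rather than by the sample; without a forward lookup or a connection attributed to the sample's process, this detonation yields no command-and-control indicator, and the decoded addresses should not be blocklisted on the strength of this table alone.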

Files

C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE

MD5 38be3a3a5b9e13d14e0b02bda895987d
SHA1 7c6feb666012e0468cebeffb45cd094161469cdf
SHA256 7875eb995e32a29d10e878f76fe2dab6da32e4042bb5d2f7f427673db3b82a91
SHA512 4b40050fd159fb79075b9a8ffaa47501444a3b88ed85c38f93f14927072df03c57c321bf1cec40cdd6196d0514ff71c4a4a32851e1f3a74e217b58262a8c1454

C:\Users\Admin\AppData\Local\Temp\G34RSETT13.bat

MD5 a335f477a541d2600481c71ee64c1f62
SHA1 b9fa6b64d0e5e36db9ec6162679d2df897515bc9
SHA256 0779a9432a71f02299e9078b58f512d9667949d4eb9ea60283daec64a6526bae
SHA512 918f74f1a80ae6b555f8831d23285aef514eaeb58deefa58b28f626bc980af2a88523d52f1ff40c238a9bdb577718535784a9e87610f92b13d6460b2b5dc520b

C:\Windows\System32\drivers\etc\hosts

MD5 6b0dd15ed54a35c29b0f2e58f30d89a9
SHA1 d3be5b9b0095c59799a166d2ff0346f45d914ff1
SHA256 0412e9ae87a345df6590192a6f975d0c50bdf35eb80ca793592018259fef67c6
SHA512 689b2453ba4b969baf7e5f7a3e5e03983dd4e617afe8df0ba5f743929ff55cbad7b08925a2d654c7c1e68dc721b41bb46abd9a127e55dede34c8b277c081cdf5

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 07:55

Reported

2024-06-09 07:58

Platform

win7-20240221-en

Max time kernel

144s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe"

Signatures

Drops file in Drivers directory

Description: File opened for modification
Indicator: C:\Windows\System32\drivers\etc\hosts
Process: C:\Windows\SysWOW64\cmd.exe (running G34RSETT13.bat, see Processes)
Target: N/A

As in behavioral2, the file under drivers\ is the hosts file, not a driver.

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE (no further indicator details)

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Process: C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE (no further indicator details)

Suspicious use of WriteProcessMemory

Description: PID 2844 wrote to memory of 1652 (logged 7 times)
Process: C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe
Target: C:\Windows\SysWOW64\cmd.exe

Description: PID 2844 wrote to memory of 2624 (logged 7 times)
Process: C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe
Target: C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE

Both targets are the cmd.exe and dropped-EXE processes listed under Processes; the sandbox records the writes, not their content.

Processes

C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe

"C:\Users\Admin\AppData\Local\Temp\bc69927fa7bc17a8b7bda5e8065baa748e12ceaed7df3c2117b7c4889fd51a99.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\G34RSETT13.bat" "

C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE

"C:\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE"

Network

N/A

Files (the hosts file is listed four times below with distinct hashes: it was captured in four different states during this run)

C:\Users\Admin\AppData\Local\Temp\G34RSETT13.bat

MD5 a335f477a541d2600481c71ee64c1f62
SHA1 b9fa6b64d0e5e36db9ec6162679d2df897515bc9
SHA256 0779a9432a71f02299e9078b58f512d9667949d4eb9ea60283daec64a6526bae
SHA512 918f74f1a80ae6b555f8831d23285aef514eaeb58deefa58b28f626bc980af2a88523d52f1ff40c238a9bdb577718535784a9e87610f92b13d6460b2b5dc520b

\Users\Admin\AppData\Local\Temp\CracKingD0M_ULTRAIS0.EXE

MD5 38be3a3a5b9e13d14e0b02bda895987d
SHA1 7c6feb666012e0468cebeffb45cd094161469cdf
SHA256 7875eb995e32a29d10e878f76fe2dab6da32e4042bb5d2f7f427673db3b82a91
SHA512 4b40050fd159fb79075b9a8ffaa47501444a3b88ed85c38f93f14927072df03c57c321bf1cec40cdd6196d0514ff71c4a4a32851e1f3a74e217b58262a8c1454

C:\Windows\System32\drivers\etc\hosts

MD5 6a68a3264753e03ec3bd161b8698c29c
SHA1 873fb85de2dbe99c5ed7c37ba67f0f3d4057b0cf
SHA256 068147434b85749c3db5d635eab793f02e2a191c54d23504121171757d9f947a
SHA512 7e7a1eee3bf0be8029b25812ab79afde64893226390f9d41419d5aee10f63d9e4892ade0deb5572f439e097f8eeeadcf75d900083296b6e18aa4a5dc36fed310

C:\Windows\System32\drivers\etc\hosts

MD5 2b69d830e0d50950e710cdaf4b47888a
SHA1 3f803393171c96ec7dbd173dd78511ee4404e991
SHA256 2b91221ae2468bbe90070d5716242cefa0d4d8d407dbea6a4c736b83745f1ace
SHA512 e1c77a5819aaf7126e9b3163e0a25fb9ad5ee85773a9dd33c26c073e6683fa13b6ecf05e72134287d7fec94cffceaed0a84cd3c0d5dfca443a4faa0f602457d1

C:\Windows\System32\drivers\etc\hosts

MD5 ec771bfe6c0747127cc367fb8942b4f4
SHA1 3f1f4ae651a63d1f585d0416088fa45040bbc9f1
SHA256 a9e337bb4d2a233208e5274fdd243f9fa9889a578fd5a6884f745f34b0cd210e
SHA512 4f8a9b2431707fa2963ae96c4af60375b2a1347bf826121c351bc89fc74d8e36ff265f47631fe5b998e076f2969a89db6f41d7afda6cbec21cc10cd82899f5b0

C:\Windows\System32\drivers\etc\hosts

MD5 02d4c152f3f35a30eb87a864582565f8
SHA1 9564b2fc39530ebe90043539963d4e4a0ffbf9f2
SHA256 28baf3bb7d414ccfd62185f3deff6bd1ed28dddd855e5aa09d2a6bd2b1edb9c8
SHA512 484d4e103c1e2a8d326e5f2450455e69aa16bcf29f2061db421cebf1882115f0f8ff01fdf18ec2b96cf6ff28b18669a12fbdc80507cb3c9249c1e8b5015a85fe
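The report records five distinct SHA-256 values for C:\Windows\System32\drivers\etc\hosts across the two detonations but not the file's contents, so the useful checks on a suspected host are (a) whether its hosts file matches one of those captured states and (b) whether it contains any active mapping beyond the loopback defaults. The following audit script is an added example, not code from the report or the sandbox vendor. The hash set is copied from the Files sections above; the two sample hosts files are constructed for the demonstration and use reserved example names and addresses.

```python
import hashlib

# SHA-256 of the hosts file as captured in the behavioral1 and behavioral2 runs above.
REPORT_HOSTS_SHA256 = {
    "0412e9ae87a345df6590192a6f975d0c50bdf35eb80ca793592018259fef67c6",
    "068147434b85749c3db5d635eab793f02e2a191c54d23504121171757d9f947a",
    "2b91221ae2468bbe90070d5716242cefa0d4d8d407dbea6a4c736b83745f1ace",
    "a9e337bb4d2a233208e5274fdd243f9fa9889a578fd5a6884f745f34b0cd210e",
    "28baf3bb7d414ccfd62185f3deff6bd1ed28dddd855e5aa09d2a6bd2b1edb9c8",
}

LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return the active (address, hostname) pairs in a hosts file, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # address with no hostname: malformed, resolves nothing
        addr, names = fields[0], fields[1:]
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def audit_hosts(data):
    """Hash the raw file bytes and classify every non-default mapping.

    'sinkhole' = a hostname pointed at a local address (blocks reaching it);
    'redirect' = a hostname pointed somewhere else (hijacks the name).
    """
    digest = hashlib.sha256(data).hexdigest()
    text = data.decode("utf-8", errors="replace")
    findings = []
    for addr, name in parse_hosts(text):
        if addr in LOCAL_ADDRS and name in LOOPBACK_NAMES:
            continue  # the stock loopback entries are benign
        kind = "sinkhole" if addr in LOCAL_ADDRS else "redirect"
        findings.append((kind, addr, name))
    return {
        "sha256": digest,
        "matches_report": digest in REPORT_HOSTS_SHA256,
        "findings": findings,
    }


# Constructed sample contents for the demonstration; the report gives only hashes, not text.
CLEAN_HOSTS = (
    b"# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    b"#\r\n"
    b"# 127.0.0.1       localhost\r\n"
    b"# ::1             localhost\r\n"
)
TAMPERED_HOSTS = CLEAN_HOSTS + (
    b"127.0.0.1 activation.example.invalid  # sinkhole a vendor check\r\n"
    b"203.0.113.10 update.example.invalid\r\n"
)

if __name__ == "__main__":
    for label, data in (("clean", CLEAN_HOSTS), ("tampered", TAMPERED_HOSTS)):
        result = audit_hosts(data)
        print(f"{label}: sha256={result['sha256'][:16]}... matches report: {result['matches_report']}")
        for kind, addr, name in result["findings"]:
            print(f"  {kind:8} {addr:>15} -> {name}")
```

On a live Windows host, `Get-FileHash -Algorithm SHA256 C:\Windows\System32\drivers\etc\hosts` gives the value to compare against REPORT_HOSTS_SHA256; a match is a direct hit on one of the states captured here, while a non-matching hash with active non-loopback entries still deserves review, since the batch file may write different content on different machines.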