b29261ac573e45ba0978d0be4c42e9505d0b77053d3101a11d32128f674ae7ad

Resubmissions

10-06-2024 23:35

240610-3k54xsvflf 7

10-06-2024 23:22

240610-3cm85svgmk 7

Analysis

max time kernel
1200s
max time network
1202s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CyberGhost-VPN-Crack_mWG8uTgAlP.zip
Size

5.6MB
MD5

23059fed8f2977763f5db5d9a7ca83d0
SHA1

0836e4bffe5fb80f63a8b2c4bac5069c2722f491
SHA256

b29261ac573e45ba0978d0be4c42e9505d0b77053d3101a11d32128f674ae7ad
SHA512

a2ad0956c61660b27e55c8d0b91c7fc87d3a58789ebda4ee824bd8447cb781dc3e54056a2015fc19a389b5bdcbb936695ef8a8702af5600ca612e12ac3c79cbe
SSDEEP

98304:kBQrZOL2VBygqqN57D7O4jcA9pUMlQnDmiAAZgpFCk5oYgrAdHMUrRy3vXdTe4:kyrgaVBygqqN5Tr9pUJ2AaK2IARMEifb

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1836	CyberGhost-VPN-Crack_mWG8uTgAlP.exe
3840	CyberGhost-VPN-Crack_mWG8uTgAlP.tmp
1196	passion32.exe

Loads dropped DLL 1 IoCs

pid	Process
3840	CyberGhost-VPN-Crack_mWG8uTgAlP.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 28 IoCs

pid	pid_target	Process	procid_target
1704	1196	WerFault.exe	111
3748	1196	WerFault.exe	111
1380	1196	WerFault.exe	111
4900	1196	WerFault.exe	111
3844	1196	WerFault.exe	111
4616	1196	WerFault.exe	111
2844	1196	WerFault.exe	111
4448	1196	WerFault.exe	111
3488	1196	WerFault.exe	111
708	1196	WerFault.exe	111
3184	1196	WerFault.exe	111
4360	1196	WerFault.exe	111
1368	1196	WerFault.exe	111
4516	1196	WerFault.exe	111
1692	1196	WerFault.exe	111
2928	1196	WerFault.exe	111
2204	1196	WerFault.exe	111
4812	1196	WerFault.exe	111
5116	1196	WerFault.exe	111
1820	1196	WerFault.exe	111
4516	1196	WerFault.exe	111
2980	1196	WerFault.exe	111
1496	1196	WerFault.exe	111
2400	1196	WerFault.exe	111
4612	1196	WerFault.exe	111
868	1196	WerFault.exe	111
3436	1196	WerFault.exe	111
3116	1196	WerFault.exe	111

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3840	CyberGhost-VPN-Crack_mWG8uTgAlP.tmp
3840	CyberGhost-VPN-Crack_mWG8uTgAlP.tmp
1196	passion32.exe
1196	passion32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1568	7zG.exe
Token: 35	1568	7zG.exe
Token: SeSecurityPrivilege	1568	7zG.exe
Token: SeSecurityPrivilege	1568	7zG.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1568	7zG.exe
3840	CyberGhost-VPN-Crack_mWG8uTgAlP.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 3840	1836	CyberGhost-VPN-Crack_mWG8uTgAlP.exe	109
PID 1836 wrote to memory of 3840	1836	CyberGhost-VPN-Crack_mWG8uTgAlP.exe	109
PID 1836 wrote to memory of 3840	1836	CyberGhost-VPN-Crack_mWG8uTgAlP.exe	109
PID 3840 wrote to memory of 4924	3840	CyberGhost-VPN-Crack_mWG8uTgAlP.tmp	110
PID 3840 wrote to memory of 4924	3840	CyberGhost-VPN-Crack_mWG8uTgAlP.tmp	110
PID 3840 wrote to memory of 4924	3840	CyberGhost-VPN-Crack_mWG8uTgAlP.tmp	110
PID 3840 wrote to memory of 1196	3840	CyberGhost-VPN-Crack_mWG8uTgAlP.tmp	111
PID 3840 wrote to memory of 1196	3840	CyberGhost-VPN-Crack_mWG8uTgAlP.tmp	111
PID 3840 wrote to memory of 1196	3840	CyberGhost-VPN-Crack_mWG8uTgAlP.tmp	111

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\CyberGhost-VPN-Crack_mWG8uTgAlP.zip
1⤵
PID:1236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:4448

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\CyberGhost-VPN-Crack_mWG8uTgAlP\" -spe -an -ai#7zMap25472:142:7zEvent19434
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1568

C:\Users\Admin\AppData\Local\Temp\CyberGhost-VPN-Crack_mWG8uTgAlP\CyberGhost-VPN-Crack_mWG8uTgAlP.exe
"C:\Users\Admin\AppData\Local\Temp\CyberGhost-VPN-Crack_mWG8uTgAlP\CyberGhost-VPN-Crack_mWG8uTgAlP.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\is-182O6.tmp\CyberGhost-VPN-Crack_mWG8uTgAlP.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-182O6.tmp\CyberGhost-VPN-Crack_mWG8uTgAlP.tmp" /SL5="$50298,5599109,56832,C:\Users\Admin\AppData\Local\Temp\CyberGhost-VPN-Crack_mWG8uTgAlP\CyberGhost-VPN-Crack_mWG8uTgAlP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "Passion_6102"
    3⤵
    PID:4924
- - C:\Users\Admin\AppData\Local\Passion\passion32.exe
    "C:\Users\Admin\AppData\Local\Passion\passion32.exe" 33b0fe57ead94886b8fddaf447173081
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 888
      4⤵
      Program crash
      PID:1704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 900
      4⤵
      Program crash
      PID:3748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 956
      4⤵
      Program crash
      PID:1380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 980
      4⤵
      Program crash
      PID:4900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1256
      4⤵
      Program crash
      PID:3844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1272
      4⤵
      Program crash
      PID:4616
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1324
      4⤵
      Program crash
      PID:2844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1308
      4⤵
      Program crash
      PID:4448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1344
      4⤵
      Program crash
      PID:3488
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1000
      4⤵
      Program crash
      PID:708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1012
      4⤵
      Program crash
      PID:3184
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1312
      4⤵
      Program crash
      PID:4360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1304
      4⤵
      Program crash
      PID:1368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 992
      4⤵
      Program crash
      PID:4516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1368
      4⤵
      Program crash
      PID:1692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1376
      4⤵
      Program crash
      PID:2928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1276
      4⤵
      Program crash
      PID:2204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 976
      4⤵
      Program crash
      PID:4812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1408
      4⤵
      Program crash
      PID:5116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1216
      4⤵
      Program crash
      PID:1820
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1028
      4⤵
      Program crash
      PID:4516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1428
      4⤵
      Program crash
      PID:2980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1404
      4⤵
      Program crash
      PID:1496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1424
      4⤵
      Program crash
      PID:2400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1388
      4⤵
      Program crash
      PID:4612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1408
      4⤵
      Program crash
      PID:868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1032
      4⤵
      Program crash
      PID:3436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1392
      4⤵
      Program crash
      PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1196 -ip 1196
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1196 -ip 1196
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1196 -ip 1196
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1196 -ip 1196
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1196 -ip 1196
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1196 -ip 1196
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1196 -ip 1196
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1196 -ip 1196
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1196 -ip 1196
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1196 -ip 1196
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1196 -ip 1196
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1196 -ip 1196
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1196 -ip 1196
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1196 -ip 1196
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1196 -ip 1196
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1196 -ip 1196
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1196 -ip 1196
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1196 -ip 1196
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1196 -ip 1196
1⤵
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1196 -ip 1196
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1196 -ip 1196
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1196 -ip 1196
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1196 -ip 1196
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1196 -ip 1196
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1196 -ip 1196
1⤵
PID:180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1196 -ip 1196
1⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1196 -ip 1196
1⤵
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 1196 -ip 1196
1⤵
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Passion\passion32.exe

Filesize
3.9MB

MD5
e9204a64fe0a819f7ffc0267d3c2061b

SHA1
e667de9be231fe3d63ee5d7fcd824da5b1d211ae

SHA256
53eea7303b5beb7863431dcfc8af84baa40511625ef58f9891540055bdc74283

SHA512
9652ad6781558b7f525ba17c6c2cc868fd16cfa6772ae1f03a8e398a469ef864a626883dfc585464a6127e56f524386b2d183bc9299fc80dc3bb18444c391d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\CyberGhost-VPN-Crack_mWG8uTgAlP\CyberGhost-VPN-Crack_mWG8uTgAlP.exe

Filesize
5.6MB

MD5
9b4c85945e411d62c12049aa3379a772

SHA1
159b79d8da67eed91a7bce169d4454624d55ba18

SHA256
3d6aad0baca821ee45ed104ae5fce1faad69bc4eea3c7c9d9fd3edea3aa57b8a

SHA512
1055206cfa669ee01d943413c9359d4ad875a7e762393d5e56cb4c134e65a371cb5a8e45deb9aa35493bf510a0ef084c6d36b776ad8108f6d5dca65d94ad73f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-182O6.tmp\CyberGhost-VPN-Crack_mWG8uTgAlP.tmp

Filesize
694KB

MD5
24821fbb86a16c230a7073128ec09c42

SHA1
c0e36eacccae638da83ad1587ca3d4df4fa6558f

SHA256
e775e1905fdc27bfc4cb08a8fecf98e745b902920350556d366f36497114aeb8

SHA512
4836a09c0adf4929be7bb9ecfdad24d90ba2f8b650b1a2d99526d48a79aeb281709bbd47a852a8f8c20089a9a693ed42a693d0aba28c1add3a11433d63d36792

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O6FM0.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1196-75-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/1196-76-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/1196-79-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/1196-82-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/1836-6-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1836-77-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3840-78-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download