d612dca4a8fdbb3f559bec6e238183b4def59d16c9e6daa6bcd7ebc681788d78

General

Target

GC-Cracked.exe
Size

38.7MB
MD5

1dfb83bd1064ce3ea06668d695502adf
SHA1

909d179c2da984fd233ef1c80db3c8274b52e02b
SHA256

d612dca4a8fdbb3f559bec6e238183b4def59d16c9e6daa6bcd7ebc681788d78
SHA512

87af398a38226c30bde7ddf56196ad7075c271b70610f05858bc5e3c9e799d9185aef31dc331dec1b69248bf165fc098c1fe6cbf868c73d4173b34d333823632
SSDEEP

786432:KGzxfrl5B5Hxc5RVqe+K+jrqrWBA1y3z+pOMoDoBXuO0WCN/:KmNzbHIUKNrO0BXuB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2292	Random.exe
2436	gc.exe
2880	Random.exe
1180	Process not Found

Loads dropped DLL 6 IoCs

pid	Process
2956	GC-Cracked.exe
2956	GC-Cracked.exe
2292	Random.exe
2880	Random.exe
296	Process not Found
1180	Process not Found

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001944e-60.dat	upx
behavioral1/memory/2880-62-0x000007FEF5560000-0x000007FEF5C25000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\eicar.com	gc.exe
File opened for modification	C:\Windows\System32\eicar.com	gc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2436	gc.exe
2436	gc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000a000000012283-2.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

EICAR Anti-Malware test file 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019524-80.dat	eicar_test_file

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2436	gc.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2292	2956	GC-Cracked.exe	28
PID 2956 wrote to memory of 2292	2956	GC-Cracked.exe	28
PID 2956 wrote to memory of 2292	2956	GC-Cracked.exe	28
PID 2956 wrote to memory of 2292	2956	GC-Cracked.exe	28
PID 2956 wrote to memory of 2436	2956	GC-Cracked.exe	29
PID 2956 wrote to memory of 2436	2956	GC-Cracked.exe	29
PID 2956 wrote to memory of 2436	2956	GC-Cracked.exe	29
PID 2956 wrote to memory of 2436	2956	GC-Cracked.exe	29
PID 2292 wrote to memory of 2880	2292	Random.exe	31
PID 2292 wrote to memory of 2880	2292	Random.exe	31
PID 2292 wrote to memory of 2880	2292	Random.exe	31
PID 2436 wrote to memory of 2720	2436	gc.exe	35
PID 2436 wrote to memory of 2720	2436	gc.exe	35
PID 2436 wrote to memory of 2720	2436	gc.exe	35
PID 2436 wrote to memory of 1544	2436	gc.exe	36
PID 2436 wrote to memory of 1544	2436	gc.exe	36
PID 2436 wrote to memory of 1544	2436	gc.exe	36
PID 2436 wrote to memory of 1692	2436	gc.exe	37
PID 2436 wrote to memory of 1692	2436	gc.exe	37
PID 2436 wrote to memory of 1692	2436	gc.exe	37
PID 2436 wrote to memory of 1308	2436	gc.exe	38
PID 2436 wrote to memory of 1308	2436	gc.exe	38
PID 2436 wrote to memory of 1308	2436	gc.exe	38

C:\Users\Admin\AppData\Local\Temp\GC-Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\GC-Cracked.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\Random.exe
  "C:\Users\Admin\AppData\Local\Temp\Random.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\Random.exe
    "C:\Users\Admin\AppData\Local\Temp\Random.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2880
- C:\Users\Admin\AppData\Local\Temp\gc.exe
  "C:\Users\Admin\AppData\Local\Temp\gc.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI22922\python312.dll

Filesize
1.7MB

MD5
3e5a523e2b08424c39a53dcba0c4f335

SHA1
c6bafbf6501b62f23e0c2f4f68db822827babd76

SHA256
d6864c703deb033db0c5bd9962d88b1e2e6b39f942f44558385ae9a0aff7eac3

SHA512
74533088aee88b27d1cc94e56e70066109e05d6f1cfd3b4d647d16dc8a5977262f91e16dd875683c7e13dec0ed88d5febdd2058ca5ecc413e17934d782ade8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gc.exe

Filesize
27.9MB

MD5
e763a1fec822fbd77b99d43397e92661

SHA1
1bd59e61bbdd226357445a927a222afa5c06b347

SHA256
5e47cbd87cd87c776732724c6c64c7ee1d4454ee0e05dc09d75b46e13ef009a4

SHA512
61e48f175f2aeee0227505ae7fa4b71ff1265124826a47d1578509755d3933a0bc6e11bbbca6ce7b6d3fe55094b9ff9575dc807a1e65fed9aef5f5c5b282e013

Download Submit
C:\Users\Admin\AppData\Local\eicar.com

Filesize
68B

MD5
44d88612fea8a8f36de82e1278abb02f

SHA1
3395856ce81f2b7382dee72602f798b642f14140

SHA256
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f

SHA512
cc805d5fab1fd71a4ab352a9c533e65fb2d5b885518f4e565e68847223b8e6b85cb48f3afad842726d99239c9e36505c64b0dc9a061d9e507d833277ada336ab

Download Submit
\Users\Admin\AppData\Local\Temp\Random.exe

Filesize
10.8MB

MD5
6d1350a0bf5967f1ba997dedffe269c3

SHA1
62c6acf6290d228cdaf6831a453843d48ff48bea

SHA256
b081ff18e10debb0c42c059e33b04cf04d9fdfe52b48be421552b48989f28463

SHA512
8468c3fb5c6f807354c2ad532214deac8b446c7b362d1c4eeb97d28a02954b8c8971ed5bd3bf76e58e892c13d72faf79365a5dee6c4b3948ed387b8c1280e037

Download Submit
memory/2436-66-0x00000000772B0000-0x00000000772B2000-memory.dmp

Filesize
8KB

Download
memory/2436-68-0x00000000772B0000-0x00000000772B2000-memory.dmp

Filesize
8KB

Download
memory/2436-64-0x00000000772B0000-0x00000000772B2000-memory.dmp

Filesize
8KB

Download
memory/2436-69-0x000000013F850000-0x000000014268F000-memory.dmp

Filesize
46.2MB

Download
memory/2880-62-0x000007FEF5560000-0x000007FEF5C25000-memory.dmp

Filesize
6.8MB

Download

Analysis

Sharing