Analysis
- max time kernel: 95s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-08-2024 14:59
Static task
- static1
Behavioral task
- behavioral1: Sample howl cracked/VMProtectSDK64.dll, Resource win7-20240708-en
- behavioral2: Sample howl cracked/VMProtectSDK64.dll, Resource win10v2004-20240802-en
- behavioral3: Sample howl cracked/backend.dll, Resource win7-20240704-en
- behavioral4: Sample howl cracked/backend.dll, Resource win10v2004-20240802-en
- behavioral5: Sample howl cracked/build patch.exe, Resource win7-20240705-en
- behavioral6: Sample howl cracked/build patch.exe, Resource win10v2004-20240802-en
General
- Target: howl cracked/build patch.exe
- Size: 1.4MB
- MD5: 12e377b3790dfe601181b1d20f47c3e3
- SHA1: ea56f83370eea618df26837524454bf8487c9976
- SHA256: 86e0c4a3ad1c88d1bc22efa39311b80de428291d40f89a43cfc199a563b9be3f
- SHA512: f6f3deb097a751341937f1f944e74a84c3b96aca7892ade01e50da854fc5d5ad3727f4c1ea4dbf1c881ab9a7007f6fcd51c7a5d87fa11a965367371613ca3107
- SSDEEP: 24576:wzJnIwl1Hsf2BZ9JnMKKQZiXDeOPaW4C30Wemex2ze+9SpPLn7J0:wNdsf2dJnMQ0mPe
Malware Config
Signatures
- Sets service image path in registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\3bPyvSRylJUVsSZr\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\3bPyvSRylJUVsSZr" | build patch.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  5020 | build patch.exe (4 entries)
  4932 | taskmgr.exe (60 entries)
- Suspicious behavior: LoadsDriver (1 IoC)
  pid | Process
  5020 | build patch.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeLoadDriverPrivilege | 5020 | build patch.exe
  Token: SeDebugPrivilege | 4932 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 4932 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 4932 | taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid | Process
  4932 | taskmgr.exe (64 entries)
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid | Process
  4932 | taskmgr.exe (64 entries)
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 5020 wrote to memory of 4808 | 5020 | build patch.exe | 85 (2 entries)
  PID 5020 wrote to memory of 3388 | 5020 | build patch.exe | 86 (2 entries)
  PID 3388 wrote to memory of 4072 | 3388 | cmd.exe | 87 (2 entries)
  PID 3388 wrote to memory of 4428 | 3388 | cmd.exe | 88 (2 entries)
  PID 3388 wrote to memory of 1284 | 3388 | cmd.exe | 89 (2 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\howl cracked\build patch.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\howl cracked\build patch.exe"
  PID: 5020
  - Sets service image path in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c color f
    PID: 4808
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\howl cracked\build patch.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    PID: 3388
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\certutil.exe
      Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\howl cracked\build patch.exe" MD5
      PID: 4072
    - C:\Windows\system32\find.exe
      Command line: find /i /v "md5"
      PID: 4428
    - C:\Windows\system32\find.exe
      Command line: find /i /v "certutil"
      PID: 1284
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 4932
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage