Analysis

  • max time kernel
    18s
  • max time network
    13s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-08-2024 20:45

General

  • Target

    Etheral Private cracked_Kali.exe

  • Size

    2.8MB

  • MD5

    b9d454512d56e4a373ac676390202d55

  • SHA1

    ce4a595f4cc1e07a8b0db0f54f68e7b7dae1c8f5

  • SHA256

    fad7dda2a454d54436b32e4baf5856cf0e6f15d5abe3eedb71e51a01c466405a

  • SHA512

    55055cce42fd8c751e11470a2e61ad657c2e393cc611883b0361d6f4c896283c682b0d5f2292bf7d52b8d3bb3f153af09327554cd19dc76454aba75f063ef576

  • SSDEEP

    24576:NifzMZkZzWXORiyDkH4BmUB9nlRvuGKFmLmyzD+7hoe+l3lhMdAvW4C30Wemex26:mekb9Bbn1Soe+lK5rF/iJ

Score
8/10

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Etheral Private cracked_Kali.exe
    "C:\Users\Admin\AppData\Local\Temp\Etheral Private cracked_Kali.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4444
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c color 0b
      2⤵
      PID:3592
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Etheral Private cracked_Kali.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Etheral Private cracked_Kali.exe" MD5
        3⤵
        PID:832
      • C:\Windows\system32\find.exe
        find /i /v "md5"
        3⤵
        PID:224
      • C:\Windows\system32\find.exe
        find /i /v "certutil"
        3⤵
        PID:1860
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Etheral Private cracked_Kali.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4924
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Etheral Private cracked_Kali.exe" MD5
        3⤵
        PID:3984
      • C:\Windows\system32\find.exe
        find /i /v "md5"
        3⤵
        PID:1276
      • C:\Windows\system32\find.exe
        find /i /v "certutil"
        3⤵
        PID:4484
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:4996
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\mp.exe C:\Users\dr.sys
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3116
      • C:\Users\mp.exe
        C:\Users\mp.exe C:\Users\dr.sys
        3⤵
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:2616
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:1272

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\mp.exe

    Filesize
    530KB

    MD5
    37be44c7e6a3adbe4cae43da42996d2b

    SHA1
    50599b2f8a255afe2b48079bbadf24bed4d0e513

    SHA256
    914fa2b0c09fd2fa535378bebcc7faf2b6093ed6a70d9215896620d6b55f7593

    SHA512
    3f9dab0ac49dd94578e63e1619a7f17a37967c1a9d569629581c5ca461224d6ac38f9ef54a7be8aacece9669c1746a811916edf8fdc759d653a43e9e36920fba

  • C:\Users\symbols\8a7acf8a27881ad9887fc425cd6c5f95.pdb

    Filesize
    915KB

    MD5
    4b2287f71f2ecff41b8a8c9b67cf4b26

    SHA1
    82902a45fe76625de77528a82b165d57bf190613

    SHA256
    6c7ad0ffc2045a1050313ce327e4993e2bd4d6749a819440c352e501af097970

    SHA512
    d96ba4a52d45d3f844da4e5da1e94941aa0cee095ef4ca423e445d48cef5187f55518e3653beed1ee879e1aec61d4bf53eabc70d68737bb7d7579db229481861