7d52402f16b59ecba6ddb533b5b023730f5bf2a06b307dffab8645344085e22b

General

Target

Luxury+Shield+Cracked+By+@Vidhayakji786.exe
Size

7.6MB
MD5

1117ddb074d8f71058637a7dd16fa36e
SHA1

ecb5fd94837008ed88d3f911e952b5ad3b7022b3
SHA256

7d52402f16b59ecba6ddb533b5b023730f5bf2a06b307dffab8645344085e22b
SHA512

12f1993b1470c2d6a3830a467f679e97479fe384a2c8bc540f6aa99c262276c7616b44a8cb60f4ac1330a3f6e3a6073e696a72a4b4a1ade17862db02d0bf0125
SSDEEP

196608:baFVnyDTbyYIbX5YGVCurV7hPNCgCe+aE:uFByzwiRQCw+9

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5016	Luxury+Shield+Cracked+By+@Vidhayakji786.exe
5016	Luxury+Shield+Cracked+By+@Vidhayakji786.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4032	5016	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Luxury+Shield+Cracked+By+@Vidhayakji786.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5016	Luxury+Shield+Cracked+By+@Vidhayakji786.exe
Token: SeDebugPrivilege	1844	taskmgr.exe
Token: SeSystemProfilePrivilege	1844	taskmgr.exe
Token: SeCreateGlobalPrivilege	1844	taskmgr.exe
Token: 33	1844	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1844	taskmgr.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe
1844	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5016	Luxury+Shield+Cracked+By+@Vidhayakji786.exe

C:\Users\Admin\AppData\Local\Temp\Luxury+Shield+Cracked+By+@Vidhayakji786.exe
"C:\Users\Admin\AppData\Local\Temp\Luxury+Shield+Cracked+By+@Vidhayakji786.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1032
  2⤵
  - Program crash
  PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5016 -ip 5016
1⤵
PID:4448

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1844-15-0x0000024D17020000-0x0000024D17021000-memory.dmp

Filesize
4KB

Download
memory/1844-6-0x0000024D17020000-0x0000024D17021000-memory.dmp

Filesize
4KB

Download
memory/1844-12-0x0000024D17020000-0x0000024D17021000-memory.dmp

Filesize
4KB

Download
memory/1844-13-0x0000024D17020000-0x0000024D17021000-memory.dmp

Filesize
4KB

Download
memory/1844-7-0x0000024D17020000-0x0000024D17021000-memory.dmp

Filesize
4KB

Download
memory/1844-14-0x0000024D17020000-0x0000024D17021000-memory.dmp

Filesize
4KB

Download
memory/1844-16-0x0000024D17020000-0x0000024D17021000-memory.dmp

Filesize
4KB

Download
memory/1844-8-0x0000024D17020000-0x0000024D17021000-memory.dmp

Filesize
4KB

Download
memory/1844-17-0x0000024D17020000-0x0000024D17021000-memory.dmp

Filesize
4KB

Download
memory/1844-18-0x0000024D17020000-0x0000024D17021000-memory.dmp

Filesize
4KB

Download
memory/5016-4-0x0000000000370000-0x00000000016C2000-memory.dmp

Filesize
19.3MB

Download
memory/5016-1-0x000000007F410000-0x000000007F7E1000-memory.dmp

Filesize
3.8MB

Download
memory/5016-0-0x0000000000370000-0x00000000016C2000-memory.dmp

Filesize
19.3MB

Download
memory/5016-5-0x000000007F410000-0x000000007F7E1000-memory.dmp

Filesize
3.8MB

Download
memory/5016-3-0x0000000000370000-0x00000000016C2000-memory.dmp

Filesize
19.3MB

Download
memory/5016-2-0x000000007473E000-0x000000007473F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing