ab6bcb02b7eeeb3312b92a7ccea718693fc9187829ed2a36d5784d3468ee6b8d

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

executecracked (1).exe
Size

704KB
MD5

cdc6a3db2a6a1a5b75e00938653c3196
SHA1

fc61e85f45a85c5111b17b343d8f7796218b3c60
SHA256

ab6bcb02b7eeeb3312b92a7ccea718693fc9187829ed2a36d5784d3468ee6b8d
SHA512

12af74d1507c1c1800baf06d69cb91f81da08d56c5fe3e13158b0ae23858c0a7bb2cc952700fcdef0f8395a1429a47a4bcd61954795a5e70ecd9a9bbd9e21eeb
SSDEEP

12288:PLYw8nX5leqa0xwc63kME558pBzR8QtZSi7:z4X5Aqrq3kMW5yBvy

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 5 IoCs

evasion

pid	Process
4864	taskkill.exe
2248	taskkill.exe
1424	taskkill.exe
2948	taskkill.exe
4060	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2064	reg.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	2948	taskkill.exe
Token: SeDebugPrivilege	4060	taskkill.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1172	2124	executecracked (1).exe	99
PID 2124 wrote to memory of 1172	2124	executecracked (1).exe	99
PID 1172 wrote to memory of 4864	1172	cmd.exe	100
PID 1172 wrote to memory of 4864	1172	cmd.exe	100
PID 2124 wrote to memory of 112	2124	executecracked (1).exe	101
PID 2124 wrote to memory of 112	2124	executecracked (1).exe	101
PID 112 wrote to memory of 2248	112	cmd.exe	102
PID 112 wrote to memory of 2248	112	cmd.exe	102
PID 2124 wrote to memory of 4112	2124	executecracked (1).exe	104
PID 2124 wrote to memory of 4112	2124	executecracked (1).exe	104
PID 4112 wrote to memory of 1424	4112	cmd.exe	105
PID 4112 wrote to memory of 1424	4112	cmd.exe	105
PID 2124 wrote to memory of 2012	2124	executecracked (1).exe	107
PID 2124 wrote to memory of 2012	2124	executecracked (1).exe	107
PID 2012 wrote to memory of 2948	2012	cmd.exe	108
PID 2012 wrote to memory of 2948	2012	cmd.exe	108
PID 2124 wrote to memory of 4556	2124	executecracked (1).exe	110
PID 2124 wrote to memory of 4556	2124	executecracked (1).exe	110
PID 4556 wrote to memory of 4060	4556	cmd.exe	111
PID 4556 wrote to memory of 4060	4556	cmd.exe	111
PID 2124 wrote to memory of 4828	2124	executecracked (1).exe	113
PID 2124 wrote to memory of 4828	2124	executecracked (1).exe	113
PID 4828 wrote to memory of 2064	4828	cmd.exe	114
PID 4828 wrote to memory of 2064	4828	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\executecracked (1).exe
"C:\Users\Admin\AppData\Local\Temp\executecracked (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Restrictions /v HideMachine /t REG_DWORD /d 1 /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\system32\reg.exe
    reg add HKLM\SYSTEM\CurrentControlSet\Control\WMI\Restrictions /v HideMachine /t REG_DWORD /d 1 /F
    3⤵
    - Modifies registry key
    PID:2064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4076,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4328 /prefetch:8
1⤵
PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...