agenttesla | 74d59d15069a4a1e6f0c349651873f0b88dd303b8a60c7c86af3c3a8df02ec23

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-09-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Luxury Crypter_18.8.1.1_Cracked.exe
Size

8.4MB
MD5

07edd8c858453717b12394320db59f01
SHA1

4270f53f550adc6d2e6faa3e7a8a43bcce5aacb6
SHA256

74d59d15069a4a1e6f0c349651873f0b88dd303b8a60c7c86af3c3a8df02ec23
SHA512

2a91abd03d84cca78c8b2c79c207f59d59f7ff42a3ebc7617f0053eb4e4cd20674e5233b189f753a70c74e4a1628c5a5f32d6ce0a15ed1625c57f07a0cb60574
SSDEEP

196608:Lcw//95tuLGbGAOeqpowuu3+ukbeQn4vAWQHOL:Aw//FuL09OenO7kbebAr

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/2300-4-0x0000000006D70000-0x0000000006F82000-memory.dmp	family_agenttesla

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	Luxury Crypter_18.8.1.1_Cracked.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	Luxury Crypter_18.8.1.1_Cracked.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Luxury Crypter_18.8.1.1_Cracked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Luxury Crypter_18.8.1.1_Cracked.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Luxury Crypter_18.8.1.1_Cracked.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Luxury Crypter_18.8.1.1_Cracked.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "4"	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	Luxury Crypter_18.8.1.1_Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Luxury Crypter_18.8.1.1_Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Luxury Crypter_18.8.1.1_Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Luxury Crypter_18.8.1.1_Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	Luxury Crypter_18.8.1.1_Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Luxury Crypter_18.8.1.1_Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Luxury Crypter_18.8.1.1_Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Luxury Crypter_18.8.1.1_Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Luxury Crypter_18.8.1.1_Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	Luxury Crypter_18.8.1.1_Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Luxury Crypter_18.8.1.1_Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Luxury Crypter_18.8.1.1_Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Luxury Crypter_18.8.1.1_Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Luxury Crypter_18.8.1.1_Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	Luxury Crypter_18.8.1.1_Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	Luxury Crypter_18.8.1.1_Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Luxury Crypter_18.8.1.1_Cracked.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "3"	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	Luxury Crypter_18.8.1.1_Cracked.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Luxury Crypter_18.8.1.1_Cracked.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2300	Luxury Crypter_18.8.1.1_Cracked.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	Luxury Crypter_18.8.1.1_Cracked.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2300	Luxury Crypter_18.8.1.1_Cracked.exe
2300	Luxury Crypter_18.8.1.1_Cracked.exe
2300	Luxury Crypter_18.8.1.1_Cracked.exe
2300	Luxury Crypter_18.8.1.1_Cracked.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2596	2300	Luxury Crypter_18.8.1.1_Cracked.exe	33
PID 2300 wrote to memory of 2596	2300	Luxury Crypter_18.8.1.1_Cracked.exe	33
PID 2300 wrote to memory of 2596	2300	Luxury Crypter_18.8.1.1_Cracked.exe	33
PID 2300 wrote to memory of 2596	2300	Luxury Crypter_18.8.1.1_Cracked.exe	33
PID 2596 wrote to memory of 2484	2596	csc.exe	35
PID 2596 wrote to memory of 2484	2596	csc.exe	35
PID 2596 wrote to memory of 2484	2596	csc.exe	35
PID 2596 wrote to memory of 2484	2596	csc.exe	35
PID 2300 wrote to memory of 1264	2300	Luxury Crypter_18.8.1.1_Cracked.exe	36
PID 2300 wrote to memory of 1264	2300	Luxury Crypter_18.8.1.1_Cracked.exe	36
PID 2300 wrote to memory of 1264	2300	Luxury Crypter_18.8.1.1_Cracked.exe	36
PID 2300 wrote to memory of 1264	2300	Luxury Crypter_18.8.1.1_Cracked.exe	36

C:\Users\Admin\AppData\Local\Temp\Luxury Crypter_18.8.1.1_Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Luxury Crypter_18.8.1.1_Cracked.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c1m32qwa\c1m32qwa.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBE7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1F146D5734894F7EAFC5E4FED965024.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c ILMerge /target:winexe /out:C:\Users\Admin\AppData\Local\Temp\yZSM.exe C:\Users\Admin\AppData\Local\Temp\JmNeK C:\Users\Admin\AppData\Local\Temp\Luxury.dll /targetplatform:v4,C:\Windows\Microsoft.NET\Framework\v4.0.30319
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1264

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:1084

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JmNeK

Filesize
1.3MB

MD5
bea699f05f2015457e725ccd4f71af37

SHA1
647665acc1dbbd7271cf4555c64386b49b73cf66

SHA256
a15594c21272046a92ce0425f1dae1813896b3d0e7c768d4945f0e0e4b9083e1

SHA512
9eb9eed6a6404a665061c01fecd5aed33526f58d72c6138a970eafe96675cf0a779bbbba68a2e992c85980c2e7dc7c95365f2e6383d0813aa4eaa3ef5dc39368

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCBE7.tmp

Filesize
2KB

MD5
a1f49bae9a44d07203abc7fb86ca8b63

SHA1
47e358ece29720cba12b72dc679e41c9f61c99f6

SHA256
7233d998281af15c20cde7c3598290ff9cc33d3520260910723515f19832f3b7

SHA512
ae4206cc8d09af805ab50eda48eaf447a27f00ff549a8a92a35aee2151461df23d30bb57c0b69b9d326755b59ed7a9ea30b49a944bab90cc5f7a202096cb8709

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1F146D5734894F7EAFC5E4FED965024.TMP

Filesize
1KB

MD5
a77630e81777df615665f38201e6ba91

SHA1
55c7643a826301d662240c6a5047cf6249ce1d30

SHA256
84038274e443a29877dcd517a9978edf8089355ff63403d776471e342f841cc4

SHA512
7f57b0e96a1294a9b50a9b68c73524e961678973dcdf2e53ea99487c3e48328dfc490a03cff96c3277f5cd239eca6e7232a9d6b15d7091f9f212b2221b2558f6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\Luxury.dll

Filesize
177KB

MD5
d1bc71bce98aa4f7dcf4c59eae2b3307

SHA1
865723f5a2cbd475618cc0674d281c806f8eb9d4

SHA256
7bc49e595e3d5611c62a040fc6be5129c78e8db02a79e30a0261883d2c3c06a3

SHA512
6a48a2874db8ec0cd492fd59fa834a3456146cf08fb497ea2de8678467c07a110d45f8a8d469e568f1278e6280d310acbe75a339c2b5162b8a9d2618118414cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c1m32qwa\c1m32qwa.0.cs

Filesize
656KB

MD5
40b4c37898ab1e44ff7cae705308f164

SHA1
14807527712d0709d2c92e9efb168ab83a6d63e9

SHA256
ced8dea335faa8a156aecb0bae1c197890333e832c86b469541cd5f20011f03c

SHA512
3bc0eaa15dd7178777b42ecc01cebf747ba0e012221c5f68085a560edad5c10398dae09211a4af34728131a859dc3294e55e9b94259bd37dbb04774203301f33

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c1m32qwa\c1m32qwa.cmdline

Filesize
474B

MD5
bdb6742f335da40721fd3a6eb5aa8024

SHA1
2a796b9e7cda8b80dd49346ab49c3518d345923c

SHA256
a42806f907f5227017d44869321ace7e58af4a98a10feebbac97b613e71506fc

SHA512
84340736d5803780dad13f1575b208aaf73f22545d2d5df7eeeed9998db78168b6ce1d359fe2d12a0d91c8cd5b08f79a1a990df6a2e772a61a3a2006a94286f9

Download Submit
memory/2300-11-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/2300-14-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2300-8-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2300-9-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2300-0-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/2300-12-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2300-13-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2300-7-0x00000000075B0000-0x00000000075D6000-memory.dmp

Filesize
152KB

Download
memory/2300-15-0x000000000A640000-0x000000000A642000-memory.dmp

Filesize
8KB

Download
memory/2300-16-0x00000000080B0000-0x0000000008104000-memory.dmp

Filesize
336KB

Download
memory/2300-6-0x00000000011D0000-0x00000000011DA000-memory.dmp

Filesize
40KB

Download
memory/2300-5-0x0000000005460000-0x00000000054C2000-memory.dmp

Filesize
392KB

Download
memory/2300-4-0x0000000006D70000-0x0000000006F82000-memory.dmp

Filesize
2.1MB

Download
memory/2300-3-0x0000000006750000-0x0000000006D74000-memory.dmp

Filesize
6.1MB

Download
memory/2300-2-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2300-1-0x00000000002D0000-0x0000000000B40000-memory.dmp

Filesize
8.4MB

Download