Analysis

  • max time kernel
    91s
  • max time network
    71s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    17/11/2024, 15:12

General

  • Target

    crak/KeyAuthEmulator.exe

  • Size

    135KB

  • MD5

    cf78d5995312872c075ae9772a14a5a2

  • SHA1

    1de6c53b6acad6140567693f0fff7379826477a5

  • SHA256

    71fede3d07f8b24d08e15748abcd95abcfe48e21a5a71f0c96d6bf752c12252c

  • SHA512

    d4ca332800195a3a1c0dbe7c1669d91e23f5ad68c491589c8168b0040114fb761672778c39f092e8909133a1027e25e836f3951e17cffbc20e5fe5e271b0d845

  • SSDEEP

    3072:WjK4UGDHXrQ8hy7qgpHulWD9ZvZ5Pf3Ca10xuZ04ntfOCFhBuO:WjK4TDUqgpqWDLZ5H+xuZ04RFhA

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables taskbar notifications via registry modification
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\crak\KeyAuthEmulator.exe
    "C:\Users\Admin\AppData\Local\Temp\crak\KeyAuthEmulator.exe"
    1⤵
      PID:4612
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4552
      • C:\Users\Admin\AppData\Local\Temp\Loader.exe
        "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
        1⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Event Triggered Execution: Image File Execution Options Injection
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:772

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/772-0-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

              Filesize

              4KB

            • memory/772-1-0x0000000000C90000-0x0000000000D8C000-memory.dmp

              Filesize

              1008KB

            • memory/772-2-0x0000000007CD0000-0x0000000007E56000-memory.dmp

              Filesize

              1.5MB

            • memory/772-3-0x000000000B550000-0x000000000BAF6000-memory.dmp

              Filesize

              5.6MB

            • memory/772-4-0x0000000074D50000-0x0000000075501000-memory.dmp

              Filesize

              7.7MB

            • memory/772-5-0x000000000B120000-0x000000000B1B2000-memory.dmp

              Filesize

              584KB

            • memory/772-6-0x00000000017B0000-0x00000000017C2000-memory.dmp

              Filesize

              72KB

            • memory/772-7-0x0000000005820000-0x000000000582A000-memory.dmp

              Filesize

              40KB

            • memory/772-8-0x0000000074D50000-0x0000000075501000-memory.dmp

              Filesize

              7.7MB

            • memory/772-9-0x00000000095C0000-0x0000000009672000-memory.dmp

              Filesize

              712KB

            • memory/772-10-0x0000000009980000-0x00000000099A2000-memory.dmp

              Filesize

              136KB

            • memory/772-11-0x00000000099B0000-0x0000000009D07000-memory.dmp

              Filesize

              3.3MB

            • memory/772-13-0x0000000009D70000-0x0000000009DAC000-memory.dmp

              Filesize

              240KB

            • memory/772-14-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

              Filesize

              4KB

            • memory/772-15-0x0000000074D50000-0x0000000075501000-memory.dmp

              Filesize

              7.7MB

            • memory/772-16-0x0000000074D50000-0x0000000075501000-memory.dmp

              Filesize

              7.7MB

            • memory/772-18-0x000000000A820000-0x000000000AA34000-memory.dmp

              Filesize

              2.1MB

            • memory/772-19-0x0000000074D50000-0x0000000075501000-memory.dmp

              Filesize

              7.7MB

            • memory/772-20-0x0000000074D50000-0x0000000075501000-memory.dmp

              Filesize

              7.7MB

            • memory/772-21-0x0000000074D50000-0x0000000075501000-memory.dmp

              Filesize

              7.7MB

            • memory/772-22-0x0000000074D50000-0x0000000075501000-memory.dmp

              Filesize

              7.7MB