3a6b7d6a34b1805b024f95fdcdc8fc13cc80ce13958b8ba913791963d346d1c4

Analysis

max time kernel
41s
max time network
36s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-11-2024 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RazDva cracked.exe
Size

32.8MB
MD5

fb56d088113ea58e5f40469287356245
SHA1

27332eb7c906ce2782d551c9e61c97710aa962a6
SHA256

df47c1f0868c73e0fad25c9b84eeebeb8ee105b4cfed7d38fabbabcb08cd3557
SHA512

a22102d201f06789d2b796ad6e3745f7c090ef69f04bbc639fc242b3e86c2180a2fb13a14b07cff846905b9a894c9207986159bd508301f626d11661bed54bc0
SSDEEP

393216:uQx7oo/fgwxFhVMcq9yG1CPwDv3uFhwwz/1rU2lvzCDOEmXbZduSsAR:u7O9z/xbZsSs

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 13 IoCs

Processes:

RazDva cracked.exe

pid	process
4696	RazDva cracked.exe
4696	RazDva cracked.exe
4696	RazDva cracked.exe
4696	RazDva cracked.exe
4696	RazDva cracked.exe
4696	RazDva cracked.exe
4696	RazDva cracked.exe
4696	RazDva cracked.exe
4696	RazDva cracked.exe
4696	RazDva cracked.exe
4696	RazDva cracked.exe
4696	RazDva cracked.exe
4696	RazDva cracked.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

14 pastebin.com
16 pastebin.com
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

wmic.exe

pid process

3244 wmic.exe
3244 wmic.exe
3244 wmic.exe
3244 wmic.exe

flow	ioc
14	pastebin.com
16	pastebin.com

pid	process
3244	wmic.exe
3244	wmic.exe
3244	wmic.exe
3244	wmic.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

wmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3244	wmic.exe
Token: SeSecurityPrivilege	3244	wmic.exe
Token: SeTakeOwnershipPrivilege	3244	wmic.exe
Token: SeLoadDriverPrivilege	3244	wmic.exe
Token: SeSystemProfilePrivilege	3244	wmic.exe
Token: SeSystemtimePrivilege	3244	wmic.exe
Token: SeProfSingleProcessPrivilege	3244	wmic.exe
Token: SeIncBasePriorityPrivilege	3244	wmic.exe
Token: SeCreatePagefilePrivilege	3244	wmic.exe
Token: SeBackupPrivilege	3244	wmic.exe
Token: SeRestorePrivilege	3244	wmic.exe
Token: SeShutdownPrivilege	3244	wmic.exe
Token: SeDebugPrivilege	3244	wmic.exe
Token: SeSystemEnvironmentPrivilege	3244	wmic.exe
Token: SeRemoteShutdownPrivilege	3244	wmic.exe
Token: SeUndockPrivilege	3244	wmic.exe
Token: SeManageVolumePrivilege	3244	wmic.exe
Token: 33	3244	wmic.exe
Token: 34	3244	wmic.exe
Token: 35	3244	wmic.exe
Token: 36	3244	wmic.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

RazDva cracked.exe

description	pid	process	target process
PID 4696 wrote to memory of 3244	4696	RazDva cracked.exe	wmic.exe
PID 4696 wrote to memory of 3244	4696	RazDva cracked.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\RazDva cracked.exe
"C:\Users\Admin\AppData\Local\Temp\RazDva cracked.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\System32\Wbem\wmic.exe
  wmic context
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\evbC729.tmp

Filesize
1KB

MD5
01516bb0c55531b03c685bd5a9ae9b50

SHA1
57b6a0979bf7ef2603ea83b649ad9534fea6735d

SHA256
5c5ec6441d083ea482aa4571ec6b77e0201114817ccc5c3fabd45865b2fd09ca

SHA512
3c21dab3a2a6a19010a60a6f4776accd07d62e3160cc5a11ab108d1c5f68937ca0a4893103b28cf6941dd509f716621c19a2158f251246cefbfc5f37f012de1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbC8D0.tmp

Filesize
1KB

MD5
b24e1a4e95ef8cd7522899420063b1f3

SHA1
ae1586aba28b089fa62edb4f607039e79137559e

SHA256
65a87347e5c4f633f542ac66a3e3c1a220666523aa4aa13d4dd0842595b47711

SHA512
b128b8161e9024dfe40ad22482957ece534dd97264a99965d6621b72d25b934bb49e7f78fa1b4c7077aa2d36efd2e05e3f6b57b1968857d857a087cf2c1e1ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbC900.tmp

Filesize
1KB

MD5
8125213434a7fa4365ece498c0cbb0d0

SHA1
ecd681da190b037f40c45f41cc1a45a27ef88a9f

SHA256
da8e1584e52135fbe21409fbe151cc07ef809fd355165789005518141cabaef1

SHA512
8920512167338b24d0f0204548023408bbefc8ed3b14770b86f0950c7a8d824712e71574bd79500f3fd9aace152dd52e813f5fec483825adb4aece2320a8fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbC911.tmp

Filesize
1KB

MD5
306bcd01c56a9f1d113558976005e36e

SHA1
4ab14a010b7431714bd0ca6a3f4697e94244bcd8

SHA256
2f2d8739e9a2f2820467c3ddab6aef1ffb202e10b799a7beac80d96e1825c196

SHA512
41be5f0ded36827e65f04ab649e2888b12136f8961e409e9b1d5be2155136135575e45c53e34908d47ad0d23cebddedc4cb87a28da0fde0f0eefb1ed8f98b93a

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbC96F.tmp

Filesize
1KB

MD5
4f07c2730e386198993706e584ae13bb

SHA1
baa5a3d2b4a7e64e64d16a747479f50f82794769

SHA256
160039ee2a3c99537aac9c7fa4bfca15992b4cd7320fd4c0923c4320e1c0854d

SHA512
5cd98ea6d5c287bf8881e987837f2d5582c946a95cf7b567bae162f3149c2111c941344c9d65372c8c538624cf2d18f3105747b7bb87d8b55fedcf9d8b27fe67

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbC980.tmp

Filesize
1KB

MD5
f1896ef7aee144783b7373b1fbfe84dc

SHA1
d44cb7ea88565c2b52da4cca341ec46a883f145b

SHA256
d77dfc7484173d988f89e6019813471677d720d03cf9ebc874d298a85a5db9a1

SHA512
5c769a17833fea3c15355a3425a50d8233eecb630f77bb08ede736bb354cd5ababefa3562f1a4123d10773526f5c9937d4f350d4c6be65ff314c20c4bfdc662d

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbC991.tmp

Filesize
1KB

MD5
cc65884232212f2c3f3614c5d9eda3d9

SHA1
2c6070d18879af7afd02f257937cdfb34f7d95ef

SHA256
8ec8f8de6f0790a0175e8bf7492a44789db0d04605939858ed2fb9a6100b6063

SHA512
95824fbc64b6e73be5465509751a69fceca108a785228726daef59a624d2c2b1b1a0d508732fc038ea87362d0de885b0e6c5c448fb6dc54107d79ef4d3c2291e

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbCA5D.tmp

Filesize
1KB

MD5
1e12bf3399c40eda4ae11a7f6add7cae

SHA1
85d59bfef68a352ced14ed9ddadfad94a109a916

SHA256
30f047d878b133e21d8f3d4f7afb697d2424a3fb925c62027d7c683c5a3918e6

SHA512
a6498914ed1fb7961a0f775b7f1d4b1c5beabbe2115bb1df7fdd8ce7b2868f8ccb0ed92688d704c46d3371bc6d19dc9b0442cbc1772a9bfd0dd856d229a4bb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbCA7D.tmp

Filesize
1KB

MD5
073de173d28dcc84d3078365eebe868f

SHA1
71d29f7ad67d5376445583d4990617335568c7cb

SHA256
6c3b3e438d52092093db739ab1b5eedb4e6f8daa768f07ef9c6c1aa2c030e2a9

SHA512
6119d1f1ad2870635570029711b5e68b4403e4bad039d68ae5f8a8174b7f9764d70399c14854f9566c3b6e83debd75ed746920dc7b4cfafbc7313f6f169e0b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbCACC.tmp

Filesize
1KB

MD5
493495b594ec4f632df45ecc82f3ee85

SHA1
0f7425707cfe33d2188c2c8a7631ec14c7c4b546

SHA256
f47e0c322b9332d81344b4fea298e34e9f94ccefaf234fedb3b7a0d8cde222ca

SHA512
38aa4340a5acdbc02fc6bde8aef7b1579a5659c74b44041cfb9e75af082078168517146743bd071ef22a6f222f56474b0e7960f94a018a903147f7c678791e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbCADD.tmp

Filesize
1KB

MD5
4b2f6dea46202a81b8026d1130a767c7

SHA1
9ad50a3fddda4a694ed287338c5670e0f28a2a55

SHA256
01dd7cade5ba3683a79d1eb10642982d7112f88b6fbbb3b771909fd9dc67a997

SHA512
34813cb21627b764b1a8cbe43378c77ab4358f610c81bfdf16f3049f46185464d1b202655694f1b259ffb90dd9d9581a700dc360d2db1352d79675be0231dbb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbCB2C.tmp

Filesize
1KB

MD5
6afb259e5fbc9f83e5311e58a08459f3

SHA1
220d80d55f8b98fe820be842d006b4bc4c4582f4

SHA256
a562159c5701ed8f7dd55a4c90d25ecb35e63727360752359ac45075d9a57208

SHA512
f4f5c4c9f2cacb1bc46d93db8c3cdd489992f23cdf944241546dbbea8764695a6af13c42d2b20d3fe2fabab6be3f90e5f128c8532da600873ef7bb8602a25129

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbCB5C.tmp

Filesize
1KB

MD5
c4cdf664be7ad4aca3d83fc5d121d2f8

SHA1
852cbce51eeb843d9875602d980bb33aaf55c54c

SHA256
0d3b01d19045712a6c41e272f1973ec4fea54118a289653ed51bcacfdecb4ce5

SHA512
62617d3306677d03dba7b9f47d944a5d30ef83231b3db173b58cd15689ad64de91407f2364849d2f2de7aa9fc38c26c43c4344f9496ea2e518c4ec49565a8430

Download Submit
memory/4696-79-0x00000000053C0000-0x00000000053D8000-memory.dmp

Filesize
96KB

Download
memory/4696-57-0x0000000003FE0000-0x0000000003FF6000-memory.dmp

Filesize
88KB

Download
memory/4696-31-0x0000000003BB0000-0x0000000003BD7000-memory.dmp

Filesize
156KB

Download
memory/4696-20-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-35-0x0000000003BE0000-0x0000000003F28000-memory.dmp

Filesize
3.3MB

Download
memory/4696-61-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-66-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-68-0x0000000003BB0000-0x0000000003BD7000-memory.dmp

Filesize
156KB

Download
memory/4696-73-0x00000000051F0000-0x0000000005203000-memory.dmp

Filesize
76KB

Download
memory/4696-19-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-87-0x00000000053F0000-0x000000000541A000-memory.dmp

Filesize
168KB

Download
memory/4696-16-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-93-0x0000000005530000-0x0000000005644000-memory.dmp

Filesize
1.1MB

Download
memory/4696-91-0x0000000005530000-0x0000000005644000-memory.dmp

Filesize
1.1MB

Download
memory/4696-4-0x0000000180000000-0x000000018046C000-memory.dmp

Filesize
4.4MB

Download
memory/4696-85-0x00000000053F0000-0x000000000541A000-memory.dmp

Filesize
168KB

Download
memory/4696-15-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-81-0x00000000053C0000-0x00000000053D8000-memory.dmp

Filesize
96KB

Download
memory/4696-0-0x0000000140000000-0x00000001400A5000-memory.dmp

Filesize
660KB

Download
memory/4696-11-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-71-0x00000000051F0000-0x0000000005203000-memory.dmp

Filesize
76KB

Download
memory/4696-12-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-67-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-65-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-13-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-63-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-59-0x0000000003FE0000-0x0000000003FF6000-memory.dmp

Filesize
88KB

Download
memory/4696-28-0x0000000003BB0000-0x0000000003BD7000-memory.dmp

Filesize
156KB

Download
memory/4696-14-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-51-0x0000000003F30000-0x0000000003FDC000-memory.dmp

Filesize
688KB

Download
memory/4696-46-0x0000000003F30000-0x0000000003FDC000-memory.dmp

Filesize
688KB

Download
memory/4696-10-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-40-0x0000000003BE0000-0x0000000003F28000-memory.dmp

Filesize
3.3MB

Download
memory/4696-9-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-25-0x0000000000670000-0x000000000067F000-memory.dmp

Filesize
60KB

Download
memory/4696-97-0x0000000003BE0000-0x0000000003F28000-memory.dmp

Filesize
3.3MB

Download
memory/4696-1-0x00007FFDADE2D000-0x00007FFDADE2E000-memory.dmp

Filesize
4KB

Download
memory/4696-98-0x0000000003F30000-0x0000000003FDC000-memory.dmp

Filesize
688KB

Download
memory/4696-23-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-105-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-104-0x00000000056A0000-0x00000000056A8000-memory.dmp

Filesize
32KB

Download
memory/4696-106-0x0000000180000000-0x000000018046C000-memory.dmp

Filesize
4.4MB

Download
memory/4696-103-0x0000000005530000-0x0000000005644000-memory.dmp

Filesize
1.1MB

Download
memory/4696-102-0x00000000053F0000-0x000000000541A000-memory.dmp

Filesize
168KB

Download
memory/4696-101-0x00000000053C0000-0x00000000053D8000-memory.dmp

Filesize
96KB

Download
memory/4696-100-0x0000000005260000-0x0000000005269000-memory.dmp

Filesize
36KB

Download
memory/4696-99-0x0000000003FE0000-0x0000000003FF6000-memory.dmp

Filesize
88KB

Download
memory/4696-22-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-18-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-17-0x00007FFDADD90000-0x00007FFDADF88000-memory.dmp

Filesize
2.0MB

Download
memory/4696-108-0x00000000051F0000-0x0000000005203000-memory.dmp

Filesize
76KB

Download
memory/4696-107-0x0000000004080000-0x000000000408A000-memory.dmp

Filesize
40KB

Download
memory/4696-109-0x0000000140000000-0x00000001400A5000-memory.dmp

Filesize
660KB

Download
memory/4696-112-0x0000000003BB0000-0x0000000003BD7000-memory.dmp

Filesize
156KB

Download