Analysis

  • max time kernel
    71s
  • max time network
    73s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-11-2024 03:36

Errors

Reason
Machine shutdown

General

  • Target

    license key.exe

  • Size

    270KB

  • MD5

    dff38f5dfdeff1e73debef355c4ac13e

  • SHA1

    d9d8fbbde16aee63d22805d3a573de65f7486ef8

  • SHA256

    c57040c2af2735aed3f84dbe838f6e142ad80631f50811c0b265bf0a5e3af91d

  • SHA512

    6a7970027a7259fb244e4d79bbbfaeb3041508e25b24a40d1c6bef497ad412a6086463f343e84d9b6b32043f8752f99165aa56e5ca15a87a5c16cb04c549de94

  • SSDEEP

    3072:1KJZx3+tGqTsnACpvmEhgwqvJ+Bsl94FnUDhcYprbAMc:1KrxiyLvmWVXGl6VYpgMc

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\license key.exe
    "C:\Users\Admin\AppData\Local\Temp\license key.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\Product Key\sr60.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" "http://lnk.direct/wCG"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2800
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown -r -f -t 70 -c "Thank You"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2352
      • C:\Windows\SysWOW64\schtasks.exe
        SchTasks /Delete /TN "you to" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2776
      • C:\Windows\SysWOW64\schtasks.exe
        SchTasks /Delete /TN "sys" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:484
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:1252
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:2284

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Program Files (x86)\Product Key\sr60.bat

        Filesize

        186B

        MD5

        a237f4f7be96fdce95118fcf5d7fe080

        SHA1

        911c0e2a7261e0a1367bb5fc56a7d52ab0ee2098

        SHA256

        ce12798c00c5b667ece26470daba3fb0a0d85b7fd890b5fa4abcb7d097208a00

        SHA512

        18e95ff038b72e743606d499d58872b3a31822b275d1f9b8c8debbaa1cf9cb8200e1c996936d14574cec464b6b9db459c992ac2ecb4472f8e47b4d5f4421f4a0

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

        Filesize

        914B

        MD5

        e4a68ac854ac5242460afd72481b2a44

        SHA1

        df3c24f9bfd666761b268073fe06d1cc8d4f82a4

        SHA256

        cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

        SHA512

        5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

        Filesize

        1KB

        MD5

        a266bb7dcc38a562631361bbf61dd11b

        SHA1

        3b1efd3a66ea28b16697394703a72ca340a05bd5

        SHA256

        df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

        SHA512

        0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

        Filesize

        252B

        MD5

        80cd6f1e8bce5ce2876435fc2cad92bc

        SHA1

        c1a83bddc97078fdce4e5e4c287e6b437d42bae1

        SHA256

        98c869ee303dccf1cf141b0d7bd57a295eae699ed83757fcabec8df2be88d1e9

        SHA512

        f61decb1ff2b3e0be4b1b2d4e0b15853684a7c8460ad425062ee2b0453e94000c5b0518512339be269c87ba087bd6625931581281bbc40357fedd47b441f9657

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        2b7a1e2b1b8f612b7b80b32926f8b20a

        SHA1

        0939c2d0259f0688a41e28cebb682ef4246de8ce

        SHA256

        7e196ea5296ffcd5d3b9a0782dfc80cd06a39b0092019f2df3554227d04695e7

        SHA512

        db0761b6d5f762cdc9d3bab6a0e3f75c8e59572f597e9598c7990f5e798d9bf004ffe5757cf36a054a52cff80c6b8a6e1cbc07dc83520e6ab56eec9a7b7ed53d

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        205b0fea381b6e07ecea23800c0522d9

        SHA1

        68166de04513459557ab4bbb6158f392b556ea56

        SHA256

        5c3a805ab2fc2d8f456bdad6e7d0e89522a6ff88653fa0de029c7b27c66389f9

        SHA512

        dff96236a11479fc8f829adc469eb81806d9ce127a43e83581162a5babfa51ba32e46890eb44a9239eed59db07b1fea6e35478325782e6876b15f9eaeb2f915e

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        f087a7252acef527a68818f47fd62d06

        SHA1

        18f6962ea6c242c12459ece441ece29c34e3ca49

        SHA256

        538753c16144bf19a26cd9b50856010020059e056dde630e7f7139d3b903b8e9

        SHA512

        68be84735234eedb16534c2ccd2af425c048c647a917df640e4b48e960dee62cf84b6c1dde11788a061b6cc66069319e1f841413f06c429adb3e39f6224cc747

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        a6c68f9a707b642c13e57ad92629070c

        SHA1

        f9d149bf2b1de33439467935a208ffe91ea56866

        SHA256

        c985b406440153dd92a34ffeadc643dea0a1cb811b5e3aff294652a13c0f2205

        SHA512

        45f8b870cfc07992cd7e2e86b502805dded40f1d48709e27fbe657831fc383d56136befe5397698ed1b73ebb9b23b9e3dd5af62df1f316c9f59578d8bcca5ea7

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        b1c3b4439cf56b7c8b446af176d6754a

        SHA1

        98d026dbd5de8fe29f0d19643d3ee8165f6a1f14

        SHA256

        ffa690ddf29f482befbacd4d056f500ff0bad3d2e5fdc9170af37519a5a36944

        SHA512

        bfb4bc0b960e73ff1a9603d197aa0492402dd8c30015f84a22990b606feaef4b39e1b48b45701e1b9c04253d4e6e3cb1a7275c3bb520718960d2c01a8c35b9b6

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        feb155de6da4af109bd65417dd3af75e

        SHA1

        4a434c796b67c32b224625b8bfae3c408ff2dc10

        SHA256

        76164b634b376b3755f04d8ce5d20b059d6a4f7567344be6a05a6652a3b39824

        SHA512

        c26ccc2d6025b175e9dda0df34ab273146043307859cc082173b863c8d107bc6262d6a14b217fef83dd06679a5cdeec5f6f22d28443cad00ea0607e5cc48aa90

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        87176d118ffa50164c6703aa7041dbcc

        SHA1

        5d5f52aac6315f417e766caa574b9d1141bd0598

        SHA256

        9e59ecc3a3c0fa30b0f32cd1e43d6d7894e9c41b075a7d7d96df4871c08c8ea4

        SHA512

        54f4e2b2b6733e23ceacd8feff485894f6368b79e5a4b6ea0b3d4d4d6986183feccea4cab8f2778494614c316d6fc1bd3fca7227deb6455d4e2f787915c76908

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        ad4e5ec7077d25a73712676851b9c7c4

        SHA1

        d90613ec9531ffcfa6c4f18a1a7ceb8724b408df

        SHA256

        9d72433501c7b4bccdff68145132762642b3f2e895303e9fb8a43a6598ce585b

        SHA512

        7d9d1ee086f2121db5901dd5814b659bdc1cb919cce3cdb9fe238fcf2b5c56533d5dcd28642af27f92a8d0226f2df1a5390679a8fa8e746446f0726fa70b7e22

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        c3e317f120bc43bb99f11afe38b143ef

        SHA1

        4c5fedee2bea88928600b5eaa208ccf5ad59545b

        SHA256

        ff2a1327dd0d0e87667beffec8b922ad6dc4f4bf717dfeb57acec9dc81b74faf

        SHA512

        5d23a949b4edd3a10366e43fc0f76c5e4f2a492f96565e2931a67219b28cf1b6ab65e0fe5fabbd5ee05c908eab5dc5980eb80fef6aa0f4e20513a8cfb260754b

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        2b2d7d668f3e3e594f426c386c1f7cd7

        SHA1

        5f8b1cd4f549331b07e4e5046876f7f3a04f91e3

        SHA256

        c5624dfa844ecb9ceb4edd6c965431fc859a1a422cab6fc3c4e8bd59f32e6b96

        SHA512

        261a350a80c42ff64923798bcb5bde5a539327b940b5a90a2931dfe7ddc279c454c965ca53b4278f9d837d34d17e85d1d16626ce40a08596ba33218d56ad697d

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        071aaee5c9b4a568b970cdadda1caeee

        SHA1

        f6d24c9ef3d2cc4db81a25b4aed66808ea58b9c8

        SHA256

        959f4679360ce6f8240823686393e29b1c5d173796e769cfb661f346e053d962

        SHA512

        b41fdd39216eb85b13b4ba49ac03d16a21789fa145c937c046c9ffe829faad585216ee8de3b3be488c833a1da09fa48405896a85a9bb343c1a2a1e51b973b45e

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        64208b0181076de1f209d5c25dcd6000

        SHA1

        7c586c81cb7f68a1f2a5999eac4d6e2edb95861a

        SHA256

        65245d46db33566971075b490590a9bcdbaa9ae87ddc023ea6bf10924eb9a94c

        SHA512

        3ab292714b3051c2d08f1ba84ac15f6990eb94a465da719444e768f3656ff87aa0f81e469d44519e71bcf36d309e3592c4f9fbbead865d93d8253911d9db2513

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        1b534d46aa5fa328e283f88eba26dc05

        SHA1

        9e9aa4499c741b9a9317aa14a32a6cf8a9a214a4

        SHA256

        b620fee90eba853fe56510ea1fcf822c2ce7eb7e3fcd1b52ed1bdc025edf5703

        SHA512

        33be8e7db39ae1ceb3f916dbd38b2c349240f86706effb7c9768179b8da6377a9e06d6af2fc6a85443b3e5cdcd2b5aa1d99ac4cfb397e557570d09fe209f0fef

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        74cf90be856273486e51f966b15fcb86

        SHA1

        64cfac9da5eef959e8d65abaec7c6a47f716cc6a

        SHA256

        f7de3fda2bb64493b415c7e9a7d90b4d3bb8a25a88a0bb0e5393955dbe6442f6

        SHA512

        243198febacdf28a15f3bf4be63b85d49214b07f152be1b2892669c72e6d609daf385b438bf3d129ba4197748008c394f6cbe149046a471c90cdaba8889ae206

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        57703577df331c3a8db54e0331730354

        SHA1

        214fbb1548a4199532f1cb4cf423cbd55779f6a8

        SHA256

        13d8c0edc396819d6742b8b7ed8890ad8fd2fe7b5988ccb5eb785dfbd5251d77

        SHA512

        d991bae7ac2426d2aad3977a216647dca676d4ed2467b1466fd5727d9404605a2754b60dbc62b5089a80c259159f796ba9e637180582355ba339e2c04ef96410

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        7f03bbe1bdf2528873ec06ca448d10b1

        SHA1

        e666bed0fa6e87b3d91f10ce6b6a2c62459aab78

        SHA256

        3019c3a190537f51e5c3eda64baeed4ca14f957d37cf16a60e4db3271c863e72

        SHA512

        13c7957c79ec105dbddb98d0f2ff7560832f52eb23ca3ad30c233e6fcf09a91852d64e2983a77838f9cf52a18abba667171ac4dc82f36c4ccdeba335d0aefa0c

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        10b4ada081f3ecf10e4f5469563c13e1

        SHA1

        21162187c469359f9faa1791bae32cb279a8c753

        SHA256

        31553457e7381267d362e96d9fc5de8f069dadbd50737ec191c90e539ef509f8

        SHA512

        5bdc844a39104a5fa4170f5a6dc67b7037171d8837a7b2383c2dad1b66864c7c54e51f6c5f92da7c2aef4afcee7ec541470d2d8605c508b3409c0079ed567a91

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        c77c93535f64beb5f115e1977a05ee62

        SHA1

        efe59160b167a21aa17018f3068d772b1ba67b60

        SHA256

        6b36cd758c0feb7c2e99ab24edd3504b09937bf6a888004754cea0bcb056a6ce

        SHA512

        2435ff187cbb3ae9ceecc3ab2aa69565ce40b0e09e539c3f85f208b084eb983ddcaef2466f8aa5e0339b9b54c98945fcd30c57f319314fd77118283bdd8149fe

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        342B

        MD5

        94a2b47c2a35292faa589ec73a932b52

        SHA1

        624b8e7866456ab34766100576a56f98bd925e58

        SHA256

        48ccc1fc75bc19681b8b85834a0bee51ca10328f61342ed329f18f5d3713f850

        SHA512

        2268a5c5208b4e0c53b2395df98c4951613a2948281d118ca6b4a49e6281b3e6a670cc16448dac182b14763620ff2503d1f95a3132362c61cea714ac6d99d3a3

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

        Filesize

        242B

        MD5

        bc8a588fba640c292c2f2581b85fd7be

        SHA1

        d2433bff6dadc76f64acef8361f667b215d79e77

        SHA256

        96de57b3469fa1f8fe9785ce66cf894d31b08be372cc5fbf5d24215984643498

        SHA512

        d215c418a78669dd9f578c79c84ed86dd956370866e4aa4fdbd2b651b98bb191f3d8cc97b83a448eb566e34542bdb0d14d9ac4d6ad8ab78ed9d513ad17d97823

      • C:\Users\Admin\AppData\Local\Temp\CabFE6E.tmp

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\Local\Temp\TarFE6F.tmp

        Filesize

        181KB

        MD5

        4ea6026cf93ec6338144661bf1202cd1

        SHA1

        a1dec9044f750ad887935a01430bf49322fbdcb7

        SHA256

        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

        SHA512

        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      • memory/540-52-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB