596db0b26451c60e2e618dd98f126e3932e238baa0432867203f83df27debd03

General

Target

r7flexpatcher.exe
Size

41KB
MD5

211679d0bf22b11671c9c8278072400f
SHA1

46767069ff081ae73fda2217a63b7b4f0c91e64a
SHA256

56c6f8cabe41895e7793fa4bd9936ea424e2e63459571f717a8d66cb808cdd96
SHA512

8e16bc0e1153996e56704ffae2c611ee43aa591fdcdad0c5bbca41cda41b19fe3c0e4ea720a19fe6bca6545c32622d9eabf9d618f96f2601e74d6e916cd3fa48
SSDEEP

768:eKk1kCV2sBbH4vVuLG544uB/RUNeM9bKqpmzCHNV:ulWw+44uB69bhmAV

Score

5^/10

defense_evasion privilege_escalation

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

r7flexcrack.exe

pid process

2908 r7flexcrack.exe
2908 r7flexcrack.exe
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
defense_evasion privilege_escalation

Create Process with Token
T1134.002

Processes:

r7flexcrack.exe

pid process

2908 r7flexcrack.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

r7flexpatcher.exer7flexcrack.exe

pid process

2400 r7flexpatcher.exe
2908 r7flexcrack.exe

pid	process
2908	r7flexcrack.exe
2908	r7flexcrack.exe

pid	process
2908	r7flexcrack.exe

pid	process
2400	r7flexpatcher.exe
2908	r7flexcrack.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

r7flexpatcher.exe

description	pid	process
Token: SeDebugPrivilege	2400	r7flexpatcher.exe
Token: SeLoadDriverPrivilege	2400	r7flexpatcher.exe
Token: SeCreateGlobalPrivilege	2400	r7flexpatcher.exe
Token: SeLockMemoryPrivilege	2400	r7flexpatcher.exe
Token: 33	2400	r7flexpatcher.exe
Token: SeSecurityPrivilege	2400	r7flexpatcher.exe
Token: SeTakeOwnershipPrivilege	2400	r7flexpatcher.exe
Token: SeManageVolumePrivilege	2400	r7flexpatcher.exe
Token: SeBackupPrivilege	2400	r7flexpatcher.exe
Token: SeCreatePagefilePrivilege	2400	r7flexpatcher.exe
Token: SeShutdownPrivilege	2400	r7flexpatcher.exe
Token: SeRestorePrivilege	2400	r7flexpatcher.exe
Token: 33	2400	r7flexpatcher.exe
Token: SeIncBasePriorityPrivilege	2400	r7flexpatcher.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

r7flexpatcher.exer7flexcrack.execmd.exe

description	pid	process	target process
PID 2400 wrote to memory of 2908	2400	r7flexpatcher.exe	r7flexcrack.exe
PID 2400 wrote to memory of 2908	2400	r7flexpatcher.exe	r7flexcrack.exe
PID 2400 wrote to memory of 2908	2400	r7flexpatcher.exe	r7flexcrack.exe
PID 2400 wrote to memory of 2908	2400	r7flexpatcher.exe	r7flexcrack.exe
PID 2400 wrote to memory of 2908	2400	r7flexpatcher.exe	r7flexcrack.exe
PID 2400 wrote to memory of 2908	2400	r7flexpatcher.exe	r7flexcrack.exe
PID 2908 wrote to memory of 2928	2908	r7flexcrack.exe	cmd.exe
PID 2908 wrote to memory of 2928	2908	r7flexcrack.exe	cmd.exe
PID 2908 wrote to memory of 2928	2908	r7flexcrack.exe	cmd.exe
PID 2908 wrote to memory of 2808	2908	r7flexcrack.exe	cmd.exe
PID 2908 wrote to memory of 2808	2908	r7flexcrack.exe	cmd.exe
PID 2908 wrote to memory of 2808	2908	r7flexcrack.exe	cmd.exe
PID 2908 wrote to memory of 1448	2908	r7flexcrack.exe	cmd.exe
PID 2908 wrote to memory of 1448	2908	r7flexcrack.exe	cmd.exe
PID 2908 wrote to memory of 1448	2908	r7flexcrack.exe	cmd.exe
PID 1448 wrote to memory of 2764	1448	cmd.exe	certutil.exe
PID 1448 wrote to memory of 2764	1448	cmd.exe	certutil.exe
PID 1448 wrote to memory of 2764	1448	cmd.exe	certutil.exe
PID 1448 wrote to memory of 2800	1448	cmd.exe	find.exe
PID 1448 wrote to memory of 2800	1448	cmd.exe	find.exe
PID 1448 wrote to memory of 2800	1448	cmd.exe	find.exe
PID 1448 wrote to memory of 2672	1448	cmd.exe	find.exe
PID 1448 wrote to memory of 2672	1448	cmd.exe	find.exe
PID 1448 wrote to memory of 2672	1448	cmd.exe	find.exe
PID 2908 wrote to memory of 2700	2908	r7flexcrack.exe	WerFault.exe
PID 2908 wrote to memory of 2700	2908	r7flexcrack.exe	WerFault.exe
PID 2908 wrote to memory of 2700	2908	r7flexcrack.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\r7flexpatcher.exe
"C:\Users\Admin\AppData\Local\Temp\r7flexpatcher.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\r7flexcrack.exe
  "C:\Users\Admin\AppData\Local\Temp\r7flexcrack.exe" runas
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Access Token Manipulation: Create Process with Token
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\r7flexcrack.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\r7flexcrack.exe" MD5
      4⤵
      PID:2764
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:2800
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:2672
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2908 -s 560
    3⤵
    PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

1

T1134

Create Process with Token

1

T1134.002

Defense Evasion

Access Token Manipulation

1

T1134

Create Process with Token

1

T1134.002

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cheat Engine\{A1AA8D76-79BC-4800-B07B-01C933085165}\Addresses.TMP

Filesize
31B

MD5
b921c2e17824ffc45aa8bb56cb2d4be2

SHA1
95bc4a300e8c41961596f0f855ef4f7f197004b5

SHA256
f6eeb225b81582b59ed25c45390136eae740d9449278a21ec939fd0e7b039e08

SHA512
38cd07b5906753756f568810027f025f823c9c49ac44e75a4b8a632619e40f7a3e8809808becbcf015df530a2d3e99aa0663d91e4b0f632681e257959dd4baff

Download Submit
memory/2908-0-0x0000000077BB0000-0x0000000077BB2000-memory.dmp

Filesize
8KB

Download
memory/2908-2-0x0000000077BB0000-0x0000000077BB2000-memory.dmp

Filesize
8KB

Download
memory/2908-4-0x0000000077BB0000-0x0000000077BB2000-memory.dmp

Filesize
8KB

Download
memory/2908-5-0x0000000077BE0000-0x0000000077BE2000-memory.dmp

Filesize
8KB

Download
memory/2908-7-0x0000000077BE0000-0x0000000077BE2000-memory.dmp

Filesize
8KB

Download
memory/2908-9-0x0000000077BE0000-0x0000000077BE2000-memory.dmp

Filesize
8KB

Download
memory/2908-12-0x000000013F0B0000-0x000000014291A000-memory.dmp

Filesize
56.4MB

Download

Analysis

Sharing