Analysis
-
max time kernel
150s -
max time network
314s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
04-12-2024 12:03
General
-
Target
xxSMTPxx/Private Cracker/xxSMTPxx.exe
-
Size
4.6MB
-
MD5
9088655d2558fc34338e8b06e98cd403
-
SHA1
cfeb0f3d288ead6c9fd0aaa4e05dd53127696c22
-
SHA256
3e44ce378be97fc687a392f97abfe6ee0f9e4b1c15d88347668d7c384f7024ac
-
SHA512
49a8cccf8a8801c946fba88a0e6a68f19443dc5e5e01f9d0d09e6bc9cf9bc41932c939e975d63167adb6e73b62f2235fe3dd07dafbb6220467427eacede268a0
-
SSDEEP
98304:il9Goe+rmZQHPN6zkioyxx8zhSGw0g61nWYK6wgPI3:ils9+ro+N9DSTmnWYK6wYI
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 2 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\xxSMTPxx\Private Cracker\xxSMTPxx.exe"C:\Users\Admin\AppData\Local\Temp\xxSMTPxx\Private Cracker\xxSMTPxx.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypt.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypt.exe2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypt.exe" -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AXIMTR~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AXIMTR~1.EXE2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
4.4MB
MD5b2d1a96a8acfb533024134a5c4a00415
SHA192b344a2fbba4fa4ab867dbaeba3c665049b58c0
SHA2563302d8e800fd5eedff91f8bd33ec2d2eec39a15a8e6ab6fa66d5e6ca9579a94c
SHA512d6b5983fbfc020c1682a553ba7bb661bcc5f0a66a2357922a5e41b82db3a8eb1499abaa0bae759a52bef70697da35f2ae4b3274f5ce50a1264c6d17072e5a2ad
-
Filesize
5.9MB
MD5ce884d815d7f0ae4aacdeea75d719bd4
SHA18b4909fa0a3a6165939828efcd32cf710100c2f2
SHA256f4b08e6a81b7ff4d6517ce9b0facd78857ff41f4e6a1ef725616cb5341522f82
SHA512f8ec9ba7430b57f9792b434878f1f85ec8c2fb28b0f0ea0e6eed0c35419e6ec3332b86802c4b0c2efd8007b03d0caa20c6d1bf49532932a6659edea7b5d6ad56
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
116KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
760KB
-
Filesize
208KB
-
Filesize
2.8MB
-
Filesize
1.3MB
-
Filesize
688KB
-
Filesize
172KB
-
Filesize
1.6MB
-
Filesize
384KB
-
Filesize
7.2MB
-
Filesize
628KB
-
Filesize
72KB
-
Filesize
192KB
-
Filesize
996KB
-
Filesize
1.3MB
-
Filesize
1.7MB
-
Filesize
204KB
-
Filesize
968KB
-
Filesize
3.4MB
-
Filesize
688KB
-
Filesize
52KB
-
Filesize
1.1MB
-
Filesize
140KB
-
Filesize
40KB
-
Filesize
424KB
-
Filesize
1.9MB
-
Filesize
1.2MB
-
Filesize
428KB
-
Filesize
820KB
-
Filesize
816KB
-
Filesize
116KB
-
Filesize
92KB
-
Filesize
32KB
-
Filesize
632KB
-
Filesize
524KB
-
Filesize
72KB
-
Filesize
692KB
-
Filesize
176KB
-
Filesize
7.6MB
-
Filesize
176KB
-
Filesize
3.3MB
-
Filesize
620KB
-
Filesize
632KB
-
Filesize
1.0MB
-
Filesize
136KB
-
Filesize
1024KB
-
Filesize
1.2MB
-
Filesize
1.7MB
-
Filesize
236KB
-
Filesize
2.6MB
-
Filesize
156KB
-
Filesize
340KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB