Analysis

  • max time kernel
    24s
  • max time network
    26s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    23-01-2025 15:20

General

  • Target

    CrackLauncher.exe

  • Size

    17.5MB

  • MD5

    186878f03c828104ae806baba96aeb97

  • SHA1

    1913e0299b2fc42f275b13cac435b78e3b6f37df

  • SHA256

    55268aba21741e673432fd0008b19725a32191a14212cff94440a2df4e0f92fe

  • SHA512

    b9e4c4109ea9386d394d72e6dfcf3d4a020ba2591844dfe114482e50d72613e6c7b32ec2c40606bc63c9185d8728c115587897ddb3379bc09cdf4b5ec8737ad8

  • SSDEEP

    393216:aquA/JFQOEKdqGdVgT7uOPXtWV0HVvvoP7cI/NG1CMkCCk3BrS:apMKOEKd9dK7uOPXtW8otAwMkCCuB2

Malware Config

Extracted

Family

xworm

C2

Ymniiz-29322.portmap.host:29322

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Njrat family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4492
    • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
      "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Users\Admin\AppData\Local\Temp\ego xworm.exe
        "C:\Users\Admin\AppData\Local\Temp\ego xworm.exe"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1172
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ego xworm.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2464
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ego xworm.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3716
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1248
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:1328
      • C:\Users\Admin\AppData\Local\Temp\ego SheetRat.exe
        "C:\Users\Admin\AppData\Local\Temp\ego SheetRat.exe"
        3⤵
        • Executes dropped EXE
        PID:4168
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\AppData\Local\Temp\Bunifu.Licensing.dll"
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4516
      • C:\Windows\SysWOW64\unregmp2.exe
        "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3172
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
          4⤵
          • Enumerates connected drives
          PID:664
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 2476
        3⤵
        • Program crash
        PID:1796
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:4816
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x3e8 0x328
    1⤵
    PID:4148
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4516 -ip 4516
    1⤵
    PID:4460

Network

MITRE ATT&CK Enterprise v15


Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        3eb3833f769dd890afc295b977eab4b4

        SHA1

        e857649b037939602c72ad003e5d3698695f436f

        SHA256

        c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

        SHA512

        c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

      • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

        Filesize

        64KB

        MD5

        987a07b978cfe12e4ce45e513ef86619

        SHA1

        22eec9a9b2e83ad33bedc59e3205f86590b7d40c

        SHA256

        f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

        SHA512

        39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

      • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

        Filesize

        1024KB

        MD5

        4ca724f569e5f125e3abdc52c9f35889

        SHA1

        1d9636c067fe66ddb339bb546ec6fc7ae2284c2d

        SHA256

        80a48a6d25d4821d603b94a915ffd1835d952f780826b1c5237b15c4bec676dc

        SHA512

        f92d65d8a35d8a11c7cdddb38894ce243925d3a46715de856284e8d6554bd6a44f3e0c40be17981fd0e6a27eba6e460fca4cf55e8360711f5de998c65229f4af

      • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

        Filesize

        498B

        MD5

        90be2701c8112bebc6bd58a7de19846e

        SHA1

        a95be407036982392e2e684fb9ff6602ecad6f1e

        SHA256

        644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

        SHA512

        d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

      • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

        Filesize

        9KB

        MD5

        5433eab10c6b5c6d55b7cbd302426a39

        SHA1

        c5b1604b3350dab290d081eecd5389a895c58de5

        SHA256

        23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

        SHA512

        207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

      • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

        Filesize

        9KB

        MD5

        7050d5ae8acfbe560fa11073fef8185d

        SHA1

        5bc38e77ff06785fe0aec5a345c4ccd15752560e

        SHA256

        cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

        SHA512

        a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        c67441dfa09f61bca500bb43407c56b8

        SHA1

        5a56cf7cbeb48c109e2128c31b681fac3959157b

        SHA256

        63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

        SHA512

        325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        2462b6c9c8b21edcc2279068b42e38ac

        SHA1

        850bd43acde0f6f91dccdf5dcf04e4ab7eec24e3

        SHA256

        6b295ac5010015b7e869fd817f59ae9dd3dce785231cf53be9f95defc9afb37c

        SHA512

        fe9347d98c4dbe0ea518ecd6968ba7b4282ce005a1792dd7f9945b785b249034f7969ae8743984d5fba39676a1632e28225ab41ab7124c16f8c15fc03fa140f4

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        cfefc9e2ab078dc947fa55737ca3d57b

        SHA1

        5b05e50c1385b0d58353714a43abb3971e1c6fd4

        SHA256

        32fbc13021985664e2c4bcafbbd7c0e3a3e11eaa956418238c7390cdebe90d64

        SHA512

        c15d0cc940bd7bc334979ff7e22e1bba5b2cb24c3c4200ff359e70b4428fe0a84e83aca17752228fccf2001917eb422a9c6c692a4a6b0d7495da06f91ec26921

      • C:\Users\Admin\AppData\Local\Temp\Bunifu.Licensing.dll

        Filesize

        1.3MB

        MD5

        2b2740e0c34a46de31cf9da8a75d77cf

        SHA1

        242324f1112e6387cda41686291b6e9a415eeb8c

        SHA256

        a9be91cae167702885a5ca74273db779e3e391e2e604cc03779ed403c53ebe43

        SHA512

        605eb300b159e6ed2ee872b6ee378eed7dde6541000221fcd94d52057be91cb3c7dd65c7203f05e0718303b157b6fb941498b5e653501f97f0417d459da6bc40

      • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

        Filesize

        16.0MB

        MD5

        beaee64bd6a530d7a69b85ab1bf2a96e

        SHA1

        aafa8607eac3f3ac39d762920fe51e9b2a86eddb

        SHA256

        8d34437645bea72a222b0655712350a2f8cbd6c9cd8418ee7e04716a1af0adc6

        SHA512

        156e6a3e16c9fde1691a79afb054e2d872f95ef2ead55c5313e89ad2c799149e7c5656e04774e119cfd99de2afd1661cc60bcd43a16617aee3d78c81c2c5108b

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cp3vcqse.1fl.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\ego SheetRat.exe

        Filesize

        454KB

        MD5

        560e99b6c7ef0c8379c0eb822b69277a

        SHA1

        60a1a81afea807ad32443fb4079a1c7c7b2b219a

        SHA256

        3cee18da6757e751754d3060d9b907fb0c27dd749719aa28dfdeb0da5b436707

        SHA512

        6089200d80fdd3d64031e1fa3dcfc35afd33890fe7ce1a553459c0caa8b4e89cf80f4b14dc9a793a81df12aacf05b52a3e2a42fda89640558a894a17ce823a0b

      • C:\Users\Admin\AppData\Local\Temp\ego xworm.exe

        Filesize

        84KB

        MD5

        bf5584cb45ea000cf117223bbecfadc3

        SHA1

        bef048a9b8cbc7710bc7fd804de278c1ec583a78

        SHA256

        2e640c3e94ce6f6a5166a4bbb86889ad8726d6252242a2847c745751da393f73

        SHA512

        ef5ea25241000edb1a313523d60839cbd1f9bff682159b80dcecec8678e6f0820db3bbc799e8ab522c6132f36dd4fc5bab99870facdb537bb8c8e4a908342637

      • C:\Users\Admin\AppData\Local\Temp\wmsetup.log

        Filesize

        1KB

        MD5

        a3064daca97d28e4a2b48fe213fe03df

        SHA1

        2660461d3e248972b5e79b3f8f204b16e0d37f50

        SHA256

        0d4da3455aae008b2fbc46127ab7dbaba977b2b4d0ef78aee2044a75e2dd447a

        SHA512

        c3916b10e4b824fad929ba75686ef3c5782ff6e034dd308525b698ad61d4146a57b3f861086744fbe211e07697efa30f59b69ed1097bd3a9568952edadd7eef7

      • memory/1172-49-0x0000000000170000-0x000000000018C000-memory.dmp

        Filesize

        112KB

      • memory/2464-53-0x000001F55C510000-0x000001F55C532000-memory.dmp

        Filesize

        136KB

      • memory/4168-50-0x0000000000FD0000-0x0000000001048000-memory.dmp

        Filesize

        480KB

      • memory/4492-20-0x0000000000400000-0x0000000001592000-memory.dmp

        Filesize

        17.6MB

      • memory/4516-136-0x0000000007090000-0x00000000070A0000-memory.dmp

        Filesize

        64KB

      • memory/4516-137-0x0000000007090000-0x00000000070A0000-memory.dmp

        Filesize

        64KB

      • memory/4516-135-0x0000000007EC0000-0x0000000007ED0000-memory.dmp

        Filesize

        64KB

      • memory/4516-139-0x0000000007090000-0x00000000070A0000-memory.dmp

        Filesize

        64KB

      • memory/4516-138-0x0000000007090000-0x00000000070A0000-memory.dmp

        Filesize

        64KB

      • memory/4516-140-0x0000000007090000-0x00000000070A0000-memory.dmp

        Filesize

        64KB

      • memory/4516-141-0x0000000007090000-0x00000000070A0000-memory.dmp

        Filesize

        64KB

      • memory/4516-144-0x0000000007090000-0x00000000070A0000-memory.dmp

        Filesize

        64KB

      • memory/4768-51-0x0000000000400000-0x000000000140A000-memory.dmp

        Filesize

        16.0MB