518865bd78c66ddbe8bd26c847df27de42a663ac5f586f14ab1b544dfbff5b11

Resubmissions

02/03/2025, 13:47

250302-q3zcwawny4 10

02/03/2025, 13:43

250302-q1ln1awsez 7

Analysis

max time kernel
26s
max time network
53s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/03/2025, 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CapCut crack Activator 2024.exe
Size

808.7MB
MD5

ed8a0f681c3af7dac3c57db1517e0c3b
SHA1

41d8615bdd9ecfc665c1063f89a65f7dde6bcd28
SHA256

518865bd78c66ddbe8bd26c847df27de42a663ac5f586f14ab1b544dfbff5b11
SHA512

7ee156228893f60ae492aa448cfe66d621373b10545c4ebc231a3dc23065804534392f7f7db7747a75cd2bec421a4007fa2fd2a3bc88872bee797075bf454d13
SSDEEP

393216:irOxtq4lv9TZuL3JEEfXy1o/gmLaUXfwuCPOql1:thliZEMC1oYmLwPO2

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2768	CapCut crack Activator 2024.tmp
2576	CapCut crack Activator 2024.tmp
2036	hwmonitor.exe

Loads dropped DLL 12 IoCs

pid	Process
2360	CapCut crack Activator 2024.exe
2768	CapCut crack Activator 2024.tmp
2768	CapCut crack Activator 2024.tmp
2712	CapCut crack Activator 2024.exe
2576	CapCut crack Activator 2024.tmp
2576	CapCut crack Activator 2024.tmp
2576	CapCut crack Activator 2024.tmp
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1120	2036	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hwmonitor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CapCut crack Activator 2024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CapCut crack Activator 2024.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CapCut crack Activator 2024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CapCut crack Activator 2024.tmp

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2576	CapCut crack Activator 2024.tmp
2576	CapCut crack Activator 2024.tmp
2576	CapCut crack Activator 2024.tmp
2576	CapCut crack Activator 2024.tmp
2576	CapCut crack Activator 2024.tmp
2576	CapCut crack Activator 2024.tmp
2576	CapCut crack Activator 2024.tmp
2576	CapCut crack Activator 2024.tmp
2036	hwmonitor.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2576	CapCut crack Activator 2024.tmp

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2768	2360	CapCut crack Activator 2024.exe	30
PID 2360 wrote to memory of 2768	2360	CapCut crack Activator 2024.exe	30
PID 2360 wrote to memory of 2768	2360	CapCut crack Activator 2024.exe	30
PID 2360 wrote to memory of 2768	2360	CapCut crack Activator 2024.exe	30
PID 2360 wrote to memory of 2768	2360	CapCut crack Activator 2024.exe	30
PID 2360 wrote to memory of 2768	2360	CapCut crack Activator 2024.exe	30
PID 2360 wrote to memory of 2768	2360	CapCut crack Activator 2024.exe	30
PID 2768 wrote to memory of 2712	2768	CapCut crack Activator 2024.tmp	31
PID 2768 wrote to memory of 2712	2768	CapCut crack Activator 2024.tmp	31
PID 2768 wrote to memory of 2712	2768	CapCut crack Activator 2024.tmp	31
PID 2768 wrote to memory of 2712	2768	CapCut crack Activator 2024.tmp	31
PID 2712 wrote to memory of 2576	2712	CapCut crack Activator 2024.exe	32
PID 2712 wrote to memory of 2576	2712	CapCut crack Activator 2024.exe	32
PID 2712 wrote to memory of 2576	2712	CapCut crack Activator 2024.exe	32
PID 2712 wrote to memory of 2576	2712	CapCut crack Activator 2024.exe	32
PID 2712 wrote to memory of 2576	2712	CapCut crack Activator 2024.exe	32
PID 2712 wrote to memory of 2576	2712	CapCut crack Activator 2024.exe	32
PID 2712 wrote to memory of 2576	2712	CapCut crack Activator 2024.exe	32
PID 2576 wrote to memory of 2036	2576	CapCut crack Activator 2024.tmp	33
PID 2576 wrote to memory of 2036	2576	CapCut crack Activator 2024.tmp	33
PID 2576 wrote to memory of 2036	2576	CapCut crack Activator 2024.tmp	33
PID 2576 wrote to memory of 2036	2576	CapCut crack Activator 2024.tmp	33
PID 2576 wrote to memory of 2036	2576	CapCut crack Activator 2024.tmp	33
PID 2576 wrote to memory of 2036	2576	CapCut crack Activator 2024.tmp	33
PID 2576 wrote to memory of 2036	2576	CapCut crack Activator 2024.tmp	33
PID 2036 wrote to memory of 1120	2036	hwmonitor.exe	34
PID 2036 wrote to memory of 1120	2036	hwmonitor.exe	34
PID 2036 wrote to memory of 1120	2036	hwmonitor.exe	34
PID 2036 wrote to memory of 1120	2036	hwmonitor.exe	34

C:\Users\Admin\AppData\Local\Temp\CapCut crack Activator 2024.exe
"C:\Users\Admin\AppData\Local\Temp\CapCut crack Activator 2024.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\is-10LD9.tmp\CapCut crack Activator 2024.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-10LD9.tmp\CapCut crack Activator 2024.tmp" /SL5="$60150,17133306,886272,C:\Users\Admin\AppData\Local\Temp\CapCut crack Activator 2024.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\CapCut crack Activator 2024.exe
    "C:\Users\Admin\AppData\Local\Temp\CapCut crack Activator 2024.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\is-0KR5A.tmp\CapCut crack Activator 2024.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-0KR5A.tmp\CapCut crack Activator 2024.tmp" /SL5="$70150,17133306,886272,C:\Users\Admin\AppData\Local\Temp\CapCut crack Activator 2024.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Users\Admin\AppData\Roaming\{718BA32F-C68F-412C-9D9B-5C5EE49E57A5}\hwmonitor.exe
        
        "C:\Users\Admin\AppData\Roaming\{718BA32F-C68F-412C-9D9B-5C5EE49E57A5}\hwmonitor.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 132
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-0KR5A.tmp\CapCut crack Activator 2024.tmp

Filesize
3.0MB

MD5
0638cde862842d9d159bbb68552dd50d

SHA1
923c56e5285b7ad01ee8b036228cabd0c64b2828

SHA256
bb2bc79c278e232bd4d14981ce092ab2ed678d751f4a45e2dc6ce2c947519b35

SHA512
88238829dd5ee921a516cf5187e7be4001bf4d5b10cd530b4cb0cb58cd1658ae47745497ad06eadc8f167bdc02fa23f45e25f4d22feb01fc4d44564f44bfd937

Download Submit
\Users\Admin\AppData\Local\Temp\is-4NI49.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-4NI49.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
memory/2036-126-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/2036-117-0x0000000000240000-0x0000000000280000-memory.dmp

Filesize
256KB

Download
memory/2360-0-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2360-24-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2360-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2576-38-0x0000000000400000-0x0000000000708000-memory.dmp

Filesize
3.0MB

Download
memory/2576-114-0x0000000000400000-0x0000000000708000-memory.dmp

Filesize
3.0MB

Download
memory/2712-37-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2712-116-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2712-20-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2768-8-0x0000000000400000-0x0000000000708000-memory.dmp

Filesize
3.0MB

Download
memory/2768-22-0x0000000000400000-0x0000000000708000-memory.dmp

Filesize
3.0MB

Download