Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250313-en -
resource tags
arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system -
submitted
26/03/2025, 05:54
Static task
static1
Behavioral task
behavioral1
Sample
GTCCrackingToolV2.0.exe
Resource
win10ltsc2021-20250314-en
Behavioral task
behavioral2
Sample
GTCCrackingToolV2.0.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
GTCCrackingToolV2.0.exe
Resource
win10v2004-20250313-en
General
-
Target
GTCCrackingToolV2.0.exe
-
Size
9.5MB
-
MD5
4790b00f8d08c3123a93a6bb0581f496
-
SHA1
46810574ef29fad1f4591524b000fb385009f804
-
SHA256
e9e3295ae8cd8261e5d9a200e25da5fe01b0126d170af749892ff52c3af58e2b
-
SHA512
181641a00853d0fe070ad88046c60ee592e78f9e3282a5623862156a91f00fc48a716315762737b6794f3a07ecbd0069a84f2162ff86b967617537a43698ea70
-
SSDEEP
196608:8ug/f7c2fOpS6qL0QPaNEfJYNYihp5cYughj3gXDJMIOaV:jgnI2fwqL0QlfJHihp5cYtJwXDq0
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation GTCCrackingToolV2.0.exe -
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral3/memory/3248-6-0x00000151AFD10000-0x00000151AFE90000-memory.dmp agile_net behavioral3/files/0x00070000000241d9-10.dat agile_net -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 3248 GTCCrackingToolV2.0.exe 3248 GTCCrackingToolV2.0.exe 3248 GTCCrackingToolV2.0.exe 3248 GTCCrackingToolV2.0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer GTCCrackingToolV2.0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion GTCCrackingToolV2.0.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS GTCCrackingToolV2.0.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3248 GTCCrackingToolV2.0.exe Token: SeDebugPrivilege 2156 taskmgr.exe Token: SeSystemProfilePrivilege 2156 taskmgr.exe Token: SeCreateGlobalPrivilege 2156 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe 2156 taskmgr.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3248 wrote to memory of 2020 3248 GTCCrackingToolV2.0.exe 93 PID 3248 wrote to memory of 2020 3248 GTCCrackingToolV2.0.exe 93 PID 2020 wrote to memory of 2344 2020 cmd.exe 95 PID 2020 wrote to memory of 2344 2020 cmd.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\GTCCrackingToolV2.0.exe"C:\Users\Admin\AppData\Local\Temp\GTCCrackingToolV2.0.exe"1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1A751740.dll" /A:H2⤵
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵PID:2344
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2156
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
709KB
MD5149873da1bd6963a6bffbcf17e9b972e
SHA13e89ca39e34903c06c9203a1cf77dcdfcb8456f9
SHA2563a0f152b273a8dfb6d44b032ba74d835f10fa019aa65427d6c9ab7b5989a995f
SHA5129252355ab21e08d490968d33b395afee01229e37e32f654434258fd513bf8e86c2dd6cbfc99a85a3683a8ad13613c91eb8e787931f05f28192c8b94922f0894d