Malware Analysis Report

2024-10-16 06:27

Sample ID  210714-qt9tzqrscj
Target     574e9f8074520690b36e5169a331263b
SHA256     e10fa45aa8fff5891a60afb5f15c2a8b3827b425b59656a0dc114cb7dd8d419f
Tags       cryptone packer ta505
Score      10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

e10fa45aa8fff5891a60afb5f15c2a8b3827b425b59656a0dc114cb7dd8d419f

Threat Level: Known bad

The file 574e9f8074520690b36e5169a331263b was found to be: Known bad.

Malicious Activity Summary

cryptone packer ta505

TA505

CryptOne packer

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-07-14 13:22

Signatures

CryptOne packer

cryptone packer
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-07-14 13:22

Reported

2021-07-14 13:25

Platform

win7v20210410

Max time kernel

3s

Max time network

41s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\574e9f8074520690b36e5169a331263b.dll",#1

Signatures

TA505

ta505

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\rundll32.exe  N/A

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 1652 wrote to memory of 1980  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1652 wrote to memory of 1980  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1652 wrote to memory of 1980  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1652 wrote to memory of 1980  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1652 wrote to memory of 1980  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1652 wrote to memory of 1980  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 1652 wrote to memory of 1980  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\574e9f8074520690b36e5169a331263b.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\574e9f8074520690b36e5169a331263b.dll",#1

Network

Country  Destination  Domain        Proto
N/A      8.8.8.8:53   into-box.com  udp

Files

memory/1980-59-0x0000000000000000-mapping.dmp

memory/1980-60-0x0000000075411000-0x0000000075413000-memory.dmp

memory/1980-62-0x0000000000290000-0x00000000002D0000-memory.dmp

memory/1980-61-0x0000000000160000-0x000000000019C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-07-14 13:22

Reported

2021-07-14 13:24

Platform

win10v20210408

Max time kernel

35s

Max time network

135s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\574e9f8074520690b36e5169a331263b.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description                      Indicator  Process                           Target
PID 808 wrote to memory of 1364  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 808 wrote to memory of 1364  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 808 wrote to memory of 1364  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\574e9f8074520690b36e5169a331263b.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\574e9f8074520690b36e5169a331263b.dll",#1

Network

N/A

Files

memory/1364-114-0x0000000000000000-mapping.dmp

memory/1364-115-0x0000000000B20000-0x0000000000BAE000-memory.dmp

memory/1364-116-0x0000000000BF0000-0x0000000000C30000-memory.dmp