Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 11-07-2022 12:19
Static task: static1
Behavioral task: behavioral1
Sample: Cryptded_protected.sfx.exe
Resource: win7-20220414-en
General
- Target: Cryptded_protected.sfx.exe
- Size: 1.7MB
- MD5: 8a9c5b9db9e0bca2aa8155197462650c
- SHA1: 5d2422bff61c219a6f3d2974e99c310eab1657b5
- SHA256: 283906c670f0a64dbd5f3ce78354ef08071db8b728c3ee93f55195da68fd7d1c
- SHA512: 81b06cc10d7959dc15648ad255351c128ef097ce2f10bc3eb63dc19f93ceb4cceb9d1adb2e4e8a033818f1aebb6fc72193f5dc61ee74a77f482cb29cac8cebab
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/963884131157168128/l7y0A3as75Se94o7XMk4zXPVahSSRfUXKz2j0cONgRgga6ZiO0oAtr3nqCmT9TlwHPnJ
Signatures
- Executes dropped EXE (4 IoCs)
Processes (pid, process):
- 2340 Cryptded_protected.exe
- 4484 Umbrella.flv.exe
- 4536 Insidious (2).exe
- 3688 svhost.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (Umbrella.flv.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (Cryptded_protected.sfx.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (Cryptded_protected.exe)
- Drops startup file (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbf292fcc15f8937d92f60f5f6be68ce.exe (svhost.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbf292fcc15f8937d92f60f5f6be68ce.exe (svhost.exe)
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbf292fcc15f8937d92f60f5f6be68ce = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .." (svhost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbf292fcc15f8937d92f60f5f6be68ce = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .." (svhost.exe)
- Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows (flow, ioc):
- 11 freegeoip.app
- 12 freegeoip.app
- Drops autorun.inf file (1 TTPs, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes (description, ioc, process):
- File created: C:\autorun.inf (svhost.exe)
- File opened for modification: C:\autorun.inf (svhost.exe)
- File created: D:\autorun.inf (svhost.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes (pid, process):
- 2340 Cryptded_protected.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (Insidious (2).exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (Insidious (2).exe)
- Kills process with taskkill (1 IoCs)
Processes (pid, process):
- 1584 taskkill.exe
- Modifies registry class (1 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Cryptded_protected.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process; each entry repeated as in the original table):
- 2340 Cryptded_protected.exe (2 entries)
- 4536 Insidious (2).exe (4 entries)
- 4180 powershell.exe (2 entries)
- 3688 svhost.exe (all remaining entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
- 3688 svhost.exe
- Suspicious use of AdjustPrivilegeToken (36 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 4536 Insidious (2).exe
- Token: SeDebugPrivilege, 4180 powershell.exe
- Token: SeDebugPrivilege, 3688 svhost.exe
- Token: SeDebugPrivilege, 1584 taskkill.exe
- Token: 33, 3688 svhost.exe (16 entries, alternating with the next line)
- Token: SeIncBasePriorityPrivilege, 3688 svhost.exe (16 entries)
- Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid, process):
- 2340 Cryptded_protected.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
Processes (description, pid, process, target process):
- PID 928 wrote to memory of 2340: Cryptded_protected.sfx.exe -> Cryptded_protected.exe (3 entries)
- PID 2340 wrote to memory of 4484: Cryptded_protected.exe -> Umbrella.flv.exe (3 entries)
- PID 2340 wrote to memory of 4536: Cryptded_protected.exe -> Insidious (2).exe (2 entries)
- PID 2340 wrote to memory of 4180: Cryptded_protected.exe -> powershell.exe (3 entries)
- PID 4484 wrote to memory of 3688: Umbrella.flv.exe -> svhost.exe (3 entries)
- PID 3688 wrote to memory of 2356: svhost.exe -> netsh.exe (3 entries)
- PID 3688 wrote to memory of 1584: svhost.exe -> taskkill.exe (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Cryptded_protected.sfx.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Cryptded_protected.sfx.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 928
   2. C:\Users\Admin\AppData\Local\Temp\Cryptded_protected.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Cryptded_protected.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2340
      3. C:\Users\Admin\AppData\Local\Temp\Umbrella.flv.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\Umbrella.flv.exe"
         - Executes dropped EXE
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory
         PID: 4484
         4. C:\Users\Admin\AppData\Roaming\svhost.exe
            Command line: "C:\Users\Admin\AppData\Roaming\svhost.exe"
            - Executes dropped EXE
            - Drops startup file
            - Adds Run key to start application
            - Drops autorun.inf file
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 3688
            5. C:\Windows\SysWOW64\netsh.exe
               Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svhost.exe" "svhost.exe" ENABLE
               - Modifies Windows Firewall
               PID: 2356
            5. C:\Windows\SysWOW64\taskkill.exe
               Command line: taskkill /F /IM Exsample.exe
               - Kills process with taskkill
               - Suspicious use of AdjustPrivilegeToken
               PID: 1584
      3. C:\Users\Admin\AppData\Local\Temp\Insidious (2).exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\Insidious (2).exe"
         - Executes dropped EXE
         - Checks processor information in registry
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 4536
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Users\Admin\AppData\Local\Temp\Cryptded_protected.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 4180
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.5MB
  MD5: fc24752914e03759c7cc97e560154868
  SHA1: 9790816345ee7f10a0336f4013864c565c75de89
  SHA256: a0de3c7f5026e72496e15c3fcb24947aa54e2d615bed91bc8f44fd07a2553b44
  SHA512: 7a7082c640fbcb54a9247848dde589258a7182ff2284c166372465f5d7a76ab3ce89cc7d98bba9fab3a670957655e8fb0337cd7f836cc1f88ccfe6aa980f904e
- Filesize: 252KB
  MD5: d7595446b3398cd3f737047a2ea51e6b
  SHA1: 3149f2afed1ee0b7b64afcd0ddfe52b982c07983
  SHA256: a09ef6e960ea808cfd8d3031957e7d8213b03b8ce37e2cafe905d43965635975
  SHA512: dc95b3a9117f1e52e735b316a2828e649a904120c604505d071d70f5fdeba40396f1de8f39292e9651deeed6fcb2447026c63383491b080abb9416839bbcd00c
- Filesize: 36KB
  MD5: e99f837607cb3c47ea0a29cf3e3243f5
  SHA1: c94b04439c4151bdd0482df65699c2e516b2eff2
  SHA256: 4d92d5b42d93bfadff3454236d10a2ff63bb02dbe0332ea83db215df6ded55bb
  SHA512: 6b7dbfb18395199ae3416d7aeaf18d4b0d3e1fc0168c09cf4f4ec95a7e451121dbf8ba1e4ed2a95ccdcbb56cf27502648308b7fb7a0e33272bdcb9f2aa55f853