7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7

Analysis

max time kernel
151s
max time network
54s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-10-2022 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7.exe
Size

1011KB
MD5

59c9b7c6507bc718780b46e6a01839c0
SHA1

58f6056de40c28956e7dc36913915b1b6f597e21
SHA256

7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7
SHA512

6d5fd94bf5fde5da49980dcf703a6da45fbab64e12bcff81f5f12997645626857e2327d1f2c0a39eb490818603e818401d14fc2222a0e462d9a43642b1a7bc2a
SSDEEP

24576:WGeByAZpyq8OawmaLn52tgxDvjQ9tFwScqaKP:heBdZpyyLnnxDvjQFpLrP

Score

9^/10

cryptone packer persistence

Malware Config

Signatures

CryptOne packer 11 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\jcldkb4888erinhjmjqqob.exe	cryptone
\Users\Admin\AppData\Local\Temp\jcldkb4888erinhjmjqqob.exe	cryptone
C:\Users\Admin\AppData\Local\Temp\jcldkb4888erinhjmjqqob.exe	cryptone
\??\c:\users\admin\appdata\local\temp\jcldkb4888erinhjmjqqob.exe	cryptone
\Users\Admin\AppData\Local\frzrmhyqz.exe	cryptone
\Users\Admin\AppData\Local\frzrmhyqz.exe	cryptone
C:\Users\Admin\AppData\Local\frzrmhyqz.exe	cryptone
\??\c:\users\admin\appdata\local\frzrmhyqz.exe	cryptone
\Users\Admin\AppData\Local\hkmkelryw.exe	cryptone
\Users\Admin\AppData\Local\hkmkelryw.exe	cryptone
C:\Users\Admin\AppData\Local\hkmkelryw.exe	cryptone

Executes dropped EXE 3 IoCs

Processes:

jcldkb4888erinhjmjqqob.exefrzrmhyqz.exehkmkelryw.exe

pid process

2620 jcldkb4888erinhjmjqqob.exe
3804 frzrmhyqz.exe
2360 hkmkelryw.exe

pid	process
2620	jcldkb4888erinhjmjqqob.exe
3804	frzrmhyqz.exe
2360	hkmkelryw.exe

Loads dropped DLL 6 IoCs

Processes:

7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7.exejcldkb4888erinhjmjqqob.exefrzrmhyqz.exe

pid	process
1220	7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7.exe
1220	7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7.exe
2620	jcldkb4888erinhjmjqqob.exe
2620	jcldkb4888erinhjmjqqob.exe
3804	frzrmhyqz.exe
3804	frzrmhyqz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jcldkb4888erinhjmjqqob.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Telephony IP CardSpace DNS Security = "C:\\Users\\Admin\\AppData\\Local\\frzrmhyqz.exe"	jcldkb4888erinhjmjqqob.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

frzrmhyqz.exehkmkelryw.exe

pid	process
3804	frzrmhyqz.exe
3804	frzrmhyqz.exe
3804	frzrmhyqz.exe
3804	frzrmhyqz.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
2360	hkmkelryw.exe
3804	frzrmhyqz.exe
2360	hkmkelryw.exe
3804	frzrmhyqz.exe
2360	hkmkelryw.exe
3804	frzrmhyqz.exe
2360	hkmkelryw.exe
3804	frzrmhyqz.exe
2360	hkmkelryw.exe
3804	frzrmhyqz.exe
2360	hkmkelryw.exe
3804	frzrmhyqz.exe
2360	hkmkelryw.exe
3804	frzrmhyqz.exe
2360	hkmkelryw.exe
3804	frzrmhyqz.exe
2360	hkmkelryw.exe
3804	frzrmhyqz.exe
2360	hkmkelryw.exe
3804	frzrmhyqz.exe
2360	hkmkelryw.exe
3804	frzrmhyqz.exe
2360	hkmkelryw.exe
3804	frzrmhyqz.exe
2360	hkmkelryw.exe
3804	frzrmhyqz.exe
2360	hkmkelryw.exe
3804	frzrmhyqz.exe
2360	hkmkelryw.exe
3804	frzrmhyqz.exe
2360	hkmkelryw.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7.exejcldkb4888erinhjmjqqob.exefrzrmhyqz.exe

description	pid	process	target process
PID 1220 wrote to memory of 2620	1220	7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7.exe	jcldkb4888erinhjmjqqob.exe
PID 1220 wrote to memory of 2620	1220	7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7.exe	jcldkb4888erinhjmjqqob.exe
PID 1220 wrote to memory of 2620	1220	7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7.exe	jcldkb4888erinhjmjqqob.exe
PID 1220 wrote to memory of 2620	1220	7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7.exe	jcldkb4888erinhjmjqqob.exe
PID 2620 wrote to memory of 3804	2620	jcldkb4888erinhjmjqqob.exe	frzrmhyqz.exe
PID 2620 wrote to memory of 3804	2620	jcldkb4888erinhjmjqqob.exe	frzrmhyqz.exe
PID 2620 wrote to memory of 3804	2620	jcldkb4888erinhjmjqqob.exe	frzrmhyqz.exe
PID 2620 wrote to memory of 3804	2620	jcldkb4888erinhjmjqqob.exe	frzrmhyqz.exe
PID 3804 wrote to memory of 2360	3804	frzrmhyqz.exe	hkmkelryw.exe
PID 3804 wrote to memory of 2360	3804	frzrmhyqz.exe	hkmkelryw.exe
PID 3804 wrote to memory of 2360	3804	frzrmhyqz.exe	hkmkelryw.exe
PID 3804 wrote to memory of 2360	3804	frzrmhyqz.exe	hkmkelryw.exe

C:\Users\Admin\AppData\Local\Temp\7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7.exe
"C:\Users\Admin\AppData\Local\Temp\7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\jcldkb4888erinhjmjqqob.exe
"C:\Users\Admin\AppData\Local\Temp\jcldkb4888erinhjmjqqob.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Admin\AppData\Local\frzrmhyqz.exe
"C:\Users\Admin\AppData\Local\frzrmhyqz.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3804

C:\Users\Admin\AppData\Local\hkmkelryw.exe
WATCHDOGPROC "c:\users\admin\appdata\local\frzrmhyqz.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jcldkb4888erinhjmjqqob.exe
Filesize
1011KB

MD5
59c9b7c6507bc718780b46e6a01839c0

SHA1
58f6056de40c28956e7dc36913915b1b6f597e21

SHA256
7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7

SHA512
6d5fd94bf5fde5da49980dcf703a6da45fbab64e12bcff81f5f12997645626857e2327d1f2c0a39eb490818603e818401d14fc2222a0e462d9a43642b1a7bc2a

Download Submit
C:\Users\Admin\AppData\Local\frzrmhyqz.exe
Filesize
1011KB

MD5
59c9b7c6507bc718780b46e6a01839c0

SHA1
58f6056de40c28956e7dc36913915b1b6f597e21

SHA256
7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7

SHA512
6d5fd94bf5fde5da49980dcf703a6da45fbab64e12bcff81f5f12997645626857e2327d1f2c0a39eb490818603e818401d14fc2222a0e462d9a43642b1a7bc2a

Download Submit
C:\Users\Admin\AppData\Local\hkmkelryw.exe
Filesize
1011KB

MD5
59c9b7c6507bc718780b46e6a01839c0

SHA1
58f6056de40c28956e7dc36913915b1b6f597e21

SHA256
7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7

SHA512
6d5fd94bf5fde5da49980dcf703a6da45fbab64e12bcff81f5f12997645626857e2327d1f2c0a39eb490818603e818401d14fc2222a0e462d9a43642b1a7bc2a

Download Submit
C:\Users\Admin\AppData\Local\lzfhdoipfuane\etc
Filesize
10B

MD5
34d315fe1eeb3cb7b697559c67117622

SHA1
dfbe195cd969ef930ea4a6550373108841e2ef45

SHA256
fe49605d50c801f8620cd759c34bd56500ccfb2642868290a53a1a34f2485530

SHA512
f1fe211b0cb77204f3898ea921c65d55957e595690e8a3b23c9c7c815d9f76cc8b513809fb7f8c33b18fbcc1af3a093158b9423efa07c188be61f31cf4511d51

Download Submit
C:\Users\Admin\AppData\Local\lzfhdoipfuane\rng
Filesize
4B

MD5
3bf81e2bf6dc61706efb9a6dadc5793a

SHA1
bf1bbfb3b5aaddbc5065b8440ea616d84fad8ff2

SHA256
961ae28829f0b1cfbd073eff070ac5ea8994618c0e84fab4764367464a14b854

SHA512
354f74cb52f314226a6021c5745799d05a0c8ba21246c9717b8ce211193603c4704b72332f80576d15b14d76c8f772cd5b6fa7a10acb60fab67411573f732b1c

Download Submit
C:\Users\Admin\AppData\Local\lzfhdoipfuane\tst
Filesize
10B

MD5
bdd59441ea086de6aa5fdd626116a95d

SHA1
567f98e4d269a7ebf3bc7f255857e1f6dd435273

SHA256
652501c96221f778bdef647c8c5f0353dd658079e84e93817bec0afe422fdce2

SHA512
b757f699214abdcbbc1f50b4ba7cb2faf30ef6d9916920cf6ef396a76f24a986341cd5743e17d530b3e1d80d8103dc8d3c48ad1ba670c0f7fd8e512cb0710a46

Download Submit
C:\Users\Admin\AppData\Local\lzfhdoipfuane\tst
Filesize
10B

MD5
bdd59441ea086de6aa5fdd626116a95d

SHA1
567f98e4d269a7ebf3bc7f255857e1f6dd435273

SHA256
652501c96221f778bdef647c8c5f0353dd658079e84e93817bec0afe422fdce2

SHA512
b757f699214abdcbbc1f50b4ba7cb2faf30ef6d9916920cf6ef396a76f24a986341cd5743e17d530b3e1d80d8103dc8d3c48ad1ba670c0f7fd8e512cb0710a46

Download Submit
C:\Users\Admin\AppData\Local\lzfhdoipfuane\tst
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\users\admin\appdata\local\frzrmhyqz.exe
Filesize
1011KB

MD5
59c9b7c6507bc718780b46e6a01839c0

SHA1
58f6056de40c28956e7dc36913915b1b6f597e21

SHA256
7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7

SHA512
6d5fd94bf5fde5da49980dcf703a6da45fbab64e12bcff81f5f12997645626857e2327d1f2c0a39eb490818603e818401d14fc2222a0e462d9a43642b1a7bc2a

Download Submit
\??\c:\users\admin\appdata\local\temp\jcldkb4888erinhjmjqqob.exe
Filesize
1011KB

MD5
59c9b7c6507bc718780b46e6a01839c0

SHA1
58f6056de40c28956e7dc36913915b1b6f597e21

SHA256
7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7

SHA512
6d5fd94bf5fde5da49980dcf703a6da45fbab64e12bcff81f5f12997645626857e2327d1f2c0a39eb490818603e818401d14fc2222a0e462d9a43642b1a7bc2a

Download Submit
\Users\Admin\AppData\Local\Temp\jcldkb4888erinhjmjqqob.exe
Filesize
1011KB

MD5
59c9b7c6507bc718780b46e6a01839c0

SHA1
58f6056de40c28956e7dc36913915b1b6f597e21

SHA256
7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7

SHA512
6d5fd94bf5fde5da49980dcf703a6da45fbab64e12bcff81f5f12997645626857e2327d1f2c0a39eb490818603e818401d14fc2222a0e462d9a43642b1a7bc2a

Download Submit
\Users\Admin\AppData\Local\Temp\jcldkb4888erinhjmjqqob.exe
Filesize
1011KB

MD5
59c9b7c6507bc718780b46e6a01839c0

SHA1
58f6056de40c28956e7dc36913915b1b6f597e21

SHA256
7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7

SHA512
6d5fd94bf5fde5da49980dcf703a6da45fbab64e12bcff81f5f12997645626857e2327d1f2c0a39eb490818603e818401d14fc2222a0e462d9a43642b1a7bc2a

Download Submit
\Users\Admin\AppData\Local\frzrmhyqz.exe
Filesize
1011KB

MD5
59c9b7c6507bc718780b46e6a01839c0

SHA1
58f6056de40c28956e7dc36913915b1b6f597e21

SHA256
7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7

SHA512
6d5fd94bf5fde5da49980dcf703a6da45fbab64e12bcff81f5f12997645626857e2327d1f2c0a39eb490818603e818401d14fc2222a0e462d9a43642b1a7bc2a

Download Submit
\Users\Admin\AppData\Local\frzrmhyqz.exe
Filesize
1011KB

MD5
59c9b7c6507bc718780b46e6a01839c0

SHA1
58f6056de40c28956e7dc36913915b1b6f597e21

SHA256
7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7

SHA512
6d5fd94bf5fde5da49980dcf703a6da45fbab64e12bcff81f5f12997645626857e2327d1f2c0a39eb490818603e818401d14fc2222a0e462d9a43642b1a7bc2a

Download Submit
\Users\Admin\AppData\Local\hkmkelryw.exe
Filesize
1011KB

MD5
59c9b7c6507bc718780b46e6a01839c0

SHA1
58f6056de40c28956e7dc36913915b1b6f597e21

SHA256
7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7

SHA512
6d5fd94bf5fde5da49980dcf703a6da45fbab64e12bcff81f5f12997645626857e2327d1f2c0a39eb490818603e818401d14fc2222a0e462d9a43642b1a7bc2a

Download Submit
\Users\Admin\AppData\Local\hkmkelryw.exe
Filesize
1011KB

MD5
59c9b7c6507bc718780b46e6a01839c0

SHA1
58f6056de40c28956e7dc36913915b1b6f597e21

SHA256
7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7

SHA512
6d5fd94bf5fde5da49980dcf703a6da45fbab64e12bcff81f5f12997645626857e2327d1f2c0a39eb490818603e818401d14fc2222a0e462d9a43642b1a7bc2a

Download Submit
memory/1220-54-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download
memory/2360-72-0x0000000000000000-mapping.dmp

Download
memory/2620-57-0x0000000000000000-mapping.dmp

Download
memory/3804-64-0x0000000000000000-mapping.dmp

Download