7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7

Analysis

max time kernel
151s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2022 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7.exe
Size

1011KB
MD5

59c9b7c6507bc718780b46e6a01839c0
SHA1

58f6056de40c28956e7dc36913915b1b6f597e21
SHA256

7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7
SHA512

6d5fd94bf5fde5da49980dcf703a6da45fbab64e12bcff81f5f12997645626857e2327d1f2c0a39eb490818603e818401d14fc2222a0e462d9a43642b1a7bc2a
SSDEEP

24576:WGeByAZpyq8OawmaLn52tgxDvjQ9tFwScqaKP:heBdZpyyLnnxDvjQFpLrP

Score

9^/10

cryptone packer persistence

Malware Config

Signatures

CryptOne packer 6 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jcldkb3z7ylfrinhjmjqqob.exe	cryptone
C:\Users\Admin\AppData\Local\Temp\jcldkb3z7ylfrinhjmjqqob.exe	cryptone
C:\Users\Admin\AppData\Local\frzrmhyqz.exe	cryptone
C:\Users\Admin\AppData\Local\frzrmhyqz.exe	cryptone
C:\Users\Admin\AppData\Local\hkmkelryw.exe	cryptone
C:\Users\Admin\AppData\Local\hkmkelryw.exe	cryptone

Executes dropped EXE 3 IoCs

Processes:

jcldkb3z7ylfrinhjmjqqob.exefrzrmhyqz.exehkmkelryw.exe

pid process

2200 jcldkb3z7ylfrinhjmjqqob.exe
5864 frzrmhyqz.exe
2680 hkmkelryw.exe

pid	process
2200	jcldkb3z7ylfrinhjmjqqob.exe
5864	frzrmhyqz.exe
2680	hkmkelryw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jcldkb3z7ylfrinhjmjqqob.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Telephony IP CardSpace DNS Security = "C:\\Users\\Admin\\AppData\\Local\\frzrmhyqz.exe"	jcldkb3z7ylfrinhjmjqqob.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

frzrmhyqz.exehkmkelryw.exe

pid	process
5864	frzrmhyqz.exe
5864	frzrmhyqz.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
5864	frzrmhyqz.exe
5864	frzrmhyqz.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
5864	frzrmhyqz.exe
5864	frzrmhyqz.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
5864	frzrmhyqz.exe
5864	frzrmhyqz.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
5864	frzrmhyqz.exe
5864	frzrmhyqz.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
5864	frzrmhyqz.exe
5864	frzrmhyqz.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
5864	frzrmhyqz.exe
5864	frzrmhyqz.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
5864	frzrmhyqz.exe
5864	frzrmhyqz.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
5864	frzrmhyqz.exe
5864	frzrmhyqz.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
5864	frzrmhyqz.exe
5864	frzrmhyqz.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe
5864	frzrmhyqz.exe
5864	frzrmhyqz.exe
2680	hkmkelryw.exe
2680	hkmkelryw.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7.exejcldkb3z7ylfrinhjmjqqob.exefrzrmhyqz.exe

description	pid	process	target process
PID 2856 wrote to memory of 2200	2856	7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7.exe	jcldkb3z7ylfrinhjmjqqob.exe
PID 2856 wrote to memory of 2200	2856	7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7.exe	jcldkb3z7ylfrinhjmjqqob.exe
PID 2856 wrote to memory of 2200	2856	7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7.exe	jcldkb3z7ylfrinhjmjqqob.exe
PID 2200 wrote to memory of 5864	2200	jcldkb3z7ylfrinhjmjqqob.exe	frzrmhyqz.exe
PID 2200 wrote to memory of 5864	2200	jcldkb3z7ylfrinhjmjqqob.exe	frzrmhyqz.exe
PID 2200 wrote to memory of 5864	2200	jcldkb3z7ylfrinhjmjqqob.exe	frzrmhyqz.exe
PID 5864 wrote to memory of 2680	5864	frzrmhyqz.exe	hkmkelryw.exe
PID 5864 wrote to memory of 2680	5864	frzrmhyqz.exe	hkmkelryw.exe
PID 5864 wrote to memory of 2680	5864	frzrmhyqz.exe	hkmkelryw.exe

C:\Users\Admin\AppData\Local\Temp\7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7.exe
"C:\Users\Admin\AppData\Local\Temp\7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Users\Admin\AppData\Local\Temp\jcldkb3z7ylfrinhjmjqqob.exe
"C:\Users\Admin\AppData\Local\Temp\jcldkb3z7ylfrinhjmjqqob.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Local\frzrmhyqz.exe
"C:\Users\Admin\AppData\Local\frzrmhyqz.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5864

C:\Users\Admin\AppData\Local\hkmkelryw.exe
WATCHDOGPROC "c:\users\admin\appdata\local\frzrmhyqz.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jcldkb3z7ylfrinhjmjqqob.exe
Filesize
1011KB

MD5
59c9b7c6507bc718780b46e6a01839c0

SHA1
58f6056de40c28956e7dc36913915b1b6f597e21

SHA256
7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7

SHA512
6d5fd94bf5fde5da49980dcf703a6da45fbab64e12bcff81f5f12997645626857e2327d1f2c0a39eb490818603e818401d14fc2222a0e462d9a43642b1a7bc2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcldkb3z7ylfrinhjmjqqob.exe
Filesize
1011KB

MD5
59c9b7c6507bc718780b46e6a01839c0

SHA1
58f6056de40c28956e7dc36913915b1b6f597e21

SHA256
7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7

SHA512
6d5fd94bf5fde5da49980dcf703a6da45fbab64e12bcff81f5f12997645626857e2327d1f2c0a39eb490818603e818401d14fc2222a0e462d9a43642b1a7bc2a

Download Submit
C:\Users\Admin\AppData\Local\frzrmhyqz.exe
Filesize
1011KB

MD5
59c9b7c6507bc718780b46e6a01839c0

SHA1
58f6056de40c28956e7dc36913915b1b6f597e21

SHA256
7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7

SHA512
6d5fd94bf5fde5da49980dcf703a6da45fbab64e12bcff81f5f12997645626857e2327d1f2c0a39eb490818603e818401d14fc2222a0e462d9a43642b1a7bc2a

Download Submit
C:\Users\Admin\AppData\Local\frzrmhyqz.exe
Filesize
1011KB

MD5
59c9b7c6507bc718780b46e6a01839c0

SHA1
58f6056de40c28956e7dc36913915b1b6f597e21

SHA256
7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7

SHA512
6d5fd94bf5fde5da49980dcf703a6da45fbab64e12bcff81f5f12997645626857e2327d1f2c0a39eb490818603e818401d14fc2222a0e462d9a43642b1a7bc2a

Download Submit
C:\Users\Admin\AppData\Local\hkmkelryw.exe
Filesize
1011KB

MD5
59c9b7c6507bc718780b46e6a01839c0

SHA1
58f6056de40c28956e7dc36913915b1b6f597e21

SHA256
7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7

SHA512
6d5fd94bf5fde5da49980dcf703a6da45fbab64e12bcff81f5f12997645626857e2327d1f2c0a39eb490818603e818401d14fc2222a0e462d9a43642b1a7bc2a

Download Submit
C:\Users\Admin\AppData\Local\hkmkelryw.exe
Filesize
1011KB

MD5
59c9b7c6507bc718780b46e6a01839c0

SHA1
58f6056de40c28956e7dc36913915b1b6f597e21

SHA256
7f449a5148ec86d84418b1fd0948d5a74b7d5d04fb73bc158432b0d1c5f59ce7

SHA512
6d5fd94bf5fde5da49980dcf703a6da45fbab64e12bcff81f5f12997645626857e2327d1f2c0a39eb490818603e818401d14fc2222a0e462d9a43642b1a7bc2a

Download Submit
C:\Users\Admin\AppData\Local\lzfhdoipfuane\etc
Filesize
10B

MD5
34d315fe1eeb3cb7b697559c67117622

SHA1
dfbe195cd969ef930ea4a6550373108841e2ef45

SHA256
fe49605d50c801f8620cd759c34bd56500ccfb2642868290a53a1a34f2485530

SHA512
f1fe211b0cb77204f3898ea921c65d55957e595690e8a3b23c9c7c815d9f76cc8b513809fb7f8c33b18fbcc1af3a093158b9423efa07c188be61f31cf4511d51

Download Submit
C:\Users\Admin\AppData\Local\lzfhdoipfuane\rng
Filesize
4B

MD5
3bf81e2bf6dc61706efb9a6dadc5793a

SHA1
bf1bbfb3b5aaddbc5065b8440ea616d84fad8ff2

SHA256
961ae28829f0b1cfbd073eff070ac5ea8994618c0e84fab4764367464a14b854

SHA512
354f74cb52f314226a6021c5745799d05a0c8ba21246c9717b8ce211193603c4704b72332f80576d15b14d76c8f772cd5b6fa7a10acb60fab67411573f732b1c

Download Submit
C:\Users\Admin\AppData\Local\lzfhdoipfuane\tst
Filesize
10B

MD5
bdd59441ea086de6aa5fdd626116a95d

SHA1
567f98e4d269a7ebf3bc7f255857e1f6dd435273

SHA256
652501c96221f778bdef647c8c5f0353dd658079e84e93817bec0afe422fdce2

SHA512
b757f699214abdcbbc1f50b4ba7cb2faf30ef6d9916920cf6ef396a76f24a986341cd5743e17d530b3e1d80d8103dc8d3c48ad1ba670c0f7fd8e512cb0710a46

Download Submit
C:\Users\Admin\AppData\Local\lzfhdoipfuane\tst
Filesize
10B

MD5
bdd59441ea086de6aa5fdd626116a95d

SHA1
567f98e4d269a7ebf3bc7f255857e1f6dd435273

SHA256
652501c96221f778bdef647c8c5f0353dd658079e84e93817bec0afe422fdce2

SHA512
b757f699214abdcbbc1f50b4ba7cb2faf30ef6d9916920cf6ef396a76f24a986341cd5743e17d530b3e1d80d8103dc8d3c48ad1ba670c0f7fd8e512cb0710a46

Download Submit
C:\Users\Admin\AppData\Local\lzfhdoipfuane\tst
Filesize
10B

MD5
bdd59441ea086de6aa5fdd626116a95d

SHA1
567f98e4d269a7ebf3bc7f255857e1f6dd435273

SHA256
652501c96221f778bdef647c8c5f0353dd658079e84e93817bec0afe422fdce2

SHA512
b757f699214abdcbbc1f50b4ba7cb2faf30ef6d9916920cf6ef396a76f24a986341cd5743e17d530b3e1d80d8103dc8d3c48ad1ba670c0f7fd8e512cb0710a46

Download Submit
memory/2200-132-0x0000000000000000-mapping.dmp

Download
memory/2680-141-0x0000000000000000-mapping.dmp

Download
memory/5864-136-0x0000000000000000-mapping.dmp

Download