87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db

General

Target

87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
Size

180KB
MD5

597667895aedbcaa4c6f77b90e9e2994
SHA1

681232c7a6f08da5652c775b77f739a8273a96b3
SHA256

87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db
SHA512

6464a0d666a21fdef70bb42cc5d101301353a76c01ad0177dfb0af4f852d706196eda0a5569ad7810070a8a573da0a0cac357e5320b5c232ca18b8519eea7cd0
SSDEEP

3072:nyEhVg7DPPiyJajXzsyxwiFdZz2iJHlSRcMgfBRbL:yEhS7DFa8P6dxpl4I

Score

9^/10

cryptone packer persistence

Malware Config

Signatures

CryptOne packer 6 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
behavioral2/memory/2688-133-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone
behavioral2/memory/3172-139-0x0000000000110000-0x0000000000139000-memory.dmp	cryptone
behavioral2/memory/3172-140-0x0000000000110000-0x0000000000139000-memory.dmp	cryptone
behavioral2/memory/3172-141-0x0000000000110000-0x0000000000139000-memory.dmp	cryptone
behavioral2/memory/2688-145-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone
behavioral2/memory/3132-146-0x00000000005A0000-0x00000000005C9000-memory.dmp	cryptone

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mspaint.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qwlglw = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\Qwlglw.exe"	mspaint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe System Incorporated = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\Reader_sl.exe"	svchost.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exemspaint.exe

description	ioc	process
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\D:	mspaint.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe

description	pid	process	target process
PID 3484 set thread context of 2688	3484	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 2688 set thread context of 876	2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exesvchost.exe87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe

pid	process
3484	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
3484	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
3484	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
3484	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
3132	svchost.exe
3132	svchost.exe
876	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
876	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
876	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe

pid process

2688 87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe

pid	process
2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.execalc.exemspaint.exesvchost.exe

description	pid	process
Token: 33	3484	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
Token: SeIncBasePriorityPrivilege	3484	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
Token: SeDebugPrivilege	876	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
Token: SeDebugPrivilege	2616	calc.exe
Token: SeDebugPrivilege	3172	mspaint.exe
Token: SeDebugPrivilege	3132	svchost.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exesvchost.exe87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe

description	pid	process	target process
PID 3484 wrote to memory of 2688	3484	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 3484 wrote to memory of 2688	3484	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 3484 wrote to memory of 2688	3484	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 3484 wrote to memory of 2688	3484	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 3484 wrote to memory of 2688	3484	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 3484 wrote to memory of 2688	3484	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 3484 wrote to memory of 2688	3484	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 3484 wrote to memory of 2688	3484	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 3484 wrote to memory of 2688	3484	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 3484 wrote to memory of 2688	3484	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 2688 wrote to memory of 3132	2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	svchost.exe
PID 2688 wrote to memory of 3132	2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	svchost.exe
PID 2688 wrote to memory of 3132	2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	svchost.exe
PID 2688 wrote to memory of 3132	2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	svchost.exe
PID 2688 wrote to memory of 2616	2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	calc.exe
PID 2688 wrote to memory of 2616	2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	calc.exe
PID 2688 wrote to memory of 2616	2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	calc.exe
PID 2688 wrote to memory of 2616	2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	calc.exe
PID 2688 wrote to memory of 2616	2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	calc.exe
PID 3132 wrote to memory of 3172	3132	svchost.exe	mspaint.exe
PID 3132 wrote to memory of 3172	3132	svchost.exe	mspaint.exe
PID 3132 wrote to memory of 3172	3132	svchost.exe	mspaint.exe
PID 3132 wrote to memory of 3172	3132	svchost.exe	mspaint.exe
PID 2688 wrote to memory of 876	2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 2688 wrote to memory of 876	2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 2688 wrote to memory of 876	2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 2688 wrote to memory of 876	2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 2688 wrote to memory of 876	2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 2688 wrote to memory of 876	2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 2688 wrote to memory of 876	2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 2688 wrote to memory of 876	2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 2688 wrote to memory of 876	2688	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
PID 876 wrote to memory of 3132	876	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	svchost.exe
PID 876 wrote to memory of 3132	876	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	svchost.exe
PID 876 wrote to memory of 2616	876	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	calc.exe
PID 876 wrote to memory of 2616	876	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	calc.exe
PID 876 wrote to memory of 3172	876	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	mspaint.exe
PID 876 wrote to memory of 3172	876	87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe	mspaint.exe

C:\Users\Admin\AppData\Local\Temp\87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
"C:\Users\Admin\AppData\Local\Temp\87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484

C:\Users\Admin\AppData\Local\Temp\87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
"C:\Users\Admin\AppData\Local\Temp\87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\calc.exe
"C:\Windows\SysWOW64\calc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
3⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\SysWOW64\mspaint.exe"
4⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Users\Admin\AppData\Local\Temp\87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe
"C:\Users\Admin\AppData\Local\Temp\87ef7737e731697628480a80fcd00dfecadf68a2a7f40a9ebf7f00908d1fd6db.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/876-144-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/876-155-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/876-151-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/876-150-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/876-149-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/876-143-0x0000000000000000-mapping.dmp

Download
memory/2616-157-0x0000000002D10000-0x0000000002D5E000-memory.dmp

Filesize
312KB

Download
memory/2616-137-0x0000000000000000-mapping.dmp

Download
memory/2616-153-0x0000000002D10000-0x0000000002D5E000-memory.dmp

Filesize
312KB

Download
memory/2688-133-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2688-132-0x0000000000000000-mapping.dmp

Download
memory/2688-145-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3132-152-0x0000000000810000-0x000000000085E000-memory.dmp

Filesize
312KB

Download
memory/3132-146-0x00000000005A0000-0x00000000005C9000-memory.dmp

Filesize
164KB

Download
memory/3132-136-0x0000000000000000-mapping.dmp

Download
memory/3132-156-0x0000000000810000-0x000000000085E000-memory.dmp

Filesize
312KB

Download
memory/3172-148-0x0000000000110000-0x0000000000139000-memory.dmp

Filesize
164KB

Download
memory/3172-142-0x0000000000110000-0x0000000000139000-memory.dmp

Filesize
164KB

Download
memory/3172-141-0x0000000000110000-0x0000000000139000-memory.dmp

Filesize
164KB

Download
memory/3172-140-0x0000000000110000-0x0000000000139000-memory.dmp

Filesize
164KB

Download
memory/3172-139-0x0000000000110000-0x0000000000139000-memory.dmp

Filesize
164KB

Download
memory/3172-138-0x0000000000000000-mapping.dmp

Download
memory/3172-154-0x0000000000150000-0x000000000019E000-memory.dmp

Filesize
312KB

Download
memory/3172-158-0x0000000000150000-0x000000000019E000-memory.dmp

Filesize
312KB

Download
memory/3484-134-0x00000000007A0000-0x00000000007B4000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads