88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb

General

Target

88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe
Size

253KB
MD5

bc413cd7fb642e045f9f33847223c9bd
SHA1

b861734176811d0938e7cb62225d217a86cdc7b4
SHA256

88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb
SHA512

3fb07c1df69b865d312df7c886ac723c4a20e562f254253594ee27bb8165ad38199d36df4e377770859df09ca6083f3adb1dc24bed9175bfb49fe32cb5566c55
SSDEEP

3072:EtAcb+inTJscH6KkT0uXJOYokNbQaRP/HdyPZ39po6ybO3NVJCkt4oaFrh3kWsl/:EI2KMEOYoKG3bfybODJtvaFuzl/

Score

9^/10

cryptone packer persistence

Malware Config

Signatures

CryptOne packer 3 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
behavioral2/memory/2008-134-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone
behavioral2/memory/2008-139-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone
behavioral2/memory/3196-140-0x0000000000B80000-0x0000000000BA9000-memory.dmp	cryptone

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe System Incorporated = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\Reader_sl.exe"	svchost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe

description	pid	process	target process
PID 3276 set thread context of 2008	3276	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exesvchost.exe

pid	process
3276	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe
3276	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe
3276	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe
3276	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe
3196	svchost.exe
3196	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exesvchost.exe

description	pid	process	target process
PID 3276 wrote to memory of 2008	3276	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe
PID 3276 wrote to memory of 2008	3276	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe
PID 3276 wrote to memory of 2008	3276	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe
PID 3276 wrote to memory of 2008	3276	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe
PID 3276 wrote to memory of 2008	3276	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe
PID 3276 wrote to memory of 2008	3276	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe
PID 3276 wrote to memory of 2008	3276	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe
PID 3276 wrote to memory of 2008	3276	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe
PID 3276 wrote to memory of 2008	3276	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe
PID 3276 wrote to memory of 2008	3276	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe
PID 2008 wrote to memory of 3196	2008	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	svchost.exe
PID 2008 wrote to memory of 3196	2008	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	svchost.exe
PID 2008 wrote to memory of 3196	2008	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	svchost.exe
PID 2008 wrote to memory of 3196	2008	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	svchost.exe
PID 2008 wrote to memory of 3116	2008	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	calc.exe
PID 2008 wrote to memory of 3116	2008	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	calc.exe
PID 2008 wrote to memory of 3116	2008	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	calc.exe
PID 2008 wrote to memory of 3116	2008	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	calc.exe
PID 2008 wrote to memory of 3116	2008	88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe	calc.exe
PID 3196 wrote to memory of 2124	3196	svchost.exe	mspaint.exe
PID 3196 wrote to memory of 2124	3196	svchost.exe	mspaint.exe
PID 3196 wrote to memory of 2124	3196	svchost.exe	mspaint.exe
PID 3196 wrote to memory of 2124	3196	svchost.exe	mspaint.exe

C:\Users\Admin\AppData\Local\Temp\88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe
"C:\Users\Admin\AppData\Local\Temp\88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3276

C:\Users\Admin\AppData\Local\Temp\88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe
"C:\Users\Admin\AppData\Local\Temp\88c6e8b9765435d45271ad1422a82c70760c15116f3ed32277c879bae1529eeb.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\calc.exe
"C:\Windows\SysWOW64\calc.exe"
3⤵
PID:3116

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
3⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\SysWOW64\mspaint.exe"
4⤵
PID:2124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2008-133-0x0000000000000000-mapping.dmp

Download
memory/2008-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2008-139-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2124-138-0x0000000000000000-mapping.dmp

Download
memory/3116-137-0x0000000000000000-mapping.dmp

Download
memory/3196-136-0x0000000000000000-mapping.dmp

Download
memory/3196-140-0x0000000000B80000-0x0000000000BA9000-memory.dmp

Filesize
164KB

Download
memory/3276-132-0x00000000001C0000-0x00000000001D4000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads