70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8

General

Target

70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe
Size

211KB
MD5

3f68886e4974aa2cda27e7ebd4577488
SHA1

a21326daa72e09db39a61c13258adb9737deac0e
SHA256

70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8
SHA512

7f4e262847795f5371823b1bf5dbcf461774382d03dc8c653fba7b9261a4bbc55c778101e93f20241b41add223d3ed8cddbae3a80c980a846893a3a506f0d732
SSDEEP

3072:WfJ4pUdCdc0E+/tYByANc/sg1WyQmG07nMzHrscxO9xEtobhlL5WN:WfJ4GCdlEQtGaWcGQiLnxO9xEto9lu

Score

9^/10

cryptone packer

Malware Config

Signatures

CryptOne packer 7 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
behavioral1/memory/576-57-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone
behavioral1/memory/576-59-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone
behavioral1/memory/576-60-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone
behavioral1/memory/576-62-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone
behavioral1/memory/576-63-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone
behavioral1/memory/576-68-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone
behavioral1/memory/576-74-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone

Suspicious use of SetThreadContext 1 IoCs

Processes:

70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe

description	pid	process	target process
PID 956 set thread context of 576	956	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe

pid	process
956	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe
956	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe

description	pid	process	target process
PID 956 wrote to memory of 576	956	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe
PID 956 wrote to memory of 576	956	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe
PID 956 wrote to memory of 576	956	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe
PID 956 wrote to memory of 576	956	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe
PID 956 wrote to memory of 576	956	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe
PID 956 wrote to memory of 576	956	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe
PID 956 wrote to memory of 576	956	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe
PID 956 wrote to memory of 576	956	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe
PID 956 wrote to memory of 576	956	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe
PID 956 wrote to memory of 576	956	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe
PID 956 wrote to memory of 576	956	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe
PID 576 wrote to memory of 588	576	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	svchost.exe
PID 576 wrote to memory of 588	576	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	svchost.exe
PID 576 wrote to memory of 588	576	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	svchost.exe
PID 576 wrote to memory of 588	576	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	svchost.exe
PID 576 wrote to memory of 1400	576	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	calc.exe
PID 576 wrote to memory of 1400	576	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	calc.exe
PID 576 wrote to memory of 1400	576	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	calc.exe
PID 576 wrote to memory of 1400	576	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	calc.exe
PID 576 wrote to memory of 1400	576	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	calc.exe
PID 576 wrote to memory of 1400	576	70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe	calc.exe

C:\Users\Admin\AppData\Local\Temp\70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe
"C:\Users\Admin\AppData\Local\Temp\70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe
"C:\Users\Admin\AppData\Local\Temp\70bb37aed4406a1fd15a466095198b562da388a9525e5f6bc6c899ab2b9e9eb8.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\calc.exe
"C:\Windows\SysWOW64\calc.exe"
3⤵
PID:1400

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
3⤵
PID:588

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/576-68-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/576-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/576-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/576-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/576-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/576-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/576-74-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/576-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/576-67-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/576-64-0x0000000000404BF0-mapping.dmp

Download
memory/956-65-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/1400-70-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/1400-72-0x0000000000000000-mapping.dmp

Download
memory/1400-75-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads