Overview

overview

9

Static

static

2593e25ff0...62.exe

windows7-x64

9

2593e25ff0...62.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    151s
  • max time network
    190s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 12:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2593e25ff0b8df13067071ca27532c46e9de52cadb3b0159a8879f68d2d12762.exe

  • Size

    165KB

  • MD5

    20d875ef318f7fe70895b7ca2d8c73fa

  • SHA1

    8368173f6edc826b06f72b2fef0818931f49ba5d

  • SHA256

    2593e25ff0b8df13067071ca27532c46e9de52cadb3b0159a8879f68d2d12762

  • SHA512

    bd8632736cb816bd94fefad125138996dc0ae02f066dff3f498762c55be96c652fbcf6763b46f99c212c578275795fb4b675b4aaf138f0e237c5934ac71e375c

  • SSDEEP

    3072:KYmlOJseb6jEfMR5kF/71yiMF44WyUtVU1yOXGB8kFF/df2oFfHgWiI+xR:vueOwqfJxU7iFXG/rdf2oRPy

Score
9/10
cryptonepackerpersistence

Malware Config

Signatures

  • CryptOne packer 6 IoCs

    Detects CryptOne packer defined in NCC blogpost.

    cryptonepacker
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2593e25ff0b8df13067071ca27532c46e9de52cadb3b0159a8879f68d2d12762.exe
    "C:\Users\Admin\AppData\Local\Temp\2593e25ff0b8df13067071ca27532c46e9de52cadb3b0159a8879f68d2d12762.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Adds Run key to start application
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Windows\SysWOW64\mspaint.exe
        "C:\Windows\SysWOW64\mspaint.exe"
        3⤵
        • Adds Run key to start application
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:376
    • C:\Windows\SysWOW64\calc.exe
      "C:\Windows\SysWOW64\calc.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:832
    • C:\Users\Admin\AppData\Local\Temp\2593e25ff0b8df13067071ca27532c46e9de52cadb3b0159a8879f68d2d12762.exe
      "C:\Users\Admin\AppData\Local\Temp\2593e25ff0b8df13067071ca27532c46e9de52cadb3b0159a8879f68d2d12762.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/376-90-0x0000000000080000-0x00000000000A9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/376-251-0x0000000000330000-0x000000000037E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/376-107-0x0000000000330000-0x000000000037E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/376-138-0x0000000000330000-0x000000000037E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/376-127-0x0000000000330000-0x000000000037E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/376-123-0x0000000000330000-0x000000000037E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/376-119-0x0000000000330000-0x000000000037E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/376-67-0x0000000000000000-mapping.dmp
    Download
  • memory/376-69-0x0000000000D81000-0x0000000000D83000-memory.dmp
    Filesize

    8KB

    Download
  • memory/376-71-0x0000000000080000-0x00000000000A9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/376-72-0x0000000000080000-0x00000000000A9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/376-73-0x0000000000080000-0x00000000000A9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/376-115-0x0000000000330000-0x000000000037E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/376-70-0x0000000000080000-0x00000000000A9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/376-111-0x0000000000330000-0x000000000037E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/832-118-0x0000000000360000-0x00000000003AE000-memory.dmp
    Filesize

    312KB

    Download
  • memory/832-102-0x0000000000360000-0x00000000003AE000-memory.dmp
    Filesize

    312KB

    Download
  • memory/832-252-0x0000000000398000-0x000000000039A000-memory.dmp
    Filesize

    8KB

    Download
  • memory/832-88-0x0000000000080000-0x0000000000082000-memory.dmp
    Filesize

    8KB

    Download
  • memory/832-250-0x0000000000360000-0x00000000003AE000-memory.dmp
    Filesize

    312KB

    Download
  • memory/832-134-0x0000000000360000-0x00000000003AE000-memory.dmp
    Filesize

    312KB

    Download
  • memory/832-110-0x0000000000360000-0x00000000003AE000-memory.dmp
    Filesize

    312KB

    Download
  • memory/832-126-0x0000000000360000-0x00000000003AE000-memory.dmp
    Filesize

    312KB

    Download
  • memory/832-122-0x0000000000360000-0x00000000003AE000-memory.dmp
    Filesize

    312KB

    Download
  • memory/832-60-0x0000000000080000-0x0000000000082000-memory.dmp
    Filesize

    8KB

    Download
  • memory/832-62-0x0000000000000000-mapping.dmp
    Download
  • memory/832-98-0x0000000000360000-0x00000000003AE000-memory.dmp
    Filesize

    312KB

    Download
  • memory/832-114-0x0000000000360000-0x00000000003AE000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1172-75-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1172-89-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1172-81-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1172-74-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1172-83-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1172-92-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1172-84-0x0000000000410910-mapping.dmp
    Download
  • memory/1172-79-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1172-77-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1172-109-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1452-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1452-86-0x00000000000D0000-0x00000000000F9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1452-57-0x00000000000D0000-0x00000000000F9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1452-100-0x0000000000270000-0x00000000002BE000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1584-91-0x0000000000400000-0x0000000000446000-memory.dmp
    Filesize

    280KB

    Download
  • memory/1584-56-0x0000000000400000-0x0000000000446000-memory.dmp
    Filesize

    280KB

    Download
  • memory/1584-55-0x0000000000240000-0x0000000000259000-memory.dmp
    Filesize

    100KB

    Download
  • memory/1584-54-0x0000000075C81000-0x0000000075C83000-memory.dmp
    Filesize

    8KB

    Download