fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de.exe
Size

894KB
MD5

535c08605abd1ad8fccb60413115ec93
SHA1

5ff71dab382fbe4e6159baa65ac7b013e5637fae
SHA256

fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de
SHA512

67545f4daea9636fba9825c0b4a94977e59286a0fe8d7786fac92e6810d5a81e34f4f4c6f8fd8729c04ddac881c0fb7d6f48058ee4c02d206450e6959cb9b5da
SSDEEP

24576:MyZGrihlF2cBRkppKgcIYfzZCvFohVUwO:MIGOhlNkppKFIYfzZGFw+w

Score

9^/10

cryptone packer persistence

Malware Config

Signatures

CryptOne packer 11 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\e0vboai48kpcqdcvj7vakejv.exe	cryptone
\Users\Admin\AppData\Local\Temp\e0vboai48kpcqdcvj7vakejv.exe	cryptone
C:\Users\Admin\AppData\Local\Temp\e0vboai48kpcqdcvj7vakejv.exe	cryptone
\??\c:\users\admin\appdata\local\temp\e0vboai48kpcqdcvj7vakejv.exe	cryptone
\Users\Admin\AppData\Local\bfodhna.exe	cryptone
\Users\Admin\AppData\Local\bfodhna.exe	cryptone
C:\Users\Admin\AppData\Local\bfodhna.exe	cryptone
\??\c:\users\admin\appdata\local\bfodhna.exe	cryptone
\Users\Admin\AppData\Local\mdvfjceo.exe	cryptone
C:\Users\Admin\AppData\Local\mdvfjceo.exe	cryptone
\Users\Admin\AppData\Local\mdvfjceo.exe	cryptone

Executes dropped EXE 3 IoCs

Processes:

e0vboai48kpcqdcvj7vakejv.exebfodhna.exemdvfjceo.exe

pid process

2692 e0vboai48kpcqdcvj7vakejv.exe
3872 bfodhna.exe
2512 mdvfjceo.exe

pid	process
2692	e0vboai48kpcqdcvj7vakejv.exe
3872	bfodhna.exe
2512	mdvfjceo.exe

Loads dropped DLL 6 IoCs

Processes:

fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de.exee0vboai48kpcqdcvj7vakejv.exebfodhna.exe

pid	process
1356	fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de.exe
1356	fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de.exe
2692	e0vboai48kpcqdcvj7vakejv.exe
2692	e0vboai48kpcqdcvj7vakejv.exe
3872	bfodhna.exe
3872	bfodhna.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e0vboai48kpcqdcvj7vakejv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bus Gateway Base Publication Collector = "C:\\Users\\Admin\\AppData\\Local\\bfodhna.exe"	e0vboai48kpcqdcvj7vakejv.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

bfodhna.exe

pid	process
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe
3872	bfodhna.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de.exee0vboai48kpcqdcvj7vakejv.exebfodhna.exe

description	pid	process	target process
PID 1356 wrote to memory of 2692	1356	fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de.exe	e0vboai48kpcqdcvj7vakejv.exe
PID 1356 wrote to memory of 2692	1356	fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de.exe	e0vboai48kpcqdcvj7vakejv.exe
PID 1356 wrote to memory of 2692	1356	fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de.exe	e0vboai48kpcqdcvj7vakejv.exe
PID 1356 wrote to memory of 2692	1356	fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de.exe	e0vboai48kpcqdcvj7vakejv.exe
PID 2692 wrote to memory of 3872	2692	e0vboai48kpcqdcvj7vakejv.exe	bfodhna.exe
PID 2692 wrote to memory of 3872	2692	e0vboai48kpcqdcvj7vakejv.exe	bfodhna.exe
PID 2692 wrote to memory of 3872	2692	e0vboai48kpcqdcvj7vakejv.exe	bfodhna.exe
PID 2692 wrote to memory of 3872	2692	e0vboai48kpcqdcvj7vakejv.exe	bfodhna.exe
PID 3872 wrote to memory of 2512	3872	bfodhna.exe	mdvfjceo.exe
PID 3872 wrote to memory of 2512	3872	bfodhna.exe	mdvfjceo.exe
PID 3872 wrote to memory of 2512	3872	bfodhna.exe	mdvfjceo.exe
PID 3872 wrote to memory of 2512	3872	bfodhna.exe	mdvfjceo.exe

C:\Users\Admin\AppData\Local\Temp\fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de.exe
"C:\Users\Admin\AppData\Local\Temp\fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\e0vboai48kpcqdcvj7vakejv.exe
"C:\Users\Admin\AppData\Local\Temp\e0vboai48kpcqdcvj7vakejv.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2692

C:\Users\Admin\AppData\Local\bfodhna.exe
"C:\Users\Admin\AppData\Local\bfodhna.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3872

C:\Users\Admin\AppData\Local\mdvfjceo.exe
WATCHDOGPROC "c:\users\admin\appdata\local\bfodhna.exe"
4⤵
- Executes dropped EXE
PID:2512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e0vboai48kpcqdcvj7vakejv.exe
Filesize
894KB

MD5
535c08605abd1ad8fccb60413115ec93

SHA1
5ff71dab382fbe4e6159baa65ac7b013e5637fae

SHA256
fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de

SHA512
67545f4daea9636fba9825c0b4a94977e59286a0fe8d7786fac92e6810d5a81e34f4f4c6f8fd8729c04ddac881c0fb7d6f48058ee4c02d206450e6959cb9b5da

Download Submit
C:\Users\Admin\AppData\Local\bfodhna.exe
Filesize
894KB

MD5
535c08605abd1ad8fccb60413115ec93

SHA1
5ff71dab382fbe4e6159baa65ac7b013e5637fae

SHA256
fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de

SHA512
67545f4daea9636fba9825c0b4a94977e59286a0fe8d7786fac92e6810d5a81e34f4f4c6f8fd8729c04ddac881c0fb7d6f48058ee4c02d206450e6959cb9b5da

Download Submit
C:\Users\Admin\AppData\Local\mdvfjceo.exe
Filesize
894KB

MD5
535c08605abd1ad8fccb60413115ec93

SHA1
5ff71dab382fbe4e6159baa65ac7b013e5637fae

SHA256
fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de

SHA512
67545f4daea9636fba9825c0b4a94977e59286a0fe8d7786fac92e6810d5a81e34f4f4c6f8fd8729c04ddac881c0fb7d6f48058ee4c02d206450e6959cb9b5da

Download Submit
C:\Users\Admin\AppData\Local\ptgfukh\etc
Filesize
10B

MD5
019981d7155717870b8a4bb77e5818fe

SHA1
03a39922fa816da8edbf8f58c43ea7fb0e961f7d

SHA256
4a8bbe987237ea27beea0c6477f82118045564f8b13106076c61252b6c540269

SHA512
2652fd42ac5c2374368a81548c9f4276c816ceca3bc094bd24200fc5bd61bbbcb676e497dfa422b1e8252a1a6b35c44d7df44b803149dc03136ec8118bcd435e

Download Submit
C:\Users\Admin\AppData\Local\ptgfukh\tst
Filesize
10B

MD5
ccd4a74a1cd5422e0be4750ddfc50b18

SHA1
d17cae45b7628f369e3c365f4c8fac3e676b0fc4

SHA256
9b76d7b5c4e0ebc6dae483584584c0750b1b13617c993d9af525f6b8b5e5b694

SHA512
596a93653cdcc976a50c54ae8e2058a0618b7aab9b7abaa596f2d1b2ac1c25deae01149f937bd677c39aa5957abde6d5a3ec8ae0eb7f3a2a95b7686b1497d1a8

Download Submit
C:\Users\Admin\AppData\Local\ptgfukh\tst
Filesize
10B

MD5
ccd4a74a1cd5422e0be4750ddfc50b18

SHA1
d17cae45b7628f369e3c365f4c8fac3e676b0fc4

SHA256
9b76d7b5c4e0ebc6dae483584584c0750b1b13617c993d9af525f6b8b5e5b694

SHA512
596a93653cdcc976a50c54ae8e2058a0618b7aab9b7abaa596f2d1b2ac1c25deae01149f937bd677c39aa5957abde6d5a3ec8ae0eb7f3a2a95b7686b1497d1a8

Download Submit
\??\c:\users\admin\appdata\local\bfodhna.exe
Filesize
894KB

MD5
535c08605abd1ad8fccb60413115ec93

SHA1
5ff71dab382fbe4e6159baa65ac7b013e5637fae

SHA256
fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de

SHA512
67545f4daea9636fba9825c0b4a94977e59286a0fe8d7786fac92e6810d5a81e34f4f4c6f8fd8729c04ddac881c0fb7d6f48058ee4c02d206450e6959cb9b5da

Download Submit
\??\c:\users\admin\appdata\local\temp\e0vboai48kpcqdcvj7vakejv.exe
Filesize
894KB

MD5
535c08605abd1ad8fccb60413115ec93

SHA1
5ff71dab382fbe4e6159baa65ac7b013e5637fae

SHA256
fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de

SHA512
67545f4daea9636fba9825c0b4a94977e59286a0fe8d7786fac92e6810d5a81e34f4f4c6f8fd8729c04ddac881c0fb7d6f48058ee4c02d206450e6959cb9b5da

Download Submit
\Users\Admin\AppData\Local\Temp\e0vboai48kpcqdcvj7vakejv.exe
Filesize
894KB

MD5
535c08605abd1ad8fccb60413115ec93

SHA1
5ff71dab382fbe4e6159baa65ac7b013e5637fae

SHA256
fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de

SHA512
67545f4daea9636fba9825c0b4a94977e59286a0fe8d7786fac92e6810d5a81e34f4f4c6f8fd8729c04ddac881c0fb7d6f48058ee4c02d206450e6959cb9b5da

Download Submit
\Users\Admin\AppData\Local\Temp\e0vboai48kpcqdcvj7vakejv.exe
Filesize
894KB

MD5
535c08605abd1ad8fccb60413115ec93

SHA1
5ff71dab382fbe4e6159baa65ac7b013e5637fae

SHA256
fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de

SHA512
67545f4daea9636fba9825c0b4a94977e59286a0fe8d7786fac92e6810d5a81e34f4f4c6f8fd8729c04ddac881c0fb7d6f48058ee4c02d206450e6959cb9b5da

Download Submit
\Users\Admin\AppData\Local\bfodhna.exe
Filesize
894KB

MD5
535c08605abd1ad8fccb60413115ec93

SHA1
5ff71dab382fbe4e6159baa65ac7b013e5637fae

SHA256
fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de

SHA512
67545f4daea9636fba9825c0b4a94977e59286a0fe8d7786fac92e6810d5a81e34f4f4c6f8fd8729c04ddac881c0fb7d6f48058ee4c02d206450e6959cb9b5da

Download Submit
\Users\Admin\AppData\Local\bfodhna.exe
Filesize
894KB

MD5
535c08605abd1ad8fccb60413115ec93

SHA1
5ff71dab382fbe4e6159baa65ac7b013e5637fae

SHA256
fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de

SHA512
67545f4daea9636fba9825c0b4a94977e59286a0fe8d7786fac92e6810d5a81e34f4f4c6f8fd8729c04ddac881c0fb7d6f48058ee4c02d206450e6959cb9b5da

Download Submit
\Users\Admin\AppData\Local\mdvfjceo.exe
Filesize
894KB

MD5
535c08605abd1ad8fccb60413115ec93

SHA1
5ff71dab382fbe4e6159baa65ac7b013e5637fae

SHA256
fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de

SHA512
67545f4daea9636fba9825c0b4a94977e59286a0fe8d7786fac92e6810d5a81e34f4f4c6f8fd8729c04ddac881c0fb7d6f48058ee4c02d206450e6959cb9b5da

Download Submit
\Users\Admin\AppData\Local\mdvfjceo.exe
Filesize
894KB

MD5
535c08605abd1ad8fccb60413115ec93

SHA1
5ff71dab382fbe4e6159baa65ac7b013e5637fae

SHA256
fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de

SHA512
67545f4daea9636fba9825c0b4a94977e59286a0fe8d7786fac92e6810d5a81e34f4f4c6f8fd8729c04ddac881c0fb7d6f48058ee4c02d206450e6959cb9b5da

Download Submit
memory/1356-54-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download
memory/2512-72-0x0000000000000000-mapping.dmp

Download
memory/2692-57-0x0000000000000000-mapping.dmp

Download
memory/3872-64-0x0000000000000000-mapping.dmp

Download