fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de

Analysis

max time kernel
177s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de.exe
Size

894KB
MD5

535c08605abd1ad8fccb60413115ec93
SHA1

5ff71dab382fbe4e6159baa65ac7b013e5637fae
SHA256

fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de
SHA512

67545f4daea9636fba9825c0b4a94977e59286a0fe8d7786fac92e6810d5a81e34f4f4c6f8fd8729c04ddac881c0fb7d6f48058ee4c02d206450e6959cb9b5da
SSDEEP

24576:MyZGrihlF2cBRkppKgcIYfzZCvFohVUwO:MIGOhlNkppKFIYfzZGFw+w

Score

9^/10

cryptone packer persistence

Malware Config

Signatures

CryptOne packer 6 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\e0vboai3z8f7iqdcvj7vakejv.exe	cryptone
C:\Users\Admin\AppData\Local\Temp\e0vboai3z8f7iqdcvj7vakejv.exe	cryptone
C:\Users\Admin\AppData\Local\bfodhna.exe	cryptone
C:\Users\Admin\AppData\Local\bfodhna.exe	cryptone
C:\Users\Admin\AppData\Local\mdvfjceo.exe	cryptone
C:\Users\Admin\AppData\Local\mdvfjceo.exe	cryptone

Executes dropped EXE 3 IoCs

Processes:

e0vboai3z8f7iqdcvj7vakejv.exebfodhna.exemdvfjceo.exe

pid process

4592 e0vboai3z8f7iqdcvj7vakejv.exe
5904 bfodhna.exe
2300 mdvfjceo.exe

pid	process
4592	e0vboai3z8f7iqdcvj7vakejv.exe
5904	bfodhna.exe
2300	mdvfjceo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e0vboai3z8f7iqdcvj7vakejv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bus Gateway Base Publication Collector = "C:\\Users\\Admin\\AppData\\Local\\bfodhna.exe"	e0vboai3z8f7iqdcvj7vakejv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bfodhna.exemdvfjceo.exe

pid	process
5904	bfodhna.exe
5904	bfodhna.exe
2300	mdvfjceo.exe
2300	mdvfjceo.exe
5904	bfodhna.exe
5904	bfodhna.exe
2300	mdvfjceo.exe
2300	mdvfjceo.exe
2300	mdvfjceo.exe
2300	mdvfjceo.exe
2300	mdvfjceo.exe
2300	mdvfjceo.exe
5904	bfodhna.exe
5904	bfodhna.exe
2300	mdvfjceo.exe
2300	mdvfjceo.exe
5904	bfodhna.exe
5904	bfodhna.exe
2300	mdvfjceo.exe
2300	mdvfjceo.exe
5904	bfodhna.exe
5904	bfodhna.exe
2300	mdvfjceo.exe
2300	mdvfjceo.exe
5904	bfodhna.exe
5904	bfodhna.exe
2300	mdvfjceo.exe
2300	mdvfjceo.exe
5904	bfodhna.exe
5904	bfodhna.exe
2300	mdvfjceo.exe
2300	mdvfjceo.exe
5904	bfodhna.exe
5904	bfodhna.exe
2300	mdvfjceo.exe
2300	mdvfjceo.exe
5904	bfodhna.exe
5904	bfodhna.exe
2300	mdvfjceo.exe
2300	mdvfjceo.exe
5904	bfodhna.exe
5904	bfodhna.exe
2300	mdvfjceo.exe
2300	mdvfjceo.exe
5904	bfodhna.exe
5904	bfodhna.exe
2300	mdvfjceo.exe
2300	mdvfjceo.exe
5904	bfodhna.exe
5904	bfodhna.exe
2300	mdvfjceo.exe
2300	mdvfjceo.exe
5904	bfodhna.exe
5904	bfodhna.exe
2300	mdvfjceo.exe
2300	mdvfjceo.exe
5904	bfodhna.exe
5904	bfodhna.exe
2300	mdvfjceo.exe
2300	mdvfjceo.exe
5904	bfodhna.exe
5904	bfodhna.exe
2300	mdvfjceo.exe
2300	mdvfjceo.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de.exee0vboai3z8f7iqdcvj7vakejv.exebfodhna.exe

description	pid	process	target process
PID 4404 wrote to memory of 4592	4404	fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de.exe	e0vboai3z8f7iqdcvj7vakejv.exe
PID 4404 wrote to memory of 4592	4404	fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de.exe	e0vboai3z8f7iqdcvj7vakejv.exe
PID 4404 wrote to memory of 4592	4404	fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de.exe	e0vboai3z8f7iqdcvj7vakejv.exe
PID 4592 wrote to memory of 5904	4592	e0vboai3z8f7iqdcvj7vakejv.exe	bfodhna.exe
PID 4592 wrote to memory of 5904	4592	e0vboai3z8f7iqdcvj7vakejv.exe	bfodhna.exe
PID 4592 wrote to memory of 5904	4592	e0vboai3z8f7iqdcvj7vakejv.exe	bfodhna.exe
PID 5904 wrote to memory of 2300	5904	bfodhna.exe	mdvfjceo.exe
PID 5904 wrote to memory of 2300	5904	bfodhna.exe	mdvfjceo.exe
PID 5904 wrote to memory of 2300	5904	bfodhna.exe	mdvfjceo.exe

C:\Users\Admin\AppData\Local\Temp\fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de.exe
"C:\Users\Admin\AppData\Local\Temp\fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4404

C:\Users\Admin\AppData\Local\Temp\e0vboai3z8f7iqdcvj7vakejv.exe
"C:\Users\Admin\AppData\Local\Temp\e0vboai3z8f7iqdcvj7vakejv.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4592

C:\Users\Admin\AppData\Local\bfodhna.exe
"C:\Users\Admin\AppData\Local\bfodhna.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5904

C:\Users\Admin\AppData\Local\mdvfjceo.exe
WATCHDOGPROC "c:\users\admin\appdata\local\bfodhna.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e0vboai3z8f7iqdcvj7vakejv.exe
Filesize
894KB

MD5
535c08605abd1ad8fccb60413115ec93

SHA1
5ff71dab382fbe4e6159baa65ac7b013e5637fae

SHA256
fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de

SHA512
67545f4daea9636fba9825c0b4a94977e59286a0fe8d7786fac92e6810d5a81e34f4f4c6f8fd8729c04ddac881c0fb7d6f48058ee4c02d206450e6959cb9b5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0vboai3z8f7iqdcvj7vakejv.exe
Filesize
894KB

MD5
535c08605abd1ad8fccb60413115ec93

SHA1
5ff71dab382fbe4e6159baa65ac7b013e5637fae

SHA256
fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de

SHA512
67545f4daea9636fba9825c0b4a94977e59286a0fe8d7786fac92e6810d5a81e34f4f4c6f8fd8729c04ddac881c0fb7d6f48058ee4c02d206450e6959cb9b5da

Download Submit
C:\Users\Admin\AppData\Local\bfodhna.exe
Filesize
894KB

MD5
535c08605abd1ad8fccb60413115ec93

SHA1
5ff71dab382fbe4e6159baa65ac7b013e5637fae

SHA256
fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de

SHA512
67545f4daea9636fba9825c0b4a94977e59286a0fe8d7786fac92e6810d5a81e34f4f4c6f8fd8729c04ddac881c0fb7d6f48058ee4c02d206450e6959cb9b5da

Download Submit
C:\Users\Admin\AppData\Local\bfodhna.exe
Filesize
894KB

MD5
535c08605abd1ad8fccb60413115ec93

SHA1
5ff71dab382fbe4e6159baa65ac7b013e5637fae

SHA256
fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de

SHA512
67545f4daea9636fba9825c0b4a94977e59286a0fe8d7786fac92e6810d5a81e34f4f4c6f8fd8729c04ddac881c0fb7d6f48058ee4c02d206450e6959cb9b5da

Download Submit
C:\Users\Admin\AppData\Local\mdvfjceo.exe
Filesize
894KB

MD5
535c08605abd1ad8fccb60413115ec93

SHA1
5ff71dab382fbe4e6159baa65ac7b013e5637fae

SHA256
fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de

SHA512
67545f4daea9636fba9825c0b4a94977e59286a0fe8d7786fac92e6810d5a81e34f4f4c6f8fd8729c04ddac881c0fb7d6f48058ee4c02d206450e6959cb9b5da

Download Submit
C:\Users\Admin\AppData\Local\mdvfjceo.exe
Filesize
894KB

MD5
535c08605abd1ad8fccb60413115ec93

SHA1
5ff71dab382fbe4e6159baa65ac7b013e5637fae

SHA256
fce657bfcddcdd0b59110e713fd3688ca5e7d4e4efd375d5f780c86412e6a0de

SHA512
67545f4daea9636fba9825c0b4a94977e59286a0fe8d7786fac92e6810d5a81e34f4f4c6f8fd8729c04ddac881c0fb7d6f48058ee4c02d206450e6959cb9b5da

Download Submit
C:\Users\Admin\AppData\Local\ptgfukh\etc
Filesize
10B

MD5
019981d7155717870b8a4bb77e5818fe

SHA1
03a39922fa816da8edbf8f58c43ea7fb0e961f7d

SHA256
4a8bbe987237ea27beea0c6477f82118045564f8b13106076c61252b6c540269

SHA512
2652fd42ac5c2374368a81548c9f4276c816ceca3bc094bd24200fc5bd61bbbcb676e497dfa422b1e8252a1a6b35c44d7df44b803149dc03136ec8118bcd435e

Download Submit
C:\Users\Admin\AppData\Local\ptgfukh\rng
Filesize
4B

MD5
3bf81e2bf6dc61706efb9a6dadc5793a

SHA1
bf1bbfb3b5aaddbc5065b8440ea616d84fad8ff2

SHA256
961ae28829f0b1cfbd073eff070ac5ea8994618c0e84fab4764367464a14b854

SHA512
354f74cb52f314226a6021c5745799d05a0c8ba21246c9717b8ce211193603c4704b72332f80576d15b14d76c8f772cd5b6fa7a10acb60fab67411573f732b1c

Download Submit
C:\Users\Admin\AppData\Local\ptgfukh\tst
Filesize
10B

MD5
ccd4a74a1cd5422e0be4750ddfc50b18

SHA1
d17cae45b7628f369e3c365f4c8fac3e676b0fc4

SHA256
9b76d7b5c4e0ebc6dae483584584c0750b1b13617c993d9af525f6b8b5e5b694

SHA512
596a93653cdcc976a50c54ae8e2058a0618b7aab9b7abaa596f2d1b2ac1c25deae01149f937bd677c39aa5957abde6d5a3ec8ae0eb7f3a2a95b7686b1497d1a8

Download Submit
C:\Users\Admin\AppData\Local\ptgfukh\tst
Filesize
10B

MD5
ccd4a74a1cd5422e0be4750ddfc50b18

SHA1
d17cae45b7628f369e3c365f4c8fac3e676b0fc4

SHA256
9b76d7b5c4e0ebc6dae483584584c0750b1b13617c993d9af525f6b8b5e5b694

SHA512
596a93653cdcc976a50c54ae8e2058a0618b7aab9b7abaa596f2d1b2ac1c25deae01149f937bd677c39aa5957abde6d5a3ec8ae0eb7f3a2a95b7686b1497d1a8

Download Submit
C:\Users\Admin\AppData\Local\ptgfukh\tst
Filesize
10B

MD5
ccd4a74a1cd5422e0be4750ddfc50b18

SHA1
d17cae45b7628f369e3c365f4c8fac3e676b0fc4

SHA256
9b76d7b5c4e0ebc6dae483584584c0750b1b13617c993d9af525f6b8b5e5b694

SHA512
596a93653cdcc976a50c54ae8e2058a0618b7aab9b7abaa596f2d1b2ac1c25deae01149f937bd677c39aa5957abde6d5a3ec8ae0eb7f3a2a95b7686b1497d1a8

Download Submit
memory/2300-141-0x0000000000000000-mapping.dmp

Download
memory/4592-132-0x0000000000000000-mapping.dmp

Download
memory/5904-136-0x0000000000000000-mapping.dmp

Download