39211f07d03d6378742320296fe3a2566531ec085171e79e6538f426ed1bb97c | Triage

Submit
Reports

Overview

overview

9

Static

static

Etina.exe

windows7-x64

8

Etina.exe

windows10-2004-x64

9

Sharing

General

Target

Etina.exe
Size

7.9MB
Sample

221231-tvgdwahh76
MD5

4911701b9a4ec37a921d146559fdeba2
SHA1

3c1187a150a169454b232b9f7a0498463cae12a3
SHA256

39211f07d03d6378742320296fe3a2566531ec085171e79e6538f426ed1bb97c
SHA512

35c39757984d52f473ceb57f66cc1fcc94130a416aa2c2b9ba2e6e786b57c70b242a8a972b19e035775b4ab69d6d3fbdc3672b6afa306c96cdd6dd5f81a35260
SSDEEP

98304:QWmZk1jiDz4NGbSZfmQZ6QtQljrnMfWA0ISjJsibwe1BT9r51eULRPXg:QWDjiDHs2PN/JbxBT9rDeOm

Score

9^/10

cryptone discovery packer persistence

Static task

static1

Behavioral task

behavioral1

Sample

Etina.exe

Resource

win7-20220812-es

windows7-x64

15 signatures

1800 seconds

Behavioral task

behavioral2

Sample

Etina.exe

Resource

win10v2004-20220812-es

cryptone discovery packer persistence

windows10-2004-x64

29 signatures

1800 seconds

Malware Config

Targets

- Target
  
  Etina.exe
- Size
  
  7.9MB
- MD5
  
  4911701b9a4ec37a921d146559fdeba2
- SHA1
  
  3c1187a150a169454b232b9f7a0498463cae12a3
- SHA256
  
  39211f07d03d6378742320296fe3a2566531ec085171e79e6538f426ed1bb97c
- SHA512
  
  35c39757984d52f473ceb57f66cc1fcc94130a416aa2c2b9ba2e6e786b57c70b242a8a972b19e035775b4ab69d6d3fbdc3672b6afa306c96cdd6dd5f81a35260
- SSDEEP
  
  98304:QWmZk1jiDz4NGbSZfmQZ6QtQljrnMfWA0ISjJsibwe1BT9r51eULRPXg:QWDjiDHs2PN/JbxBT9rDeOm
Score

9^/10

cryptone discovery packer persistence
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- Downloads MZ/PE file
- Executes dropped EXE
- Registers COM server for autorun
  persistence
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

cryptonediscoverypackerpersistence

© 2018-2024

Terms | Privacy