7f13bb7a4b4fdab3ee99aa40599314fb2ab48f17c02736e06894c2578b3c0a36

Resubmissions

02/02/2023, 18:40

230202-xbpgxscg53 7

02/02/2023, 18:33

230202-w7pl5afc2x 7

02/02/2023, 18:29

230202-w455psbf99 3

Analysis

max time kernel
149s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220812-es
resource tags

arch:x64arch:x86image:win10-20220812-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
02/02/2023, 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrystalLauncherN.exe
Size

1.5MB
MD5

71ce62ad6a1da34bcc3a0bca71f1e2df
SHA1

c5080fcb7b9ca8a8a267e217a4df2170eafc2bb2
SHA256

7f13bb7a4b4fdab3ee99aa40599314fb2ab48f17c02736e06894c2578b3c0a36
SHA512

f519cae4b8a71700bda63672219e1a9cf15e5a94cc2d7f1b96799144f91bd2d1e6782d637b935051ba2d08d59bf84d363921420b624fcaed21518f19b1fc1d8b
SSDEEP

12288:qXlhhEayVkv/JBdBS4msNUCe65frHMnz2R9aty+v54BgC:qXlhhUQ/bdo4mz1U8z22y+vLC

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	CrystalLauncherN.exe

C:\Users\Admin\AppData\Local\Temp\CrystalLauncherN.exe
"C:\Users\Admin\AppData\Local\Temp\CrystalLauncherN.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2596-116-0x0000025494920000-0x0000025494AB0000-memory.dmp

Filesize
1.6MB

Download
memory/2596-117-0x00000254AEE00000-0x00000254AEE78000-memory.dmp

Filesize
480KB

Download
memory/2596-118-0x0000025494DA0000-0x0000025494DB8000-memory.dmp

Filesize
96KB

Download