2e8bdeba54ea809da1b6be4a1d1154067cd3b996165952042924da2930896dcd

General

Target

Crespo_Loader.exe
Size

1.3MB
MD5

1564a6c09efd13e7d9276ea68657a7a2
SHA1

89afd7e12daec09e498cdce31c42af7d3b644833
SHA256

2e8bdeba54ea809da1b6be4a1d1154067cd3b996165952042924da2930896dcd
SHA512

6c21ecdb7fb3d16daa00015bdf4f7afbefd1d1f472a16dc60095ee5b396b6c2c4dc0b31ade9214ea0a7f497360bc8100cd28f8e1d887aad783c8fec84249c761
SSDEEP

24576:VVgSy3IRUovmtgOzAz/PTP8DdCJ1Jz1b1Ga4Xr6w9KH3eyHl/pvW5HNtoKSkLzUU:VVymUkKo/IDdMz11WrgJ/I1NtpL

Score

8^/10

vmprotect

Malware Config

Signatures

Downloads MZ/PE file
Deletes itself 1 IoCs

Processes:

MMTDyMZR.exe

pid process

1464 MMTDyMZR.exe
Executes dropped EXE 1 IoCs

Processes:

MMTDyMZR.exe

pid process

1464 MMTDyMZR.exe

pid	process
1464	MMTDyMZR.exe

pid	process
1464	MMTDyMZR.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\CrespoBaseMenu\DLLs\Crespo.dll	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Crespo_Loader.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181182000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	Crespo_Loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Crespo_Loader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Crespo_Loader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 1900000001000000100000000b6cd9778e41ad67fd6be0a6903710440300000001000000140000006252dc40f71143a22fde9ef7348e064251b181180b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded309000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703090f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad2000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	Crespo_Loader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0400000001000000100000002c8f9f661d1890b147269d8e86828ca90f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030806082b060105050703091400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000000300000001000000140000006252dc40f71143a22fde9ef7348e064251b181181900000001000000100000000b6cd9778e41ad67fd6be0a6903710442000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	Crespo_Loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	Crespo_Loader.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

taskmgr.exe

pid	process
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

540 taskmgr.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Crespo_Loader.exeMMTDyMZR.exetaskmgr.exe

description pid process

Token: SeDebugPrivilege 1740 Crespo_Loader.exe
Token: SeDebugPrivilege 1464 MMTDyMZR.exe
Token: SeDebugPrivilege 540 taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1740	Crespo_Loader.exe
Token: SeDebugPrivilege	1464	MMTDyMZR.exe
Token: SeDebugPrivilege	540	taskmgr.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

taskmgr.exe

pid	process
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe

Suspicious use of SendNotifyMessage 29 IoCs

Processes:

taskmgr.exe

pid	process
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe
540	taskmgr.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Crespo_Loader.exe

description	pid	process	target process
PID 1740 wrote to memory of 1464	1740	Crespo_Loader.exe	MMTDyMZR.exe
PID 1740 wrote to memory of 1464	1740	Crespo_Loader.exe	MMTDyMZR.exe
PID 1740 wrote to memory of 1464	1740	Crespo_Loader.exe	MMTDyMZR.exe

C:\Users\Admin\AppData\Local\Temp\Crespo_Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Crespo_Loader.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\MMTDyMZR.exe
"C:\Users\Admin\AppData\Local\Temp\MMTDyMZR.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Crespo\Logs\Loader.txt
Filesize
53B

MD5
b7e811a27ef5ff499fde3fbb035b3b2c

SHA1
7cbc2f841f29c75444fef772179994c8b21c6285

SHA256
dbb28ad12f0eb8b22fc274ac63e402f950389685e50aedab5e78c94dd71a870d

SHA512
4bd925aa267a0ab0e335d77cdd1e7078e11fccacf39b69de8389de7995c887c869626c81232665fe63286e8f82d68f9016700876334f0e47624f85a24c846953

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMTDyMZR.exe
Filesize
1.4MB

MD5
d36e2ba2c7d7f5080a9fcac564906b56

SHA1
1fe7fecb88addc4a0b7200671bfda300c83633cd

SHA256
621aafceb98966f0c7def8585c1f961c07b1ff90a47513a798466d419fba78cf

SHA512
6070f9f8cb503fe1c4fcfbc9f69d4cc58f19d6c9a97fc0f16ee9b53bda88ad0993b6ebf6933ebb0616fba68a7c99f106c68c20f8f24f463d89fbf10451367884

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMTDyMZR.exe
Filesize
1.4MB

MD5
d36e2ba2c7d7f5080a9fcac564906b56

SHA1
1fe7fecb88addc4a0b7200671bfda300c83633cd

SHA256
621aafceb98966f0c7def8585c1f961c07b1ff90a47513a798466d419fba78cf

SHA512
6070f9f8cb503fe1c4fcfbc9f69d4cc58f19d6c9a97fc0f16ee9b53bda88ad0993b6ebf6933ebb0616fba68a7c99f106c68c20f8f24f463d89fbf10451367884

Download Submit
C:\Users\Admin\AppData\Roaming\CrespoBaseMenu\DLLs\Crespo.dll
Filesize
2.2MB

MD5
429f01b5b5efcf13ddd46dbf98e8a181

SHA1
0fa819f68ca47f4e0b61e20df02bceda7b3d4046

SHA256
c181c4987b4cf8bd3102c93203517cc48261cc5071f3c6098f1ad086fe8c3ee5

SHA512
5a3003225294ec5b1cd54fd9f8da5ddf11a95a2195bef3c64c4ba8792ff5a8e0c73b64140658781d6606077afa42b206ce88dacdcb7a7778132542642a334c0d

Download Submit
memory/540-100-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/540-99-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/540-98-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/540-97-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1464-90-0x000000001AFE0000-0x000000001B060000-memory.dmp

Filesize
512KB

Download
memory/1464-89-0x000000001AFE0000-0x000000001B060000-memory.dmp

Filesize
512KB

Download
memory/1464-91-0x000000001AFE0000-0x000000001B060000-memory.dmp

Filesize
512KB

Download
memory/1464-88-0x000000001B340000-0x000000001B6BC000-memory.dmp

Filesize
3.5MB

Download
memory/1464-87-0x0000000000DA0000-0x0000000000F0C000-memory.dmp

Filesize
1.4MB

Download
memory/1464-94-0x000000001AFE0000-0x000000001B060000-memory.dmp

Filesize
512KB

Download
memory/1464-95-0x000000001AFE0000-0x000000001B060000-memory.dmp

Filesize
512KB

Download
memory/1464-96-0x000000001AFE0000-0x000000001B060000-memory.dmp

Filesize
512KB

Download
memory/1740-54-0x00000000001F0000-0x0000000000346000-memory.dmp

Filesize
1.3MB

Download
memory/1740-81-0x000000001B010000-0x000000001B090000-memory.dmp

Filesize
512KB

Download
memory/1740-57-0x000000001B010000-0x000000001B090000-memory.dmp

Filesize
512KB

Download
memory/1740-56-0x000000001B010000-0x000000001B090000-memory.dmp

Filesize
512KB

Download
memory/1740-55-0x000000001B400000-0x000000001B758000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads