2e8bdeba54ea809da1b6be4a1d1154067cd3b996165952042924da2930896dcd

General

Target

Crespo_Loader.exe
Size

1.3MB
MD5

1564a6c09efd13e7d9276ea68657a7a2
SHA1

89afd7e12daec09e498cdce31c42af7d3b644833
SHA256

2e8bdeba54ea809da1b6be4a1d1154067cd3b996165952042924da2930896dcd
SHA512

6c21ecdb7fb3d16daa00015bdf4f7afbefd1d1f472a16dc60095ee5b396b6c2c4dc0b31ade9214ea0a7f497360bc8100cd28f8e1d887aad783c8fec84249c761
SSDEEP

24576:VVgSy3IRUovmtgOzAz/PTP8DdCJ1Jz1b1Ga4Xr6w9KH3eyHl/pvW5HNtoKSkLzUU:VVymUkKo/IDdMz11WrgJ/I1NtpL

Score

8^/10

vmprotect

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Crespo_Loader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Crespo_Loader.exe

Executes dropped EXE 1 IoCs

Processes:

6PPCUcL4.exe

pid process

3020 6PPCUcL4.exe

pid	process
3020	6PPCUcL4.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\CrespoBaseMenu\DLLs\Crespo.dll	vmprotect
C:\Users\Admin\AppData\Roaming\CrespoBaseMenu\DLLs\Crespo.dll	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Crespo_Loader.exe6PPCUcL4.exe

description pid process

Token: SeDebugPrivilege 4284 Crespo_Loader.exe
Token: SeDebugPrivilege 3020 6PPCUcL4.exe

description	pid	process
Token: SeDebugPrivilege	4284	Crespo_Loader.exe
Token: SeDebugPrivilege	3020	6PPCUcL4.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

Crespo_Loader.exe

description	pid	process	target process
PID 4284 wrote to memory of 3020	4284	Crespo_Loader.exe	6PPCUcL4.exe
PID 4284 wrote to memory of 3020	4284	Crespo_Loader.exe	6PPCUcL4.exe

C:\Users\Admin\AppData\Local\Temp\Crespo_Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Crespo_Loader.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284

C:\Users\Admin\AppData\Local\Temp\6PPCUcL4.exe
"C:\Users\Admin\AppData\Local\Temp\6PPCUcL4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Crespo\Logs\Loader.txt
Filesize
53B

MD5
b7e811a27ef5ff499fde3fbb035b3b2c

SHA1
7cbc2f841f29c75444fef772179994c8b21c6285

SHA256
dbb28ad12f0eb8b22fc274ac63e402f950389685e50aedab5e78c94dd71a870d

SHA512
4bd925aa267a0ab0e335d77cdd1e7078e11fccacf39b69de8389de7995c887c869626c81232665fe63286e8f82d68f9016700876334f0e47624f85a24c846953

Download Submit
C:\Users\Admin\AppData\Local\Temp\6PPCUcL4.exe
Filesize
1.4MB

MD5
d36e2ba2c7d7f5080a9fcac564906b56

SHA1
1fe7fecb88addc4a0b7200671bfda300c83633cd

SHA256
621aafceb98966f0c7def8585c1f961c07b1ff90a47513a798466d419fba78cf

SHA512
6070f9f8cb503fe1c4fcfbc9f69d4cc58f19d6c9a97fc0f16ee9b53bda88ad0993b6ebf6933ebb0616fba68a7c99f106c68c20f8f24f463d89fbf10451367884

Download Submit
C:\Users\Admin\AppData\Local\Temp\6PPCUcL4.exe
Filesize
1.4MB

MD5
d36e2ba2c7d7f5080a9fcac564906b56

SHA1
1fe7fecb88addc4a0b7200671bfda300c83633cd

SHA256
621aafceb98966f0c7def8585c1f961c07b1ff90a47513a798466d419fba78cf

SHA512
6070f9f8cb503fe1c4fcfbc9f69d4cc58f19d6c9a97fc0f16ee9b53bda88ad0993b6ebf6933ebb0616fba68a7c99f106c68c20f8f24f463d89fbf10451367884

Download Submit
C:\Users\Admin\AppData\Local\Temp\6PPCUcL4.exe
Filesize
1.4MB

MD5
d36e2ba2c7d7f5080a9fcac564906b56

SHA1
1fe7fecb88addc4a0b7200671bfda300c83633cd

SHA256
621aafceb98966f0c7def8585c1f961c07b1ff90a47513a798466d419fba78cf

SHA512
6070f9f8cb503fe1c4fcfbc9f69d4cc58f19d6c9a97fc0f16ee9b53bda88ad0993b6ebf6933ebb0616fba68a7c99f106c68c20f8f24f463d89fbf10451367884

Download Submit
C:\Users\Admin\AppData\Roaming\CrespoBaseMenu\DLLs\Crespo.dll
Filesize
2.2MB

MD5
429f01b5b5efcf13ddd46dbf98e8a181

SHA1
0fa819f68ca47f4e0b61e20df02bceda7b3d4046

SHA256
c181c4987b4cf8bd3102c93203517cc48261cc5071f3c6098f1ad086fe8c3ee5

SHA512
5a3003225294ec5b1cd54fd9f8da5ddf11a95a2195bef3c64c4ba8792ff5a8e0c73b64140658781d6606077afa42b206ce88dacdcb7a7778132542642a334c0d

Download Submit
C:\Users\Admin\AppData\Roaming\CrespoBaseMenu\DLLs\Crespo.dll
Filesize
2.2MB

MD5
429f01b5b5efcf13ddd46dbf98e8a181

SHA1
0fa819f68ca47f4e0b61e20df02bceda7b3d4046

SHA256
c181c4987b4cf8bd3102c93203517cc48261cc5071f3c6098f1ad086fe8c3ee5

SHA512
5a3003225294ec5b1cd54fd9f8da5ddf11a95a2195bef3c64c4ba8792ff5a8e0c73b64140658781d6606077afa42b206ce88dacdcb7a7778132542642a334c0d

Download Submit
memory/3020-156-0x00000173D3C30000-0x00000173D3D9C000-memory.dmp

Filesize
1.4MB

Download
memory/3020-165-0x00000173EE1A0000-0x00000173EE1B0000-memory.dmp

Filesize
64KB

Download
memory/3020-169-0x00000173EE1A0000-0x00000173EE1B0000-memory.dmp

Filesize
64KB

Download
memory/3020-168-0x00000173EE1A0000-0x00000173EE1B0000-memory.dmp

Filesize
64KB

Download
memory/3020-167-0x00000173EE1A0000-0x00000173EE1B0000-memory.dmp

Filesize
64KB

Download
memory/3020-158-0x00000173EE1A0000-0x00000173EE1B0000-memory.dmp

Filesize
64KB

Download
memory/3020-157-0x00000173EE1A0000-0x00000173EE1B0000-memory.dmp

Filesize
64KB

Download
memory/3020-159-0x00000173EE1A0000-0x00000173EE1B0000-memory.dmp

Filesize
64KB

Download
memory/3020-166-0x00000173EE1A0000-0x00000173EE1B0000-memory.dmp

Filesize
64KB

Download
memory/4284-133-0x00000178061E0000-0x0000017806336000-memory.dmp

Filesize
1.3MB

Download
memory/4284-134-0x0000017820B80000-0x0000017820B90000-memory.dmp

Filesize
64KB

Download
memory/4284-135-0x0000017820B80000-0x0000017820B90000-memory.dmp

Filesize
64KB

Download
memory/4284-136-0x0000017820B80000-0x0000017820B90000-memory.dmp

Filesize
64KB

Download
memory/4284-143-0x0000017820B80000-0x0000017820B90000-memory.dmp

Filesize
64KB

Download
memory/4284-141-0x0000017820B80000-0x0000017820B90000-memory.dmp

Filesize
64KB

Download
memory/4284-142-0x0000017820B80000-0x0000017820B90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads