Analysis
max time kernel: 40s
max time network: 50s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-03-2023 22:37
Static task: static1
Behavioral task: behavioral1
  Sample: Crespo_Loader.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Crespo_Loader.exe
  Resource: win10v2004-20230220-en
General
Target: Crespo_Loader.exe
Size: 1.3MB
MD5: 1564a6c09efd13e7d9276ea68657a7a2
SHA1: 89afd7e12daec09e498cdce31c42af7d3b644833
SHA256: 2e8bdeba54ea809da1b6be4a1d1154067cd3b996165952042924da2930896dcd
SHA512: 6c21ecdb7fb3d16daa00015bdf4f7afbefd1d1f472a16dc60095ee5b396b6c2c4dc0b31ade9214ea0a7f497360bc8100cd28f8e1d887aad783c8fec84249c761
SSDEEP: 24576:VVgSy3IRUovmtgOzAz/PTP8DdCJ1Jz1b1Ga4Xr6w9KH3eyHl/pvW5HNtoKSkLzUU:VVymUkKo/IDdMz11WrgJ/I1NtpL
Malware Config
Signatures
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Crespo_Loader.exe: Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  Processes:
    6PPCUcL4.exe (PID 3020)
- VMProtect packed file (yara rule match)
  Resources:
    C:\Users\Admin\AppData\Roaming\CrespoBaseMenu\DLLs\Crespo.dll: vmprotect
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Crespo_Loader.exe (PID 4284): Token: SeDebugPrivilege
    6PPCUcL4.exe (PID 3020): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
    Crespo_Loader.exe (PID 4284) wrote to memory of 6PPCUcL4.exe (PID 3020)
    Crespo_Loader.exe (PID 4284) wrote to memory of 6PPCUcL4.exe (PID 3020)
Processes
- C:\Users\Admin\AppData\Local\Temp\Crespo_Loader.exe (PID 4284)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Crespo_Loader.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\6PPCUcL4.exe (PID 3020, child of 4284)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6PPCUcL4.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Crespo\Logs\Loader.txt
  Filesize: 53B
  MD5: b7e811a27ef5ff499fde3fbb035b3b2c
  SHA1: 7cbc2f841f29c75444fef772179994c8b21c6285
  SHA256: dbb28ad12f0eb8b22fc274ac63e402f950389685e50aedab5e78c94dd71a870d
  SHA512: 4bd925aa267a0ab0e335d77cdd1e7078e11fccacf39b69de8389de7995c887c869626c81232665fe63286e8f82d68f9016700876334f0e47624f85a24c846953
- C:\Users\Admin\AppData\Local\Temp\6PPCUcL4.exe
  Filesize: 1.4MB
  MD5: d36e2ba2c7d7f5080a9fcac564906b56
  SHA1: 1fe7fecb88addc4a0b7200671bfda300c83633cd
  SHA256: 621aafceb98966f0c7def8585c1f961c07b1ff90a47513a798466d419fba78cf
  SHA512: 6070f9f8cb503fe1c4fcfbc9f69d4cc58f19d6c9a97fc0f16ee9b53bda88ad0993b6ebf6933ebb0616fba68a7c99f106c68c20f8f24f463d89fbf10451367884
- C:\Users\Admin\AppData\Roaming\CrespoBaseMenu\DLLs\Crespo.dll
  Filesize: 2.2MB
  MD5: 429f01b5b5efcf13ddd46dbf98e8a181
  SHA1: 0fa819f68ca47f4e0b61e20df02bceda7b3d4046
  SHA256: c181c4987b4cf8bd3102c93203517cc48261cc5071f3c6098f1ad086fe8c3ee5
  SHA512: 5a3003225294ec5b1cd54fd9f8da5ddf11a95a2195bef3c64c4ba8792ff5a8e0c73b64140658781d6606077afa42b206ce88dacdcb7a7778132542642a334c0d
Memory dumps
- memory/3020-156: 0x00000173D3C30000-0x00000173D3D9C000 (1.4MB)
- memory/3020-157: 0x00000173EE1A0000-0x00000173EE1B0000 (64KB)
- memory/3020-158: 0x00000173EE1A0000-0x00000173EE1B0000 (64KB)
- memory/3020-159: 0x00000173EE1A0000-0x00000173EE1B0000 (64KB)
- memory/3020-165: 0x00000173EE1A0000-0x00000173EE1B0000 (64KB)
- memory/3020-166: 0x00000173EE1A0000-0x00000173EE1B0000 (64KB)
- memory/3020-167: 0x00000173EE1A0000-0x00000173EE1B0000 (64KB)
- memory/3020-168: 0x00000173EE1A0000-0x00000173EE1B0000 (64KB)
- memory/3020-169: 0x00000173EE1A0000-0x00000173EE1B0000 (64KB)
- memory/4284-133: 0x00000178061E0000-0x0000017806336000 (1.3MB)
- memory/4284-134: 0x0000017820B80000-0x0000017820B90000 (64KB)
- memory/4284-135: 0x0000017820B80000-0x0000017820B90000 (64KB)
- memory/4284-136: 0x0000017820B80000-0x0000017820B90000 (64KB)
- memory/4284-141: 0x0000017820B80000-0x0000017820B90000 (64KB)
- memory/4284-142: 0x0000017820B80000-0x0000017820B90000 (64KB)
- memory/4284-143: 0x0000017820B80000-0x0000017820B90000 (64KB)