d7d9d426d72d2a994839ecba5e9a08a246c0b23d7a894804f070bd18ce513e65

Resubmissions

22-09-2023 16:16

230922-tqtteabb38 7

11-04-2023 19:36

230411-ya81lsgd6x 10

11-04-2023 19:28

230411-x6tp5aeg65 7

Analysis

max time kernel
142s
max time network
121s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
11-04-2023 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

krisp-1.21.1-installer_pQow-O1.exe
Size

1.7MB
MD5

02aca2415c558b9d62d6d2c61f568f5d
SHA1

d2bb3e72371aee2d458bd2f147e56a9279e491e3
SHA256

d7d9d426d72d2a994839ecba5e9a08a246c0b23d7a894804f070bd18ce513e65
SHA512

5095f28f21a7b409d1ffb0a8e47ea741876c26436873d5ae3bb46ba6506b5f2baa866c0b3a8be61353ac3a472fe1d67bd93246509dd0c38040a0ab0ee6d7ce09
SSDEEP

24576:+7FUDowAyrTVE3U5FmxNfKzSYJMPaJPfrT90eKc4cgFLNPfs8duMpmsD:+BuZrEUeKzkwPH9RHgFLRdp/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

krisp-1.21.1-installer_pQow-O1.tmp

pid process

2592 krisp-1.21.1-installer_pQow-O1.tmp
Loads dropped DLL 2 IoCs

Processes:

krisp-1.21.1-installer_pQow-O1.tmp

pid process

2592 krisp-1.21.1-installer_pQow-O1.tmp
2592 krisp-1.21.1-installer_pQow-O1.tmp

pid	process
2592	krisp-1.21.1-installer_pQow-O1.tmp

pid	process
2592	krisp-1.21.1-installer_pQow-O1.tmp
2592	krisp-1.21.1-installer_pQow-O1.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

krisp-1.21.1-installer_pQow-O1.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	krisp-1.21.1-installer_pQow-O1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	krisp-1.21.1-installer_pQow-O1.tmp

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

krisp-1.21.1-installer_pQow-O1.exe

description	pid	process	target process
PID 4024 wrote to memory of 2592	4024	krisp-1.21.1-installer_pQow-O1.exe	krisp-1.21.1-installer_pQow-O1.tmp
PID 4024 wrote to memory of 2592	4024	krisp-1.21.1-installer_pQow-O1.exe	krisp-1.21.1-installer_pQow-O1.tmp
PID 4024 wrote to memory of 2592	4024	krisp-1.21.1-installer_pQow-O1.exe	krisp-1.21.1-installer_pQow-O1.tmp

C:\Users\Admin\AppData\Local\Temp\krisp-1.21.1-installer_pQow-O1.exe
"C:\Users\Admin\AppData\Local\Temp\krisp-1.21.1-installer_pQow-O1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Users\Admin\AppData\Local\Temp\is-2ULF0.tmp\krisp-1.21.1-installer_pQow-O1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-2ULF0.tmp\krisp-1.21.1-installer_pQow-O1.tmp" /SL5="$701E6,875199,832512,C:\Users\Admin\AppData\Local\Temp\krisp-1.21.1-installer_pQow-O1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:2592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-07GDE.tmp\mainlogo.jpg

Filesize
1KB

MD5
44ee5d39261b2dee433f25bd94636541

SHA1
5dd8ff8f152302f547afed43566f87b8485b7608

SHA256
4c33464206422caedd89aec841eba5bd97cdb09681a6fb71982c4a8cdda6468e

SHA512
00bb24405d8932fec67c66fb7feca5f79e7c22a1488682cafa582d252aabac4872c3dbc4b222dae5c95b9e062ef20910ea52bffb1c511b56cbc421f1f35d1b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2ULF0.tmp\krisp-1.21.1-installer_pQow-O1.tmp

Filesize
3.0MB

MD5
a13e891e7f1734de75ec6d3645b5604d

SHA1
3f39e07f548f9f056ba55f69cbc90bb75d0c0a05

SHA256
cbc9575ca8ebfbeaaf95bd21b2ac54956c460e975c4c9d71fee791accdedd94e

SHA512
2f74400c821d4f0f2d6386d05bfbb01da9abcd3a341a630c82a35ea976fea26ad62f1b83f27db760fd42dac1fae5dbaf2371b9e61c30e18a2e39f443b1cafdb1

Download Submit
\Users\Admin\AppData\Local\Temp\is-07GDE.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-07GDE.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
memory/2592-126-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/2592-139-0x0000000005400000-0x000000000540F000-memory.dmp

Filesize
60KB

Download
memory/2592-146-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2592-147-0x0000000005400000-0x000000000540F000-memory.dmp

Filesize
60KB

Download
memory/2592-148-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/4024-121-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4024-145-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download