8f0b07e085dc1480df50fb3deeab387cc3008b1d1563c5c4b5294edb11010cbf

Analysis

max time kernel
153s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 10:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Crystal_Proxy_V1.5_Launcher.exe
Size

9.8MB
MD5

b49565f96a274a09b91f8b9ac69b2732
SHA1

48df856dafb42222c2ca17fcad9ef5b82bebb380
SHA256

8f0b07e085dc1480df50fb3deeab387cc3008b1d1563c5c4b5294edb11010cbf
SHA512

2a5967dc84750614b6ab1ba16d954d7093311fd59028522f8118553a8bfb19a8a299deca22d1bd13f29b3aa952a1a4a411d6e179608bf5725c4da1d15b946a3d
SSDEEP

196608:DbjVhPvAnfnERIsCbTnNXL+d+Vo4/AyyHUR044XaGwlrO9R0:zVhWPERIsCXnNXLrVoeAy2kJuwlrWR0

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Crystal_Proxy_V1.5_Launcher.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Crystal_Proxy_V1.5_Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Crystal_Proxy_V1.5_Launcher.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Crystal_Proxy_V1.5_Launcher.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Crystal_Proxy_V1.5_Launcher.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe
2300	Crystal_Proxy_V1.5_Launcher.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 3068	2300	Crystal_Proxy_V1.5_Launcher.exe	87
PID 2300 wrote to memory of 3068	2300	Crystal_Proxy_V1.5_Launcher.exe	87
PID 3068 wrote to memory of 1636	3068	cmd.exe	88
PID 3068 wrote to memory of 1636	3068	cmd.exe	88
PID 3068 wrote to memory of 1384	3068	cmd.exe	92
PID 3068 wrote to memory of 1384	3068	cmd.exe	92
PID 3068 wrote to memory of 4884	3068	cmd.exe	91
PID 3068 wrote to memory of 4884	3068	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\Crystal_Proxy_V1.5_Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Crystal_Proxy_V1.5_Launcher.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Crystal_Proxy_V1.5_Launcher.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Crystal_Proxy_V1.5_Launcher.exe" MD5
    3⤵
    PID:1636
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:4884
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2300-0-0x00007FF6EBFA0000-0x00007FF6EDB9A000-memory.dmp

Filesize
28.0MB

Download
memory/2300-3-0x00007FFC0FA90000-0x00007FFC0FC85000-memory.dmp

Filesize
2.0MB

Download
memory/2300-7-0x00007FF6EBFA0000-0x00007FF6EDB9A000-memory.dmp

Filesize
28.0MB

Download
memory/2300-8-0x00007FF6EBFA0000-0x00007FF6EDB9A000-memory.dmp

Filesize
28.0MB

Download
memory/2300-9-0x00007FF6EBFA0000-0x00007FF6EDB9A000-memory.dmp

Filesize
28.0MB

Download
memory/2300-11-0x00007FF6EBFA0000-0x00007FF6EDB9A000-memory.dmp

Filesize
28.0MB

Download
memory/2300-10-0x00007FF6EBFA0000-0x00007FF6EDB9A000-memory.dmp

Filesize
28.0MB

Download
memory/2300-12-0x00007FF6EBFA0000-0x00007FF6EDB9A000-memory.dmp

Filesize
28.0MB

Download
memory/2300-13-0x00007FFC0FA90000-0x00007FFC0FC85000-memory.dmp

Filesize
2.0MB

Download
memory/2300-14-0x00007FF6EBFA0000-0x00007FF6EDB9A000-memory.dmp

Filesize
28.0MB

Download
memory/2300-15-0x00007FF6EBFA0000-0x00007FF6EDB9A000-memory.dmp

Filesize
28.0MB

Download
memory/2300-17-0x00007FF6EBFA0000-0x00007FF6EDB9A000-memory.dmp

Filesize
28.0MB

Download
memory/2300-18-0x00007FF6EBFA0000-0x00007FF6EDB9A000-memory.dmp

Filesize
28.0MB

Download
memory/2300-23-0x00007FF6EBFA0000-0x00007FF6EDB9A000-memory.dmp

Filesize
28.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads