c11675751bb311049da57745dbae337eafd48db2ca17c4195de23ff9eb40c5b3

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/12/2023, 12:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

271f7b27aa5a425e6968596820f5dad7.exe
Size

11.0MB
MD5

271f7b27aa5a425e6968596820f5dad7
SHA1

936eeaeb3a6637e747d03e9ee45a8f8f40283b03
SHA256

c11675751bb311049da57745dbae337eafd48db2ca17c4195de23ff9eb40c5b3
SHA512

01f40b5ab899b1ccd7cd7e3365ad1efe91040169ef418e52e27654add7281431ab944145df6753bb74306574b843c637edba85021497738dadc8d5023002ff8c
SSDEEP

196608:YzHH/QS6LUNZsxIPySsam4PYoOtwccTq+TOfR6wuTVAUbi1f0NNqfO9UNn:YzH4S0UNZmIoam4PYpmXTq+awAUWSNgp

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	271f7b27aa5a425e6968596820f5dad7.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	271f7b27aa5a425e6968596820f5dad7.exe

Executes dropped EXE 1 IoCs

pid	Process
2172	Crossbarre.exe

Loads dropped DLL 1 IoCs

pid	Process
1800	271f7b27aa5a425e6968596820f5dad7.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Microsoft\Airexpress	271f7b27aa5a425e6968596820f5dad7.exe
File created	C:\Windows\system32\Holocryptic\Crossbarre.exe	271f7b27aa5a425e6968596820f5dad7.exe
File opened for modification	C:\Windows\system32\Holocryptic\Crossbarre.exe	271f7b27aa5a425e6968596820f5dad7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2980	schtasks.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2568	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1800	271f7b27aa5a425e6968596820f5dad7.exe
2824	powershell.exe
2984	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	271f7b27aa5a425e6968596820f5dad7.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2172	Crossbarre.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 3004	1800	271f7b27aa5a425e6968596820f5dad7.exe	35
PID 1800 wrote to memory of 3004	1800	271f7b27aa5a425e6968596820f5dad7.exe	35
PID 1800 wrote to memory of 3004	1800	271f7b27aa5a425e6968596820f5dad7.exe	35
PID 1800 wrote to memory of 2664	1800	271f7b27aa5a425e6968596820f5dad7.exe	33
PID 1800 wrote to memory of 2664	1800	271f7b27aa5a425e6968596820f5dad7.exe	33
PID 1800 wrote to memory of 2664	1800	271f7b27aa5a425e6968596820f5dad7.exe	33
PID 3004 wrote to memory of 2824	3004	cmd.exe	32
PID 3004 wrote to memory of 2824	3004	cmd.exe	32
PID 3004 wrote to memory of 2824	3004	cmd.exe	32
PID 1800 wrote to memory of 2568	1800	271f7b27aa5a425e6968596820f5dad7.exe	31
PID 1800 wrote to memory of 2568	1800	271f7b27aa5a425e6968596820f5dad7.exe	31
PID 1800 wrote to memory of 2568	1800	271f7b27aa5a425e6968596820f5dad7.exe	31
PID 2664 wrote to memory of 2984	2664	cmd.exe	39
PID 2664 wrote to memory of 2984	2664	cmd.exe	39
PID 2664 wrote to memory of 2984	2664	cmd.exe	39
PID 1800 wrote to memory of 2720	1800	271f7b27aa5a425e6968596820f5dad7.exe	40
PID 1800 wrote to memory of 2720	1800	271f7b27aa5a425e6968596820f5dad7.exe	40
PID 1800 wrote to memory of 2720	1800	271f7b27aa5a425e6968596820f5dad7.exe	40
PID 1800 wrote to memory of 2980	1800	271f7b27aa5a425e6968596820f5dad7.exe	36
PID 1800 wrote to memory of 2980	1800	271f7b27aa5a425e6968596820f5dad7.exe	36
PID 1800 wrote to memory of 2980	1800	271f7b27aa5a425e6968596820f5dad7.exe	36
PID 1800 wrote to memory of 2172	1800	271f7b27aa5a425e6968596820f5dad7.exe	41
PID 1800 wrote to memory of 2172	1800	271f7b27aa5a425e6968596820f5dad7.exe	41
PID 1800 wrote to memory of 2172	1800	271f7b27aa5a425e6968596820f5dad7.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\271f7b27aa5a425e6968596820f5dad7.exe
"C:\Users\Admin\AppData\Local\Temp\271f7b27aa5a425e6968596820f5dad7.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\System32\ipconfig.exe
  "C:\Windows\System32\ipconfig.exe" flushdns
  2⤵
  - Gathers network information
  PID:2568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" #/k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Holocryptic\Crossbarre.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Holocryptic\Crossbarre.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" #/k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Microsoft\Airexpress & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /sc minute /mo 10 /tn Service /tr "C:\Windows\system32\Holocryptic\Crossbarre.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2980
- C:\Windows\system32\schtasks.exe
  "schtasks" /delete /tn Service /f
  2⤵
  PID:2720
- C:\Windows\system32\Holocryptic\Crossbarre.exe
  "C:\Windows\system32\Holocryptic\Crossbarre.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\system32\Microsoft\Airexpress
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ef55fcb4ad43ac4f4adb37d4d606300d

SHA1
83cafe6d6accb72a241101d668ab429fbbcb28d6

SHA256
b9105062ff462001bb6bb72fdc7155a1ede9e731a603440ce805a46788cf3421

SHA512
a402f143831a9186b6bcabb50f5e42442738c59b7ce62adae874a7cc6933b35199f84803af14f7a55f2264a3e3f4eebb15996621fb9f35435180916d73d22ca4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SPTSUTZ627KWGMD4T6Z3.temp

Filesize
7KB

MD5
7d751e8f9a3bc439eef4ee847d9d4dfb

SHA1
175ad3e869252f520fb0cea1400cd092a98bc26f

SHA256
efe4002d819936f93af79723e9952290132f7654d5128f4ede548347227e1093

SHA512
9bd4db474cfde6042418b42eab68e6a9b0b1f812d1f7d6ceeb32e0115c5eecb57be8ccc5b00bd180bdb10d5162dd98fca9b16176bf3dfbe658157e182901b816

Download Submit
C:\Windows\System32\Holocryptic\Crossbarre.exe

Filesize
1.2MB

MD5
d17d08bc7ac067e8615c6c5a1acb4664

SHA1
fecf47c3230ec7208e31ef8d7e9d663259272090

SHA256
37b16cede7ee2bcac0576efb47ae6b3d0a64917c2cda441c3c01fc673671cb88

SHA512
69cc1d21bd5d3c5f59c887de3e273df84baeb5269b3ffa8a19493ce0b60a8593ae56615df91788e4cfdc7902e0f7ed65edc379bdaf016515298876a04a8da0f5

Download Submit
C:\Windows\System32\Holocryptic\Crossbarre.exe

Filesize
665KB

MD5
d9cda73c8225fdf7f671aa1806e6ac1b

SHA1
3858611ac4b911c97ca5f09139c9f77ae7fbdd5a

SHA256
7a1f90a9488a026e84e38416632051383b3b32b568fd5fb489a266c524670a04

SHA512
c2b7cdddb2d82d601bcfb319cca8bbfa46e15d212555243b7034ac4d61b813a2891cfdd5f2d4bb4ea08844356a63cf404b95d48cad4a9f178b54d885d23c4289

Download Submit
C:\Windows\system32\Holocryptic\Crossbarre.exe

Filesize
356KB

MD5
7d52c5c418d985edcb42fbfbca2f5aa9

SHA1
b3a5267d8dbc60f598c003682a43731fe06449bd

SHA256
56f5fa6b72be7983557e6ab25dd5497a3dddbfc83c21158220f20fd88bcba42e

SHA512
41f9055b5e0ea6ceaf6a74c7570ee3a937fadac7a7ba5fc458a2d2d57c10a100effa941079e137cf615071a646cd32a85ef529669f926b0c7905fea9764f3dd5

Download Submit
\Windows\System32\Holocryptic\Crossbarre.exe

Filesize
712KB

MD5
ff97b25503aad587cd50fa851fdd6493

SHA1
0f462e00af0352a4ec54df5dc654e86060b8c97a

SHA256
7bb7cc727def2a14f0512f2e919438e093a992d0cc0b7129186d43c00dce414c

SHA512
4fcc2c3e338c4df3c960f647cf4a388773ddfe2dc18ebf9ce1dbf4dac24eb649b72599980df4b73ee24a5cd3edfeab3794285b504a68e7c8c01083e49e3f10fe

Download Submit
memory/1800-10-0x000000001B5C0000-0x000000001B640000-memory.dmp

Filesize
512KB

Download
memory/1800-4-0x000000001B5C0000-0x000000001B640000-memory.dmp

Filesize
512KB

Download
memory/1800-8-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/1800-9-0x000000001B5C0000-0x000000001B640000-memory.dmp

Filesize
512KB

Download
memory/1800-6-0x000000001D400000-0x000000001D4FA000-memory.dmp

Filesize
1000KB

Download
memory/1800-16-0x000000001B5C0000-0x000000001B640000-memory.dmp

Filesize
512KB

Download
memory/1800-5-0x000000001B5C0000-0x000000001B640000-memory.dmp

Filesize
512KB

Download
memory/1800-7-0x0000000002360000-0x00000000023B8000-memory.dmp

Filesize
352KB

Download
memory/1800-47-0x000000001B5C0000-0x000000001B640000-memory.dmp

Filesize
512KB

Download
memory/1800-46-0x000000001B5C0000-0x000000001B640000-memory.dmp

Filesize
512KB

Download
memory/1800-3-0x000000001B5C0000-0x000000001B640000-memory.dmp

Filesize
512KB

Download
memory/1800-0-0x0000000000C60000-0x0000000000DC8000-memory.dmp

Filesize
1.4MB

Download
memory/1800-2-0x000000001BB40000-0x000000001BC40000-memory.dmp

Filesize
1024KB

Download
memory/1800-1-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-44-0x000000001BD80000-0x000000001BE00000-memory.dmp

Filesize
512KB

Download
memory/2172-45-0x000000001BD80000-0x000000001BE00000-memory.dmp

Filesize
512KB

Download
memory/2172-55-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-56-0x00000000773C0000-0x0000000077569000-memory.dmp

Filesize
1.7MB

Download
memory/2172-53-0x000000001BD80000-0x000000001BE00000-memory.dmp

Filesize
512KB

Download
memory/2172-42-0x00000000013E0000-0x0000000001548000-memory.dmp

Filesize
1.4MB

Download
memory/2172-43-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-54-0x00000000773C0000-0x0000000077569000-memory.dmp

Filesize
1.7MB

Download
memory/2172-52-0x000000001BD80000-0x000000001BE00000-memory.dmp

Filesize
512KB

Download
memory/2172-51-0x000000001BD80000-0x000000001BE00000-memory.dmp

Filesize
512KB

Download
memory/2172-50-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2172-49-0x000000001BD80000-0x000000001BE00000-memory.dmp

Filesize
512KB

Download
memory/2824-17-0x000000001B820000-0x000000001BB02000-memory.dmp

Filesize
2.9MB

Download
memory/2824-24-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2824-30-0x000007FEEC810000-0x000007FEED1AD000-memory.dmp

Filesize
9.6MB

Download
memory/2824-29-0x0000000002CF4000-0x0000000002CF7000-memory.dmp

Filesize
12KB

Download
memory/2824-31-0x000007FEEC810000-0x000007FEED1AD000-memory.dmp

Filesize
9.6MB

Download
memory/2824-33-0x0000000002CFB000-0x0000000002D62000-memory.dmp

Filesize
412KB

Download
memory/2984-48-0x0000000002E50000-0x0000000002ED0000-memory.dmp

Filesize
512KB

Download
memory/2984-35-0x0000000002E54000-0x0000000002E57000-memory.dmp

Filesize
12KB

Download
memory/2984-32-0x000007FEEC810000-0x000007FEED1AD000-memory.dmp

Filesize
9.6MB

Download
memory/2984-34-0x0000000002E50000-0x0000000002ED0000-memory.dmp

Filesize
512KB

Download
memory/2984-36-0x0000000002E50000-0x0000000002ED0000-memory.dmp

Filesize
512KB

Download