04e270571abf137c33ca3e8ca45b75a296ac3138cf5a6bf62fdac3f9e16e5847

Analysis

max time kernel
146s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02937aee76378f87115f46a1115df1e5.exe
Size

260KB
MD5

02937aee76378f87115f46a1115df1e5
SHA1

c0b29151b5524d412ff4df1d2f8dd3986de45539
SHA256

04e270571abf137c33ca3e8ca45b75a296ac3138cf5a6bf62fdac3f9e16e5847
SHA512

b2fb4236c12a34c373550258912de7713a4495ad386eecb922b25d40b784ea663723ad9aa9c220fc224285931d5c2300244ed3a99f88c5b0e3b40013c89d3c44
SSDEEP

3072:8gfAlN+wvh25n/kZoSUjMqXnpWAkpAmTSrMaIOYt/jo7LAtPhjjtZnfHFEoWBfGL:8dQgTSrMaIl/jcLijfHFEHWzXvjT85R

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	crdeaf.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	02937aee76378f87115f46a1115df1e5.exe

Executes dropped EXE 1 IoCs

pid	Process
4616	crdeaf.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /P"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /z"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /K"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /B"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /g"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /o"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /S"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /q"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /W"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /T"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /J"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /b"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /y"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /Z"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /c"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /d"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /Q"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /k"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /L"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /s"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /x"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /A"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /O"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /m"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /t"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /p"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /I"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /r"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /C"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /X"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /Y"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /G"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /e"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /f"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /N"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /j"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /R"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /n"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /U"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /E"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /D"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /h"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /M"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /i"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /F"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /H"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /u"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /a"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /l"	crdeaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crdeaf = "C:\\Users\\Admin\\crdeaf.exe /V"	crdeaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe
4616	crdeaf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3620	02937aee76378f87115f46a1115df1e5.exe
4616	crdeaf.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 4616	3620	02937aee76378f87115f46a1115df1e5.exe	92
PID 3620 wrote to memory of 4616	3620	02937aee76378f87115f46a1115df1e5.exe	92
PID 3620 wrote to memory of 4616	3620	02937aee76378f87115f46a1115df1e5.exe	92

C:\Users\Admin\AppData\Local\Temp\02937aee76378f87115f46a1115df1e5.exe
"C:\Users\Admin\AppData\Local\Temp\02937aee76378f87115f46a1115df1e5.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Users\Admin\crdeaf.exe
  "C:\Users\Admin\crdeaf.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\crdeaf.exe

Filesize
260KB

MD5
7539455da27301619bf08f013cb4d944

SHA1
6e54c33c5b70564477bf52abd0f6f01f66a8a15c

SHA256
bf756030227f7cca4a9b0b0d0c9b18fdd10809ea18c0cfe4dba7fedb3862382d

SHA512
116da51ff3cbcab3e38247f353b6608d393458a0e154aac70fc89b404a342306d88e9b89d2c0a9bf6096c42fa582c5cfac261fa9f2c0325a8667ba1083ed94a6

Download Submit