73f52e38ae7c9e66f702c34cbfa5d1db00852274ebfec2efdbd0d71b19a04ecd

General

Target

29161ec3f250f63d659414f8e32b0b89.exe
Size

157KB
MD5

29161ec3f250f63d659414f8e32b0b89
SHA1

35abe61fefe668d329b73a68a65d1098db5c9168
SHA256

73f52e38ae7c9e66f702c34cbfa5d1db00852274ebfec2efdbd0d71b19a04ecd
SHA512

312d2c319fffffe9c3ee888f7c485e23a443a383f4e94fa675557b1da24bc5d840fdb43eb691c8eef4fed4ba8004b1e5a9e58be83a2456a6ab5c5e1a606f0c15
SSDEEP

3072:j6CIAhi93Cxa9UbCoQNLZqy4V+H0Y9zW3IbaMvxvG1RvXcfpPPurRI:eCThi9yIisNP4TY9KiHvxvG3Ed

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2772	Cryvea.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WEK9EMDHI9 = "C:\\Windows\\Cryvea.exe"	Cryvea.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	29161ec3f250f63d659414f8e32b0b89.exe
File opened for modification	C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	29161ec3f250f63d659414f8e32b0b89.exe
File created	C:\Windows\Cryvea.exe	29161ec3f250f63d659414f8e32b0b89.exe
File opened for modification	C:\Windows\Cryvea.exe	29161ec3f250f63d659414f8e32b0b89.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2372	29161ec3f250f63d659414f8e32b0b89.exe
2772	Cryvea.exe
2772	Cryvea.exe
2772	Cryvea.exe
2772	Cryvea.exe
2772	Cryvea.exe
2772	Cryvea.exe
2772	Cryvea.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2772	2372	29161ec3f250f63d659414f8e32b0b89.exe	28
PID 2372 wrote to memory of 2772	2372	29161ec3f250f63d659414f8e32b0b89.exe	28
PID 2372 wrote to memory of 2772	2372	29161ec3f250f63d659414f8e32b0b89.exe	28
PID 2372 wrote to memory of 2772	2372	29161ec3f250f63d659414f8e32b0b89.exe	28

C:\Users\Admin\AppData\Local\Temp\29161ec3f250f63d659414f8e32b0b89.exe
"C:\Users\Admin\AppData\Local\Temp\29161ec3f250f63d659414f8e32b0b89.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\Cryvea.exe
  C:\Windows\Cryvea.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Cryvea.exe

Filesize
157KB

MD5
29161ec3f250f63d659414f8e32b0b89

SHA1
35abe61fefe668d329b73a68a65d1098db5c9168

SHA256
73f52e38ae7c9e66f702c34cbfa5d1db00852274ebfec2efdbd0d71b19a04ecd

SHA512
312d2c319fffffe9c3ee888f7c485e23a443a383f4e94fa675557b1da24bc5d840fdb43eb691c8eef4fed4ba8004b1e5a9e58be83a2456a6ab5c5e1a606f0c15

Download Submit
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Filesize
344B

MD5
6feae8d98e419952c8e08fccec49f5bf

SHA1
0885208f77bd4e256d6238d1e323683ab6a18c01

SHA256
ccaf70584bfeeb02fa0fd9b85e86baf443d4942dbbc451834afa08220c40db98

SHA512
b80eec065b7b185fec90a3576531e897a3328f26e8f95f934f928b36fec18283ba9e78afe9b758c535e7da49ea20ee89fb6567444b896916755fa2a93e98ef4f

Download Submit
memory/2372-38974-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-0-0x00000000003C0000-0x00000000003CF000-memory.dmp

Filesize
60KB

Download
memory/2372-1-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-38972-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-38978-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-38981-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-38975-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-38977-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-38979-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-38980-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-38973-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-38982-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-38983-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-38984-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-38985-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-38986-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-38987-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads