Overview

overview

10

Static

static

10

ABO.exe

windows7-x64

8

ABO.exe

windows10-2004-x64

8

ABO.exe

windows7-x64

8

ABO.exe

windows10-2004-x64

10

Adobe.exe

windows7-x64

8

Adobe.exe

windows10-2004-x64

10

CGserver.exe

windows7-x64

10

CGserver.exe

windows10-2004-x64

10

COON.exe

windows7-x64

10

COON.exe

windows10-2004-x64

8

FFA.exe

windows7-x64

10

FFA.exe

windows10-2004-x64

8

FIle Rustyz bot.exe

windows7-x64

8

FIle Rustyz bot.exe

windows10-2004-x64

8

FrostBot v1.exe

windows7-x64

10

FrostBot v1.exe

windows10-2004-x64

10

Google.exe

windows7-x64

10

Google.exe

windows10-2004-x64

10

MORPH_9359...79.exe

windows7-x64

3

MORPH_9359...79.exe

windows10-2004-x64

3

Mycrypt.exe

windows7-x64

8

Mycrypt.exe

windows10-2004-x64

10

PortChecker.exe

windows7-x64

8

PortChecker.exe

windows10-2004-x64

10

R.exe

windows7-x64

10

R.exe

windows10-2004-x64

10

RSBOT.exe

windows7-x64

RSBOT.exe

windows10-2004-x64

Rustyz.exe

windows7-x64

8

Rustyz.exe

windows10-2004-x64

10

Rustyzzbot.exe

windows7-x64

8

Rustyzzbot.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    4s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-01-2024 07:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Mycrypt.exe

  • Size

    228KB

  • MD5

    a35e683f7392d7aa6be1ac5d325a0584

  • SHA1

    7b2a3dfd0579ec4a9f61e45994a48881ebb91b49

  • SHA256

    85fac218aabc9a6d08380d6f4fbe07818c5f7c8dc1f630bb849ab5681c83d7de

  • SHA512

    7c94c1f19f793d7efe251d9c0c4df900a10b8b85a36da9c883fce2b511f5f65d107d09be777efa92a3be6c0bdd38c302acd024ee48cf836889f79dfabb069470

  • SSDEEP

    3072:R26et7TW3+lXSittze7GjsZCc8dexm1qX2Gqfkz297vslPCTjUB9LQdItu:R2BTW6ji7ZCc8dMOqX2Gb29AlPn9Mx

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mycrypt.exe
    "C:\Users\Admin\AppData\Local\Temp\Mycrypt.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Users\Admin\AppData\Local\Temp\Mycrypt.exe
      "C:\Users\Admin\AppData\Local\Temp\Mycrypt.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\spoolsv.exe" CityScape Enable
        3⤵
        • Modifies Windows Firewall
        PID:4808
      • C:\Users\Admin\AppData\Roaming\spoolsv.exe
        /d C:\Users\Admin\AppData\Local\Temp\Mycrypt.exe
        3⤵
        • Executes dropped EXE
        PID:3620
        • C:\Users\Admin\AppData\Roaming\spoolsv.exe
          C:\Users\Admin\AppData\Roaming\spoolsv.exe /d C:\Users\Admin\AppData\Local\Temp\Mycrypt.exe
          4⤵
            PID:4440

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\spoolsv.exe
      Filesize

      76KB

      MD5

      e496bf4e4988e5bb13244469e790fe07

      SHA1

      ac77df1729fee10693bca2ec7171eef7e8492501

      SHA256

      7dc863d1cbab09018b441a1714f1fbd448ed3d957659eb66d3a8929f64cb5b1c

      SHA512

      3dfe0eb3102ffc7b36b754415460daca2b062ab162d916cfa461afc70b1f2a019fcd435aeddf49c68b163e2725391a1a490e6e259c7a7a758ac73086adb905e7

      Download Submit

    • C:\Users\Admin\AppData\Roaming\spoolsv.exe
      Filesize

      49KB

      MD5

      8550e925e0c90f1c179903631019376c

      SHA1

      8127185134b984c3b87fe81b51b4e97e896534a3

      SHA256

      924408df04cb8b4cd57c5975770eefc04b94f2aef5b43ae0e6112dee8944107c

      SHA512

      53de216449a9c18e5d3ee78df0e898ff33c1e4d84f0199990a451cc124373fb3796072be6f69aa0ccc5a4734870e669485871f560883360914b59428e6f63e4a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\spoolsv.exe
      Filesize

      43KB

      MD5

      9650735ad5c916a85f013d27edc4e283

      SHA1

      0deb426763bf6629b75ad4b678e2fb31a00fa2cf

      SHA256

      ba4a298838c3268325672ef1ea3c154322da83a7af9bf69f333318afeb696f01

      SHA512

      b79273cd09ed7feb46d6dce28d4fafa3e526149711456ab8e05cd4cd8311d2943868bc604589ccc198b95389a4b43dc22537b884dcf455630098bcfcc207f36e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\wDwIgvlM
      Filesize

      31KB

      MD5

      f7e385378fe48338ac59c328555387b5

      SHA1

      254e0c79898298733ec40f9a008cb08a38f6cd9f

      SHA256

      78d8d494a34f3d938b3acc41732195286d86404cdee4531878799a5bb3f16f94

      SHA512

      4f604c29c67ed531fa0395e08ea71a308c8fdcbd11f876345e3180fa14ed9d33b61aa6c60e11ed6647eed785a8b5e688a715e05bb3ed728b876661d03681be63

      Download Submit

    • memory/1536-0-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1536-22-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1536-2-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4440-27-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4440-30-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4440-31-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4440-33-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4440-36-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4440-39-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4440-41-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4440-42-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

      Download