dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb

General

Target

SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe
Size

22.7MB
MD5

bfc65ce21e22544286826e26a5ec45ef
SHA1

e27dc55c11a9b10ca3966f1f7fec14e064c7d717
SHA256

dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb
SHA512

9866b4573795264972abf7c31f7056cdc17edc4c249fba487a0c583866991cc168ecb2e8e95c6ed2bb3f9e31bd4f485ae7264e7d555dcccf573417b1b50fc7b3
SSDEEP

393216:4CniWcrE+N29tz2cDhctoqfv42GhoxAq8kZ/Pnin2um6h/rhg03X1nqW4A0ySQyG:fniWc4+N8tkv42GhoxAcs/rhtXdN4wp

Score

9^/10

cryptone discovery evasion packer trojan

Malware Config

Signatures

CryptOne packer 3 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe	cryptone
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe	cryptone
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\Flash32_29_0_0_171.ocx	cryptone

Executes dropped EXE 1 IoCs

Processes:

MiniClient.exe

pid process

2384 MiniClient.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

MiniClient.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MiniClient.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5032 2384 WerFault.exe MiniClient.exe

pid	process
2384	MiniClient.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MiniClient.exe

pid	pid_target	process	target process
5032	2384	WerFault.exe	MiniClient.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exeMiniClient.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe = "9999"	SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\MiniClient.exe = "9999"	MiniClient.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe

pid process

2740 SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe
2740 SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MiniClient.exe

pid process

2384 MiniClient.exe
2384 MiniClient.exe

pid	process
2740	SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe
2740	SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe

pid	process
2384	MiniClient.exe
2384	MiniClient.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe

description	pid	process	target process
PID 2740 wrote to memory of 2384	2740	SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe	MiniClient.exe
PID 2740 wrote to memory of 2384	2740	SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe	MiniClient.exe
PID 2740 wrote to memory of 2384	2740	SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe	MiniClient.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Trojan.InstallCore.736.14024.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2740

C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 2232
3⤵
- Program crash
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2384 -ip 2384
1⤵
PID:3232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GH_38D3.tmp
Filesize
893B

MD5
388aa031ce9226133d436591bf387a1c

SHA1
87de6709cafd46ca946a784dfe57811aa20ca02b

SHA256
cf8be59a9eb914c8248ab07bafdd3ecc45cec0e2206dd093673029c324d4a505

SHA512
945a256376dbc28f8b7dc37ec36b0279d45baee265497fc9eff9dcc558023880ee30e24c5433240d3926672114afd53e3cc44c324210249cfffd4d5aa329b8a3

Download Submit
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\Flash32_29_0_0_171.ocx
Filesize
3.6MB

MD5
cafb42ca54e905004d82e4b874336020

SHA1
677847af00d5c29434110f951427cce27449c7b9

SHA256
b05cbd2356c15ebd0229948756c5f80366cd94e38cf5f67f1ebb3a3c220552af

SHA512
22161d9786ac9ab5516aa862d96e56c85d230d1d1debf3ad27daa72534b23f4ebb7e4bf58b54e363194827c6e3478f2988dbe5961ef631e10d18a030f760e394

Download Submit
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe
Filesize
4.8MB

MD5
b80a2c21fc5dcbc874d9c5a1da38d59d

SHA1
3b0a4e1f10fa69d2a29fd057471156fc8e439dcc

SHA256
e47119edd7032aea344f84da6f15a62136f979362c7ff5282c64f6b427f8c77c

SHA512
59be185657aba9d95c3c2edd62d8e7a870dda0c324bcc6f8070d0e192f1e2c4b93baeeb49d3ba72b505b5aa5bd534432ea9082c245dc2697e0b0739aa8d88f10

Download Submit
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe
Filesize
4.2MB

MD5
a333c4bd3468784bb40ad44212f5e9dd

SHA1
c3dfa34797c194f5558c522c5d792621acf55acd

SHA256
e8fc3a3edbea84584324cc32d4cfdbe20e4608b83dfbb2e515c758631eeab36b

SHA512
b3405a3865ee6b1a3a5aa0bcbf1116b9b27f63e09a9861f0a11e121ccf9c39955fe1e080e298fa1a9b2d89090ad5df5426641f5b6116859bd76f1db6d26a4f48

Download Submit
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\cfg.ini
Filesize
167B

MD5
83ca3a223ff85522bb7089f88f7b10d0

SHA1
ab86a3dda4471691c1e7292f0449aad321cd2dc9

SHA256
00a4a5549ac1d4675e63394991d949d21bebebd0bd3dc56b822bf156a1d9bc88

SHA512
291ae1f0a23f00aee2e333d531b6a8bb7d26c0306af551832aae7b90a04a43b54bd9f8edf6114a7666f09d8fc0395c30d8657150397bac35d4bad94b5efd91cd

Download Submit
memory/2384-27-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/2740-4-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads