dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-03-2024 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe
Size

22.7MB
MD5

bfc65ce21e22544286826e26a5ec45ef
SHA1

e27dc55c11a9b10ca3966f1f7fec14e064c7d717
SHA256

dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb
SHA512

9866b4573795264972abf7c31f7056cdc17edc4c249fba487a0c583866991cc168ecb2e8e95c6ed2bb3f9e31bd4f485ae7264e7d555dcccf573417b1b50fc7b3
SSDEEP

393216:4CniWcrE+N29tz2cDhctoqfv42GhoxAq8kZ/Pnin2um6h/rhg03X1nqW4A0ySQyG:fniWc4+N8tkv42GhoxAcs/rhtXdN4wp

Score

9^/10

cryptone discovery evasion packer trojan

Malware Config

Signatures

CryptOne packer 7 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe	cryptone
\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe	cryptone
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe	cryptone
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe	cryptone
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\Flash32_29_0_0_171.ocx	cryptone
\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\Flash32_29_0_0_171.ocx	cryptone
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe	cryptone

Executes dropped EXE 1 IoCs

Processes:

MiniClient.exe

pid process

2652 MiniClient.exe

pid	process
2652	MiniClient.exe

Loads dropped DLL 3 IoCs

Processes:

dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exeMiniClient.exe

pid	process
2196	dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe
2196	dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe
2652	MiniClient.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

MiniClient.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MiniClient.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

MiniClient.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main MiniClient.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe

pid process

2196 dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MiniClient.exe

pid process

2652 MiniClient.exe
2652 MiniClient.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MiniClient.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	MiniClient.exe

pid	process
2652	MiniClient.exe
2652	MiniClient.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe

description	pid	process	target process
PID 2196 wrote to memory of 2652	2196	dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe	MiniClient.exe
PID 2196 wrote to memory of 2652	2196	dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe	MiniClient.exe
PID 2196 wrote to memory of 2652	2196	dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe	MiniClient.exe
PID 2196 wrote to memory of 2652	2196	dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe	MiniClient.exe

C:\Users\Admin\AppData\Local\Temp\dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe
"C:\Users\Admin\AppData\Local\Temp\dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2652

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GH_9D0.tmp
Filesize
893B

MD5
388aa031ce9226133d436591bf387a1c

SHA1
87de6709cafd46ca946a784dfe57811aa20ca02b

SHA256
cf8be59a9eb914c8248ab07bafdd3ecc45cec0e2206dd093673029c324d4a505

SHA512
945a256376dbc28f8b7dc37ec36b0279d45baee265497fc9eff9dcc558023880ee30e24c5433240d3926672114afd53e3cc44c324210249cfffd4d5aa329b8a3

Download Submit
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\Flash32_29_0_0_171.ocx
Filesize
8.7MB

MD5
83a711d6963599e9e643525d2f1571fa

SHA1
9f6f5bc7ebc5f2e9d4875017d7cba76d39d48756

SHA256
6b90e9b8009e39aa66bf2180d2cea1358276694dc70a977ae552f3c7843eb712

SHA512
9eeebdcf9d96032cf9b2b99f95e4345ead588b4e0b4f122585e379f565c910976ecf4ac6fe6530da6aac1de83478f783d7bca8067a16bac0001f960730d26b51

Download Submit
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe
Filesize
9.3MB

MD5
849cc23c87761a5ffa8bf9a08ca71aa9

SHA1
a3050abacd96fe930cf2a46638415927c9884e69

SHA256
fed3dacbfeadd601d40a2ab1a6f3d9983397d5d18f0ebe1acc214e331b0713bb

SHA512
a99febccc86a9485b517124c5fb2c41f9ff24e86afec82af8f69406efa42fd899c90d1d3cce633d3ff00854e01ad40ccfe054e47b513b421c1ed42ef8cfe7995

Download Submit
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe
Filesize
10.1MB

MD5
bc20d03534ce6ca048a3e1d3c5f751d4

SHA1
c9538c6bb02a3468d2f761957da6b54822a3c045

SHA256
0cccc9fd15be2efcca9c03bd13220fc77be2e6f5184e5a53ff5f46152f7b9733

SHA512
7b50fc341ef075c356f5f4494d363eac05ea4a2d832eae5e668205bad045586cc7700f78bf5ca9ff1a01433b6633288378717fddfbec2dc3b374566bbceecc83

Download Submit
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe
Filesize
22.7MB

MD5
bfc65ce21e22544286826e26a5ec45ef

SHA1
e27dc55c11a9b10ca3966f1f7fec14e064c7d717

SHA256
dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb

SHA512
9866b4573795264972abf7c31f7056cdc17edc4c249fba487a0c583866991cc168ecb2e8e95c6ed2bb3f9e31bd4f485ae7264e7d555dcccf573417b1b50fc7b3

Download Submit
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\cfg.ini
Filesize
167B

MD5
83ca3a223ff85522bb7089f88f7b10d0

SHA1
ab86a3dda4471691c1e7292f0449aad321cd2dc9

SHA256
00a4a5549ac1d4675e63394991d949d21bebebd0bd3dc56b822bf156a1d9bc88

SHA512
291ae1f0a23f00aee2e333d531b6a8bb7d26c0306af551832aae7b90a04a43b54bd9f8edf6114a7666f09d8fc0395c30d8657150397bac35d4bad94b5efd91cd

Download Submit
\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\Flash32_29_0_0_171.ocx
Filesize
9.4MB

MD5
7616529da9d5295dedb3bb25aed9059b

SHA1
834fb2e43f646cf44b86f65e4644f6e3ad5d3a00

SHA256
e98550c0391c4833a787d3084b7a2789ae715acfcbbe8a4d9781856a25a05e16

SHA512
d58a73eab4a07b8e83017e0aa28f0cc299b041e44073555409a230f7b45970e6e8f0881e221e8091f1c5fcd49b7139749832c40ae4c0172a6c332762479de4de

Download Submit
\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe
Filesize
8.7MB

MD5
1fd6ab22e4036dca9b0650ae7d45ef76

SHA1
9fd66ef567904e974d3fc68f456e2ad21c964a83

SHA256
c1219b7a789f8e734542c722daad67cb1ced578f2590783a75898a34846949ab

SHA512
6d6e8eb648d856ebdd220b8f5e41750050929976423409b2190d38c18e168b237f851dc927a8b46a724cca196c0172e8a82a83ee255b2b0a1f450ebd94dd3f63

Download Submit
\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe
Filesize
8.9MB

MD5
00501893bb7b9d171652e7e94082d617

SHA1
736b4fb2355b71d9a62f0625e3ef2fd13ea656af

SHA256
aaf38fa41a036e797def90f55cb6cdb162795eefcd1ed3afe5b2e9ca92360eff

SHA512
838201a52fb1e7ec19465a2b518fa3374d2a809960ae4fc17a0c95eae2e5ed9d3766b15affedc4304e40160c19340d1baa6276894b0b63ff3f9b860fe2b64962

Download Submit
memory/2196-4-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2652-28-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2652-42-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download