dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb

General

Target

dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe
Size

22.7MB
MD5

bfc65ce21e22544286826e26a5ec45ef
SHA1

e27dc55c11a9b10ca3966f1f7fec14e064c7d717
SHA256

dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb
SHA512

9866b4573795264972abf7c31f7056cdc17edc4c249fba487a0c583866991cc168ecb2e8e95c6ed2bb3f9e31bd4f485ae7264e7d555dcccf573417b1b50fc7b3
SSDEEP

393216:4CniWcrE+N29tz2cDhctoqfv42GhoxAq8kZ/Pnin2um6h/rhg03X1nqW4A0ySQyG:fniWc4+N8tkv42GhoxAcs/rhtXdN4wp

Score

9^/10

cryptone discovery evasion packer trojan

Malware Config

Signatures

CryptOne packer 3 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe	cryptone
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe	cryptone
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\Flash32_29_0_0_171.ocx	cryptone

Executes dropped EXE 1 IoCs

Processes:

MiniClient.exe

pid process

1680 MiniClient.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

MiniClient.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MiniClient.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3912 1680 WerFault.exe MiniClient.exe

pid	process
1680	MiniClient.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MiniClient.exe

pid	pid_target	process	target process
3912	1680	WerFault.exe	MiniClient.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

MiniClient.exedbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\MiniClient.exe = "9999"	MiniClient.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe = "9999"	dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe

pid	process
1456	dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe
1456	dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

MiniClient.exe

pid process

1680 MiniClient.exe
1680 MiniClient.exe

pid	process
1680	MiniClient.exe
1680	MiniClient.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe

description	pid	process	target process
PID 1456 wrote to memory of 1680	1456	dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe	MiniClient.exe
PID 1456 wrote to memory of 1680	1456	dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe	MiniClient.exe
PID 1456 wrote to memory of 1680	1456	dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe	MiniClient.exe

C:\Users\Admin\AppData\Local\Temp\dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe
"C:\Users\Admin\AppData\Local\Temp\dbea63a5288ad81e108db81ab75b9b78f60469facb9fe7ef768c6a3f7710d5eb.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 2224
3⤵
- Program crash
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1680 -ip 1680
1⤵
PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:3372

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GH_28FF.tmp
Filesize
893B

MD5
388aa031ce9226133d436591bf387a1c

SHA1
87de6709cafd46ca946a784dfe57811aa20ca02b

SHA256
cf8be59a9eb914c8248ab07bafdd3ecc45cec0e2206dd093673029c324d4a505

SHA512
945a256376dbc28f8b7dc37ec36b0279d45baee265497fc9eff9dcc558023880ee30e24c5433240d3926672114afd53e3cc44c324210249cfffd4d5aa329b8a3

Download Submit
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\Flash32_29_0_0_171.ocx
Filesize
2.5MB

MD5
b49a64e9aa251a9163042f6663e953d9

SHA1
ace2d5eea00cd79acebe372ebe3967a800681795

SHA256
043091e41185ead31210cdbebacb8c157684066d3dad029db1f43887382601ca

SHA512
45f3363b1363507b471d0521fd822afe0326758a65233e36364412be6f521fe8cfa730c4e3cb5646c6fe191bf6d078c82ad5de269523b125b92813bdc6a68411

Download Submit
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe
Filesize
3.4MB

MD5
aae39698110de18685290209183c3f6b

SHA1
3730fb9b16cd2f4c9ca3c4861a878dfceefe56eb

SHA256
7d5d1936fe81a64186de73fc1bdb9cd94a03fc01276999180a52d53dc872b268

SHA512
8bbeb7a105bb3e1f111bec280b16603fcf565ae0804963657199f1c96496fe2894c0de122a987ec5fc7cada3850eb0c665cf83da9b05f6d6ec01fd36019add17

Download Submit
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\MiniClient.exe
Filesize
3.3MB

MD5
8c3fdb46057b75e49c49af0e425bd227

SHA1
51e4c40df8c520ace32b50099de1f210599612a7

SHA256
b1a3d95dabc64ed9cf5fee49b7b2fd0a106d197a6a5c10f573404028101c5837

SHA512
f433cccc51b5399f889ad671e7f008bd02bca4fc084cfd376e711a47cdf0a6f7d04f40c507e2627c08fbdca235fa8185f4a64a983c8221511f72dc9af929d556

Download Submit
C:\Users\Admin\AppData\Roaming\WanWD-xfq-3dmgame\cfg.ini
Filesize
167B

MD5
83ca3a223ff85522bb7089f88f7b10d0

SHA1
ab86a3dda4471691c1e7292f0449aad321cd2dc9

SHA256
00a4a5549ac1d4675e63394991d949d21bebebd0bd3dc56b822bf156a1d9bc88

SHA512
291ae1f0a23f00aee2e333d531b6a8bb7d26c0306af551832aae7b90a04a43b54bd9f8edf6114a7666f09d8fc0395c30d8657150397bac35d4bad94b5efd91cd

Download Submit
memory/1456-4-0x0000000003BA0000-0x0000000003BA1000-memory.dmp

Filesize
4KB

Download
memory/1680-26-0x0000000003860000-0x0000000003861000-memory.dmp

Filesize
4KB

Download
memory/1680-39-0x0000000003860000-0x0000000003861000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads