b15b8f5084c6f4d36a13faec27e5a9bdda32c3363c89d4fc6581ddc77b77124f

General

Target

d72b7cee304cbda22d62f3b7121e1144.exe
Size

782KB
MD5

d72b7cee304cbda22d62f3b7121e1144
SHA1

d0fffc4e213bb8d2bb8071a849e1566a58a2f64c
SHA256

b15b8f5084c6f4d36a13faec27e5a9bdda32c3363c89d4fc6581ddc77b77124f
SHA512

b41df8c485de0609402141c4623b9e4af2f4fec0f4ea12c6f37946b9d68457f3d7b51d8190573598a0178ba9986d13e1f0fe5150e5f7d0d43d074adc8c07d91c
SSDEEP

24576:hawMnT83b4O9mmdGo93+ILJed0OGAG6BlB:tMnT8LncKUAw0Lf6Bv

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2532	svchost.exe
1148	d72b7cee304cbda22d62f3b7121e1144.exe
2644	crypt raider - demo.exe
2360	svchost.exe

Loads dropped DLL 9 IoCs

pid	Process
2532	svchost.exe
2532	svchost.exe
1148	d72b7cee304cbda22d62f3b7121e1144.exe
1148	d72b7cee304cbda22d62f3b7121e1144.exe
1148	d72b7cee304cbda22d62f3b7121e1144.exe
1148	d72b7cee304cbda22d62f3b7121e1144.exe
1148	d72b7cee304cbda22d62f3b7121e1144.exe
2644	crypt raider - demo.exe
2644	crypt raider - demo.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	d72b7cee304cbda22d62f3b7121e1144.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2644	crypt raider - demo.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2644	crypt raider - demo.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1148	d72b7cee304cbda22d62f3b7121e1144.exe
1148	d72b7cee304cbda22d62f3b7121e1144.exe
1148	d72b7cee304cbda22d62f3b7121e1144.exe
2644	crypt raider - demo.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2532	2056	d72b7cee304cbda22d62f3b7121e1144.exe	27
PID 2056 wrote to memory of 2532	2056	d72b7cee304cbda22d62f3b7121e1144.exe	27
PID 2056 wrote to memory of 2532	2056	d72b7cee304cbda22d62f3b7121e1144.exe	27
PID 2056 wrote to memory of 2532	2056	d72b7cee304cbda22d62f3b7121e1144.exe	27
PID 2532 wrote to memory of 1148	2532	svchost.exe	28
PID 2532 wrote to memory of 1148	2532	svchost.exe	28
PID 2532 wrote to memory of 1148	2532	svchost.exe	28
PID 2532 wrote to memory of 1148	2532	svchost.exe	28
PID 1148 wrote to memory of 2644	1148	d72b7cee304cbda22d62f3b7121e1144.exe	29
PID 1148 wrote to memory of 2644	1148	d72b7cee304cbda22d62f3b7121e1144.exe	29
PID 1148 wrote to memory of 2644	1148	d72b7cee304cbda22d62f3b7121e1144.exe	29
PID 1148 wrote to memory of 2644	1148	d72b7cee304cbda22d62f3b7121e1144.exe	29
PID 1148 wrote to memory of 2644	1148	d72b7cee304cbda22d62f3b7121e1144.exe	29
PID 1148 wrote to memory of 2644	1148	d72b7cee304cbda22d62f3b7121e1144.exe	29
PID 1148 wrote to memory of 2644	1148	d72b7cee304cbda22d62f3b7121e1144.exe	29

C:\Users\Admin\AppData\Local\Temp\d72b7cee304cbda22d62f3b7121e1144.exe
"C:\Users\Admin\AppData\Local\Temp\d72b7cee304cbda22d62f3b7121e1144.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\d72b7cee304cbda22d62f3b7121e1144.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\d72b7cee304cbda22d62f3b7121e1144.exe
    "C:\Users\Admin\AppData\Local\Temp\d72b7cee304cbda22d62f3b7121e1144.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\crypt raider - demo.exe
      "C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\crypt raider - demo.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2644

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\crypt raider - demo.exe

Filesize
837KB

MD5
11c7929ae1ca3810c75c88263eecd8bf

SHA1
8e3150822d48ae0ca2241d0fc1ec3ffa37a9e1bc

SHA256
7c9981d1c2cdd141e3201d104b84a8fe50f43e8d4214e7d63ee836ef9ac54581

SHA512
78d29b7a122f0062ac70e3f41d2d0aaf151edcca40631b5be748c2b17bbbc9b93f67b59daeab9a0cc84ea56f4ebd7e6bed7f79b50843280bce478cd12b982c55

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
345861f739ef259c33abc7ef49b81694

SHA1
3b6aff327d91e66a207c0557eac6ddefab104598

SHA256
fc3220611aded768e37b125c4e4d5a8ffdbf7dfa8d8c19c07c7791b486457948

SHA512
7b0aae948a594f29125a3e80f6c2b51421cda07f5ee4554538037f12b87d4b3937ee74fb400505efcd2a953c897a49d79d875148516dcef619c514251854dfad

Download Submit
\Users\Admin\AppData\Local\Temp\HYQVAR\UTILITY.DLL

Filesize
92KB

MD5
6f8ddb577f991476a76c3bf75bada7d5

SHA1
8649eca2ef21cba121ed732942277edd5a13aeaa

SHA256
51b0ea60d8c1930d64ec515a46cb7547353dc6e6aeef98d23137e7a49fbdd38e

SHA512
ba5895b122d8811de895b9270400b12adfdc7ca40370058b4ac77c215cec6f20505e3fd1a2deef03a6b7d13a0e13151e7f1043e186bd179b6b9e7e8ab10de2c8

Download Submit
\Users\Admin\AppData\Local\Temp\Jgl_Rt\crypt raider - demo.exe

Filesize
704KB

MD5
86aa5cb71e6ffe8055fae742e13fd07b

SHA1
148eec39d4217fcab7586a0336266d492c4acaab

SHA256
523b20c5a71c96553fbfdf79bb9e5ecb87414699a94b25ab4553b0c4c9fc9649

SHA512
91d65fb9c38fcf6177e152c64adbfbcc4b51922a4cd9c09a0fe50f217fe8b0f336c0bd5b448caa5bc8b8b41081f423ede9dfcf532911575f6977f656e4137569

Download Submit
\Users\Admin\AppData\Local\Temp\Jgl_Rt\crypt raider - demo.exe

Filesize
64KB

MD5
57b245cdd9996ae382afb20556e9b078

SHA1
cd78fdb8788fc8186ff26418b7115d1bbd575026

SHA256
d1e8b54797ebd8cdfeb066648799dc4ead607c28122b6bbe1230fc6ac508caca

SHA512
4332b1f197be9780c07bec9c8dd884fbbbcd3427002fbe5283f67fcc3e9d4381ccc3f9e86b4f6d1928df0199c0e172ba5e8a9158a11d3794e91b1e7d81f9bd5b

Download Submit
\Users\Admin\AppData\Local\Temp\Jgl_Rt\jesterrun0.dll

Filesize
22KB

MD5
3c090bac965ee3543728d16b87a4d29f

SHA1
859fbb59a7d8468100d20fd120a100d555651438

SHA256
e54391a41a9a2807f1f5117a5e2947e9bc2875ae91fa2ac8868d26a3208d7d39

SHA512
de351362ee253d63a4eea0f66cb5172bd219c51774e58186add730e6f752b94a7ae0ef4bafc22aa260532410a75bc9c01d7355c3d707168683f3e925d68a2dd8

Download Submit
\Users\Admin\AppData\Local\Temp\d72b7cee304cbda22d62f3b7121e1144.exe

Filesize
747KB

MD5
e2b0f7109b15e26932be848d47a3e931

SHA1
98aa37f694ae66593cda119b7ea8784d12522556

SHA256
79a3e0a0da3b493cc81d243877ecaf62a7b1296e46ab48366ffc6ad466e54179

SHA512
df280c0c2ff81d91cbfa1b46a1fa8aec7b3c12768c6137d547f41833ea437cc7bd8c23ae80891078d5e62c2461f0c11b19c9c30acfbd9d9261e03445104d9e1b

Download Submit
memory/1148-38-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1148-39-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1148-76-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1148-77-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2056-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2360-75-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2360-93-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2532-37-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2644-72-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing