5e1d2df7f53950d309ece9fc6f2b6659697e72d3257eee1fb69fe152d936d4f8

Analysis

max time kernel
141s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 06:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cryle.exe
Size

3.1MB
MD5

aa8884aea3a2544309886a82281695cf
SHA1

f5d7370e4cba9fd88368187764eaa434629ae792
SHA256

1315e4e375f81c1cc237e3bd1ce3f2d48f1e3248ca0e3ed6660a12dec135898c
SHA512

0ae2f1767ef49d180c3b09d6e1514030583dabd508571c892fe73a052d2393dee28a8ff537b999f7ce7527187e9e168d685d2ee0d795cdccd091bf584abd5984
SSDEEP

49152:J2z6xGMRJNkgINzXN4JeeKN34F/rdrbMGTC7wVvAMZ55z85w/4GoGEzZZA9S:cz6UMRJNEFN4jrdrNw0J5a5nGo5z0s

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
448	is-7141M.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 448	4012	cryle.exe	82
PID 4012 wrote to memory of 448	4012	cryle.exe	82
PID 4012 wrote to memory of 448	4012	cryle.exe	82

C:\Users\Admin\AppData\Local\Temp\cryle.exe
"C:\Users\Admin\AppData\Local\Temp\cryle.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Users\Admin\AppData\Local\Temp\is-HCTS6.tmp\is-7141M.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HCTS6.tmp\is-7141M.tmp" /SL4 $C0066 "C:\Users\Admin\AppData\Local\Temp\cryle.exe" 2936685 52736
  2⤵
  - Executes dropped EXE
  PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-HCTS6.tmp\is-7141M.tmp

Filesize
657KB

MD5
3dafb498bb15d5260cb2c12b391a0d48

SHA1
c775ae9fdf18ab0ce38a8adffabe378f461e79a1

SHA256
c5d5f5f814c5bc4989d691442051e5e78cf1971eb9b773a7a26b438e58a73d7a

SHA512
a42f39a73bd4615490c6e33c017fa09f9992e3327d244b050b6634ad696d421170fd63ec5d5e66e92d112dc804eabd0bcd56494c9499d78fad8b46fe2ef32a31

Download Submit
memory/448-12-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/448-14-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4012-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4012-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4012-13-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download