Overview
overview
10Static
static
3Cryptic Re....4.rar
windows10-2004-x64
3Cryptic Re...ok.dll
windows10-2004-x64
1Cryptic Re....4.exe
windows10-2004-x64
10Cryptic Re...ts.dll
windows10-2004-x64
1Cryptic Re...ch.dll
windows10-2004-x64
1Cryptic Re...ns.txt
windows10-2004-x64
1Cryptic Re...se.txt
windows10-2004-x64
1Cryptic Re...ts.txt
windows10-2004-x64
1General
-
Target
Cryptic Release V1.4.4.rar
-
Size
8.5MB
-
Sample
240621-j8592swhmk
-
MD5
64c985237b1a6594cda62bc549619d5f
-
SHA1
e5dd5aa111aff7d0bca9bfb275eb90ccf5cbebf4
-
SHA256
d9b85302923cf4d3f70ed1cc6ffd9823005c5020ab89d0bf2d7614f86e412008
-
SHA512
b3408a6fc2833211b4be54fc17b37b99493538375d4cc598f7777b5609fe2886828282140d18530f9073612b5b4538da57baf90743b38bd7d98d2e1703c5761d
-
SSDEEP
196608:FmHtN8DJTJ3170UAZ8oNqbNq95sHQWOJ98zvJd5PB1hba5Lg:FmHtOlt317xAZ8oNqxq95DWO3svJdlBd
Static task
static1
Behavioral task
behavioral1
Sample
Cryptic Release V1.4.4.rar
Resource
win10v2004-20240611-en
Behavioral task
behavioral2
Sample
Cryptic Release V1.4.4/ByfronHook.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
Cryptic Release V1.4.4/Cryptic Release V1.4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
Cryptic Release V1.4.4/assets.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
Cryptic Release V1.4.4/bin/autoattach.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
Cryptic Release V1.4.4/instructions.txt
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
Cryptic Release V1.4.4/license.txt
Resource
win10v2004-20240611-en
Behavioral task
behavioral8
Sample
Cryptic Release V1.4.4/workspace/Saved Scripts.txt
Resource
win10v2004-20240508-en
Malware Config
Extracted
xworm
91.92.241.69:5555
-
Install_directory
%ProgramData%
-
install_file
Windows Runtime.exe
Targets
-
-
Target
Cryptic Release V1.4.4.rar
-
Size
8.5MB
-
MD5
64c985237b1a6594cda62bc549619d5f
-
SHA1
e5dd5aa111aff7d0bca9bfb275eb90ccf5cbebf4
-
SHA256
d9b85302923cf4d3f70ed1cc6ffd9823005c5020ab89d0bf2d7614f86e412008
-
SHA512
b3408a6fc2833211b4be54fc17b37b99493538375d4cc598f7777b5609fe2886828282140d18530f9073612b5b4538da57baf90743b38bd7d98d2e1703c5761d
-
SSDEEP
196608:FmHtN8DJTJ3170UAZ8oNqbNq95sHQWOJ98zvJd5PB1hba5Lg:FmHtOlt317xAZ8oNqxq95DWO3svJdlBd
Score3/10 -
-
-
Target
Cryptic Release V1.4.4/ByfronHook.dll
-
Size
21KB
-
MD5
4e3e92823caeac1203beaa5a35d6dafc
-
SHA1
893b591d46c39e817052cd05ec969fea74da4233
-
SHA256
3811858da4b1f5e7f40d1237d7189ddca3989fa0d7b07e87c538f92975b893d2
-
SHA512
0490e800f1e5c9b38b6c9b56616290f3a7214179e6d993214e3dd742d44d1d669fe5073b5a121c588c05f3e7c0ec576798236ee94e1a9b37e1d980d1969c9d33
-
SSDEEP
384:pPLl4JbDL8XQZW8LN/4pvuBUyHVz0Ad29DtSLKZR2CF/9+8ADu/TyZdEPLe:pPh4yQZW8LNuAUyJl29DtSLKZR2m9+8m
Score1/10 -
-
-
Target
Cryptic Release V1.4.4/Cryptic Release V1.4.exe
-
Size
8.5MB
-
MD5
3be927d08df2f452185bc35ae5709617
-
SHA1
e287ba2e481f3768678317e87099afdef4186294
-
SHA256
f99d78317fe908e8f863563f5b8662c21185dd256120b534dd3a3a842557fc3c
-
SHA512
89490ed120cb8f73359a0a8f2b47957fcd55631f6b61e8ee9a7363d7792ecb3cb012270071949fd903b73792b4c83adc331dd3a02998c8789bd6198b95ee4a5f
-
SSDEEP
196608:BB8BYmuJfX5aL0o/gGuwDfsBJcXIsEIKcmc3FzVT9tdVX:B2YmqfX5yIFwATcXIsGVc1zVTjdV
-
Detect Xworm Payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
Cryptic Release V1.4.4/assets.dll
-
Size
171KB
-
MD5
bcc0b07de0a24f9701fc97d154ecd660
-
SHA1
cb5ba3b790cee940b4d18ff78e5a6cd71bdad47d
-
SHA256
672cb16128dea50e21fd2d98889e2d6a2264b654304a3f4248ebdf4c546f734a
-
SHA512
18959767986401bc877d30416e550c55e97c158f674b8f76dc9af117494e65e11d6000521f72be93c193ebd38f84d1b9578386c24911fda97507277f06ebd8e4
-
SSDEEP
3072:rN505WN505WN505WN505WN505WN505WN505WN505WN505m:rNJNJNJNJNJNJNJNJNB
Score1/10 -
-
-
Target
Cryptic Release V1.4.4/bin/autoattach.dll
-
Size
171KB
-
MD5
bcc0b07de0a24f9701fc97d154ecd660
-
SHA1
cb5ba3b790cee940b4d18ff78e5a6cd71bdad47d
-
SHA256
672cb16128dea50e21fd2d98889e2d6a2264b654304a3f4248ebdf4c546f734a
-
SHA512
18959767986401bc877d30416e550c55e97c158f674b8f76dc9af117494e65e11d6000521f72be93c193ebd38f84d1b9578386c24911fda97507277f06ebd8e4
-
SSDEEP
3072:rN505WN505WN505WN505WN505WN505WN505WN505WN505m:rNJNJNJNJNJNJNJNJNB
Score1/10 -
-
-
Target
Cryptic Release V1.4.4/instructions.txt
-
Size
350B
-
MD5
511f8a515b7613bbb254e78afdcb1288
-
SHA1
c47040632ca1c2d55d08c1faea3f77f932aac008
-
SHA256
a4473290aa30ca151cc1ff1ea3a1d76915a1975f8461e14ae43a4ad29296bd95
-
SHA512
4613866fbfa63191c22700e72bb0c54cc20f043fce3a44bdda262f5803d0d02977df8f18a5ac75cb9e0b8b25cb9ee17ec9f97a9f648da7c7a484d9b63c0f5915
Score1/10 -
-
-
Target
Cryptic Release V1.4.4/license.txt
-
Size
6KB
-
MD5
0b09566254b011d989decf0e23a902eb
-
SHA1
3ae5cd6be73daf418b8deee9c865cf78225838c9
-
SHA256
a19d58aaab15c4d0019e569d1c073d1b5286fdd37dbeee7a58a7d1ae76045ae1
-
SHA512
4e22e58f925879306261e5993039e1d84d87f8fecc0f9fdad534da55b6fd22be77e622a4077d8d521f7734e5535f66853d581155987e2f3607e2d386938c218b
-
SSDEEP
192:uEwjuKsgA4+XYdXjA+okS63vZBCSUziJm:eNs8+QRVxBRU1
Score1/10 -
-
-
Target
Cryptic Release V1.4.4/workspace/Saved Scripts.txt
-
Size
26B
-
MD5
9aab6209b47a96431718754d4bac5bea
-
SHA1
671ae2fdf7f41befc2b7fb53a3902cd2d2f35b7f
-
SHA256
d2d792f0d9bdb064f665174877454ea83f32aa0a571d223c062fb2107352481b
-
SHA512
860afec17d9e2c88df27042ad0b027c9021ce08b737d7cae39585d3398fd6ee551f81fe0f145aed90a30bec15a07d1e0731cce9c5b5db7141a6cedd42a3a1bd1
Score1/10 -
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1