Overview

Task tabs, with the score badge each tab carries (file names truncated as on the page):
  Overview (7)
  Static (3)
  Cryptic Re...ok.dll, windows7-x64 (1)
  Cryptic Re...ok.dll, windows10-2004-x64 (1)
  Cryptic Re....4.exe, windows7-x64 (7)
  Cryptic Re....4.exe, windows10-2004-x64 (7)
  Cryptic Re...ts.dll, windows7-x64 (1)
  Cryptic Re...ts.dll, windows10-2004-x64 (1)
  Cryptic Re...ch.dll, windows7-x64 (1)
  Cryptic Re...ch.dll, windows10-2004-x64 (1)

Analysis
  max time kernel: 121s
  max time network: 128s
  platform: windows7_x64
  resource: win7-20240611-en
  resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  submitted: 21-06-2024 08:19

This page reports the behavioral3 run: Cryptic Release V1.4.4/Cryptic Release V1.4.exe on win7-20240611-en. The ByfronHook.dll, assets.dll and bin/autoattach.dll tasks listed below are separate runs with their own reports.
  Task         Sample                                             Resource
  static1      (static task)                                      -
  behavioral1  Cryptic Release V1.4.4/ByfronHook.dll              win7-20231129-en
  behavioral2  Cryptic Release V1.4.4/ByfronHook.dll              win10v2004-20240226-en
  behavioral3  Cryptic Release V1.4.4/Cryptic Release V1.4.exe    win7-20240611-en
  behavioral4  Cryptic Release V1.4.4/Cryptic Release V1.4.exe    win10v2004-20240508-en
  behavioral5  Cryptic Release V1.4.4/assets.dll                  win7-20240220-en
  behavioral6  Cryptic Release V1.4.4/assets.dll                  win10v2004-20240611-en
  behavioral7  Cryptic Release V1.4.4/bin/autoattach.dll          win7-20240221-en
  behavioral8  Cryptic Release V1.4.4/bin/autoattach.dll          win10v2004-20240508-en
General

  Target: Cryptic Release V1.4.4/Cryptic Release V1.4.exe
  Size: 8.5MB
  MD5: 3be927d08df2f452185bc35ae5709617
  SHA1: e287ba2e481f3768678317e87099afdef4186294
  SHA256: f99d78317fe908e8f863563f5b8662c21185dd256120b534dd3a3a842557fc3c
  SHA512: 89490ed120cb8f73359a0a8f2b47957fcd55631f6b61e8ee9a7363d7792ecb3cb012270071949fd903b73792b4c83adc331dd3a02998c8789bd6198b95ee4a5f
  SSDEEP: 196608:BB8BYmuJfX5aL0o/gGuwDfsBJcXIsEIKcmc3FzVT9tdVX:B2YmqfX5yIFwATcXIsGVc1zVTjdV
Malware Config

  (nothing listed)

Signatures

  Executes dropped EXE (2 IoCs)
    pid   process
    2652  hex.exe
    2776  hex.exe

  Loads dropped DLL (3 IoCs)
    pid   process
    1724  Cryptic Release V1.4.exe
    2652  hex.exe
    2776  hex.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

  Suspicious behavior: EnumeratesProcesses (1 IoC)
    pid   process
    1668  powershell.exe

  Suspicious use of AdjustPrivilegeToken (1 IoC)
    description              pid   process
    Token: SeDebugPrivilege  1668  powershell.exe

    Both of the powershell.exe entries above are attributed to PID 1668, whose only visible activity in this run is the encoded command shown in the process tree; on their own they are typical of a PowerShell host starting up and do not indicate a second payload.

  Suspicious use of WriteProcessMemory (11 IoCs)
    parent pid  parent process             target pid  target process   events
    1724        Cryptic Release V1.4.exe   1668        powershell.exe   4
    1724        Cryptic Release V1.4.exe   2652        hex.exe          4
    2652        hex.exe                    2776        hex.exe          3

    Every parent/target pair here is also a parent/child pair in the process tree. A parent writing into a child it has just created is part of ordinary CreateProcess startup (the process parameters are written into the new process before its first thread runs), so these events are consistent with plain process spawning and are not by themselves evidence of code injection into an unrelated process.
Processes

  C:\Users\Admin\AppData\Local\Temp\Cryptic Release V1.4.4\Cryptic Release V1.4.exe  (PID 1724)
    command line: "C:\Users\Admin\AppData\Local\Temp\Cryptic Release V1.4.4\Cryptic Release V1.4.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1668)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAaAB4ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGYAZwBtACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBHAEcALwBDAFIAWQBQAFQASQBDAFMAJwAsACcAJwAsACcATwBLACcALAAnAFcAYQByAG4AaQBuAGcAJwApADwAIwBwAGcAeQAjAD4A"
      - Command and Scripting Interpreter: PowerShell (T1059.001)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\hex.exe  (PID 2652)
      command line: "C:\Users\Admin\AppData\Local\Temp\hex.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\onefile_2652_133634316414482000\hex.exe  (PID 2776)
        command line: "C:\Users\Admin\AppData\Local\Temp\hex.exe"
        - Executes dropped EXE
        - Loads dropped DLL

Notes on the tree:

  The -EncodedCommand argument is base64 over UTF-16LE text. Decoded, PID 1668 ran:
    <#xhx#>Add-Type -AssemblyName System.Windows.Forms;<#fgm#>[System.Windows.Forms.MessageBox]::Show('.GG/CRYPTICS','','OK','Warning')<#pgy#>
  That is a Windows Forms message box with the text ".GG/CRYPTICS", an empty caption, an OK button and the Warning icon. The <#xhx#>, <#fgm#> and <#pgy#> fragments are empty block comments spliced between the statements; they do nothing at runtime and only change the encoded string.

  The command line names C:\Windows\System32\...\powershell.exe but the image that actually ran lives under C:\Windows\SysWOW64. That substitution is WOW64 file system redirection, which only applies to 32-bit callers, so the parent Cryptic Release V1.4.exe is a 32-bit process (the resource tags list arch:x86 alongside arch:x64).

  hex.exe (PID 2652) is dropped into %TEMP% and then re-executed from a directory named onefile_<its own PID>_<number>; the command line of the child (PID 2776) still reads C:\Users\Admin\AppData\Local\Temp\hex.exe. Read as a Windows FILETIME, 133634316414482000 converts to 2024-06-21 08:20:41 UTC, shortly after the submission time recorded above.
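Two checks a reviewer would run on this process tree, given here as an added example rather than anything from the Triage report or the sample itself: decode the -EncodedCommand value of PID 1668 (base64 over UTF-16LE, which is what powershell.exe expects) and strip its empty block comments, then convert the number in PID 2776's onefile_2652_133634316414482000 directory as a Windows FILETIME and compare it with the submission time. Both inputs are copied from the tree above. The function names are mine, and reading the directory as onefile_<pid>_<FILETIME> is an assumption: that layout is what Nuitka's onefile bootstrap uses by default, but nothing on this page identifies the packer, and the submission time is assumed to be UTC.

```python
"""Offline checks on a Triage process tree: -EncodedCommand decoding and
onefile_<pid>_<filetime> directory parsing. Inputs copied from the report."""
import base64
import re
from datetime import datetime, timedelta, timezone

# Verbatim -EncodedCommand argument of powershell.exe (PID 1668).
ENCODED_COMMAND = "PAAjAHgAaAB4ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGYAZwBtACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcALgBHAEcALwBDAFIAWQBQAFQASQBDAFMAJwAsACcAJwAsACcATwBLACcALAAnAFcAYQByAG4AaQBuAGcAJwApADwAIwBwAGcAeQAjAD4A"

# Image path of the second hex.exe (PID 2776) and the PID of its parent.
ONEFILE_PATH = r"C:\Users\Admin\AppData\Local\Temp\onefile_2652_133634316414482000\hex.exe"
ONEFILE_PARENT_PID = 2652

# "submitted: 21-06-2024 08:19" from the Analysis block; assumed to be UTC.
SUBMITTED = datetime(2024, 6, 21, 8, 19, tzinfo=timezone.utc)

# PowerShell block comments <# ... #>; non-greedy so adjacent comments stay separate.
_BLOCK_COMMENT = re.compile(r"<#.*?#>", re.S)

# Assumed directory layout: onefile_<pid>_<FILETIME ticks>.
_ONEFILE_DIR = re.compile(r"[\\/]onefile_(\d+)_(\d+)[\\/]")

# FILETIME counts 100 ns intervals since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_encoded_command(b64: str) -> str:
    """Reverse what powershell.exe -EncodedCommand does: base64 -> UTF-16LE."""
    raw = base64.b64decode(b64, validate=True)
    return raw.decode("utf-16-le")


def strip_block_comments(script: str) -> str:
    """Remove <# ... #> comments so the executable statements stand alone."""
    return _BLOCK_COMMENT.sub("", script)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a Windows FILETIME tick count to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_onefile_dir(path: str):
    """Return (pid, datetime) from an onefile_<pid>_<filetime> path, or None."""
    m = _ONEFILE_DIR.search(path)
    if m is None:
        return None
    return int(m.group(1)), filetime_to_datetime(int(m.group(2)))


def check_onefile(path: str, parent_pid: int, submitted: datetime) -> dict:
    """Cross-check the embedded PID against the parent and the FILETIME
    against the submission time; returns the findings for the analyst."""
    parsed = parse_onefile_dir(path)
    if parsed is None:
        return {"matched": False}
    pid, when = parsed
    return {
        "matched": True,
        "pid": pid,
        "pid_is_parent": pid == parent_pid,
        "created_utc": when,
        "seconds_after_submission": (when - submitted).total_seconds(),
    }


if __name__ == "__main__":
    script = decode_encoded_command(ENCODED_COMMAND)
    print("decoded:", script)
    print("without comments:", strip_block_comments(script))
    print(check_onefile(ONEFILE_PATH, ONEFILE_PARENT_PID, SUBMITTED))
```

The PID embedded in the directory name should equal the parent's PID (2652 here) if the first hex.exe really unpacked itself into that directory, and the FILETIME should fall a short time after submission; a large gap or a mismatched PID would mean the directory came from somewhere else and deserves a closer look.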
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 4.2MB
  MD5: 384349987b60775d6fc3a6d202c3e1bd
  SHA1: 701cb80c55f859ad4a31c53aa744a00d61e467e5
  SHA256: f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8
  SHA512: 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

  Filesize: 8.5MB
  MD5: 9b21bdd0a71fa719388923513b4b5527
  SHA1: 62111bac05573f689c5098b4a902c5a68dfd8fd7
  SHA256: 33b1633d1caa4f584a23604d0313c1832d67c29fb46a735b60a353afae898e3d
  SHA512: d2006df7e81fefea2ae8a52367e7f439299e9277dfaf7018e4f2dbb5b2e600308fb159bbb1bd5ab843ef2716be2c145fd0a8af0c67d295dd6a7411252c56dc24

  Filesize: 11.0MB
  MD5: 7206826cbefb2418f63d26c4a63a0425
  SHA1: 3d3532fc1afe8b288344c7ac863ca87e78235155
  SHA256: 552e34c38a39d4d2dcf0db1bd20fa8b85723acbf157de6c91b046dfef1d10a88
  SHA512: 0f695b64c4199be8717dc00f58371bd319122bb942a0b29cdc9f360b37e3c9d0617dc638ca9c2318ce0d714242845a482eb95ce96b064191008053160ac44fe9

The listing does not name the dropped files. Note that the 8.5MB entry (MD5 9b21bdd0a71fa719388923513b4b5527) is not the submitted sample, whose MD5 is 3be927d08df2f452185bc35ae5709617; matching rounded sizes are not a match.