Analysis
max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted
21-06-2024 18:14
Static task
static1
Behavioral task
behavioral1
Sample
Cryptic Release V1.5/ByfronHook.dll
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
Cryptic Release V1.5/ByfronHook.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
Cryptic Release V1.5/assets.dll
Resource
win7-20240419-en
Behavioral task
behavioral4
Sample
Cryptic Release V1.5/assets.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
Cryptic Release V1.5/release.exe
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
Cryptic Release V1.5/release.exe
Resource
win10v2004-20240611-en
General
Target
Cryptic Release V1.5/release.exe
Size
8.5MB
MD5
f2a89cb8385047134242e5fcdfd16034
SHA1
6632f0a6b8e4851edf7360267e924de352e635eb
SHA256
1655a1e1e41125792b6e8ec88e834e61d1e5cf553308ead40d278eeba1f884d0
SHA512
5765346a0eb70c0d6ce2ced89c2f3fe896328394b0beed199e590008a407bc8e3222ce03bf2cfb2d815a87adc284148b8f9f556e0b7b52c15659c901ef74e231
SSDEEP
196608:jeYkcIRzRniyts0ZrtzvqApTjqll9HYtlFMG:6bNnisVZ9p63+tlFM
Malware Config
Signatures
Executes dropped EXE 2 IoCs
Processes:
pid   process
2768  hex.exe
2556  hex.exe

Loads dropped DLL 3 IoCs
Processes:
pid   process
2140  release.exe
2768  hex.exe
2556  hex.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid   process
1960  powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description                pid   process
Token: SeDebugPrivilege    1960  powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs
Processes:
description                          pid   process      target process
PID 2140 wrote to memory of 1960     2140  release.exe  powershell.exe   (4 entries)
PID 2140 wrote to memory of 2768     2140  release.exe  hex.exe          (4 entries)
PID 2768 wrote to memory of 2556     2768  hex.exe      hex.exe          (3 entries)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\Cryptic Release V1.5\release.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Cryptic Release V1.5\release.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2140

Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAbQBqACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHgAdQBqACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUgB1AG4AIABhAHMAIABhAGQAbQBpAG4AIABpAGYAIABpAG4AagBlAGMAdABpAG8AbgAgAGYAYQBpAGwAcwAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAcAB1AHQAIwA+AA=="
The -EncodedCommand value is base64-encoded UTF-16LE and decodes to a one-line script that pops a message box (the <#...#> blocks are empty PowerShell comments): <#smj#>Add-Type -AssemblyName System.Windows.Forms;<#xuj#>[System.Windows.Forms.MessageBox]::Show('Run as admin if injection fails','','OK','Information')<#put#>
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1960

Level 2: C:\Users\Admin\AppData\Local\Temp\hex.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\hex.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2768

Level 3: C:\Users\Admin\AppData\Local\Temp\onefile_2768_133634672606382000\hex.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\hex.exe"
- Executes dropped EXE
- Loads dropped DLL
PID: 2556
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
4.2MB
MD5 384349987b60775d6fc3a6d202c3e1bd
SHA1 701cb80c55f859ad4a31c53aa744a00d61e467e5
SHA256 f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8
SHA512 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Filesize
8.5MB
MD5 896f77cff248a1f762ccbafb4688d02c
SHA1 abbc6cd2d8e370764fe884c73ff701c4226e4e04
SHA256 5e5cf64a678d4cd65f1af306075947a2335b4db93bbabbe6473b003616e24fa8
SHA512 8d5ee14df16ad66d920015ae6c41cb19de885280bec6f1abe4cd2cc97f7b76a630973879daa3d891b1ef5533ee830dcaa40aab25ccd68a1bb582130716da0ec6

Filesize
11.0MB
MD5 623cec2f0d97350b67ab5e26b40ce945
SHA1 d6accaefbbddf75351383b21e1c709362512ebfd
SHA256 c3c01e5bda0b4f0c0222695341b59d7460510804ff64900a73a615a8314e942a
SHA512 2d49fc440c45fbcdba602ae082f7cf879d84574fd275dd0b540c59fd1ad78ef287d033a3a806037505879cae6c037206d8cd5725c37287a00cb39198e0911a09