General

  • Target

    Crypted.exe

  • Size

    50KB

  • Sample

    240728-ye16kavdpd

  • MD5

    5dd57385d3af83d5a7160e9c14aa09f5

  • SHA1

    64aabb5a9d77cbb8768779c7f3d0231465ea29f0

  • SHA256

    1f465a7b1dac4223346ba3070599d95dcdaa071d31d0e0a301322ee4433b4b7a

  • SHA512

    05eb789f336fe6d4280b085d86774bdc6e818e822a42a9165102dcbd478d16168dbceadd786783547db37f7635a5451211daea3fd008557a1d3f0533326e9ea5

  • SSDEEP

    1536:5GuV08a0ep7+bYrVNXUsyWSBY99w399hVkrf1t0:bYrVOsyWSBY99kq5W

Malware Config

  • Extracted

    Language: ps1 (deobfuscated)
    URLs (exe.dropper):
    https://github.com/NGROKC/CTC/raw/main/SInject2.dll

  • Extracted

    Language: ps1 (deobfuscated)
    URLs (exe.dropper):
    https://github.com/NGROKC/CTC/raw/main/CTC64.dll
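An added host-triage script for the download stage recorded above (it is not part of the sandbox report, the sample, or the NGROKC/CTC repository). It takes the two dropper URLs from the extracted config, works out the raw.githubusercontent.com form the github.com/.../raw/... path redirects to (so proxy and DNS hunts cover both), then searches for files with the dropped DLL names and the sample's own file name, checks for the MZ header, hidden attribute and SHA256 match against the hashes listed on this page. The search roots and the MZ check are our assumptions; the hashes and URLs are the report's.

```powershell
# Added example, not from the sandbox report. Read-only: it never fetches the URLs.
$DropperUrls = @(
    'https://github.com/NGROKC/CTC/raw/main/SInject2.dll',
    'https://github.com/NGROKC/CTC/raw/main/CTC64.dll'
)
# SHA256 of the analysed Crypted.exe, taken from the report above.
$KnownBadSha256 = @{
    '1F465A7B1DAC4223346BA3070599D95DCDAA071D31D0E0A301322EE4433B4B7A' = 'Crypted.exe'
}

# github.com/<owner>/<repo>/raw/<ref>/<path> is served by redirect from
# raw.githubusercontent.com; emit both forms plus the file name to hunt for.
function Get-RawGithubForms {
    param([Parameter(Mandatory)][string]$Url)
    $u = [uri]$Url
    $parts = $u.AbsolutePath.Trim('/') -split '/'
    if ($u.Host -ne 'github.com' -or $parts.Count -lt 5 -or $parts[2] -ne 'raw') { return }
    $path = $parts[4..($parts.Count - 1)] -join '/'
    [pscustomobject]@{
        Owner    = $parts[0]
        Repo     = $parts[1]
        Ref      = $parts[3]
        FileName = [IO.Path]::GetFileName($path)
        Original = $Url
        RawHost  = "https://raw.githubusercontent.com/$($parts[0])/$($parts[1])/$($parts[3])/$path"
    }
}

# Look for the dropped files; -Force is needed because the sample sets files hidden.
function Find-DroppedFile {
    param(
        [Parameter(Mandatory)][string[]]$FileName,
        # Assumed search roots: user profile, ProgramData and System32 ("Drops file in System32 directory").
        [string[]]$SearchRoot = @($env:USERPROFILE, $env:ProgramData, "$env:SystemRoot\System32")
    )
    foreach ($root in $SearchRoot) {
        Get-ChildItem -Path $root -Recurse -Force -File -Include $FileName -ErrorAction SilentlyContinue |
            ForEach-Object {
                # A PE file starts with 'MZ' (0x4D 0x5A); read two bytes via .NET so this
                # works on both Windows PowerShell 5.1 and PowerShell 7.
                $magic = New-Object byte[] 2
                $fs = [IO.File]::OpenRead($_.FullName)
                try { $n = $fs.Read($magic, 0, 2) } finally { $fs.Dispose() }
                $sha = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                [pscustomobject]@{
                    Path     = $_.FullName
                    Hidden   = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    IsPE     = ($n -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)
                    SHA256   = $sha
                    KnownBad = $KnownBadSha256[$sha]
                    Written  = $_.LastWriteTimeUtc
                }
            }
    }
}

$forms = $DropperUrls | ForEach-Object { Get-RawGithubForms -Url $_ }
$forms | Format-Table Owner, Repo, Ref, FileName, RawHost -AutoSize
Find-DroppedFile -FileName ($forms.FileName + 'Crypted.exe') | Format-Table -AutoSize
```

Run it from an elevated prompt so System32 and other users' profiles are readable; an `IsPE` result of `$true` on a `.dll` name in a user-writable directory, or a `KnownBad` hit, is what to escalate on.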

Targets

    • Target

      Crypted.exe

    • Size

      50KB

    • MD5

      5dd57385d3af83d5a7160e9c14aa09f5

    • SHA1

      64aabb5a9d77cbb8768779c7f3d0231465ea29f0

    • SHA256

      1f465a7b1dac4223346ba3070599d95dcdaa071d31d0e0a301322ee4433b4b7a

    • SHA512

      05eb789f336fe6d4280b085d86774bdc6e818e822a42a9165102dcbd478d16168dbceadd786783547db37f7635a5451211daea3fd008557a1d3f0533326e9ea5

    • SSDEEP

      1536:5GuV08a0ep7+bYrVNXUsyWSBY99w399hVkrf1t0:bYrVOsyWSBY99kq5W

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring and block-at-first-seen.

    • Modifies Windows Defender Real-time Protection settings

    • r77

      r77 is an open-source, userland rootkit.

    • r77 rootkit payload

      Detects the payload of the r77 rootkit.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    • Manipulates Digital Signatures

      Attackers can modify the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

    • Sets file to hidden

      Sets file attributes so the file is not shown in Explorer and similar tools.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Command and Scripting Interpreter: PowerShell

      Executes commands through powershell.exe.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory
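An added, read-only host check for the persistence and defence-evasion behaviours listed above (it is not part of the sandbox report or of the r77 project). The registry paths are the standard Windows locations for each technique; which of them this particular sample writes is our assumption from the signature names, not something the report states. The ATT&CK IDs in the notes are the standard mappings for those locations.

```powershell
# Added example, not from the sandbox report. Reads registry and filesystem only.
$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Check, [string]$Where, [object]$Value, [string]$Note)
    $Findings.Add([pscustomobject]@{ Check = $Check; Where = $Where; Value = "$Value"; Note = $Note })
}
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Defender real-time protection and block-at-first-seen tampering (policy and live keys).
$rtpKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection',
           'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection'
foreach ($key in $rtpKeys) {
    foreach ($name in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
                      'DisableIOAVProtection', 'DisableOnAccessProtection') {
        $v = Get-RegValue $key $name
        if ($v -eq 1) { Add-Finding 'Defender RTP setting disabled' "$key\$name" $v 'T1562.001' }
    }
}
$v = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet' 'DisableBlockAtFirstSeen'
if ($v -eq 1) { Add-Finding 'Block-at-first-seen disabled' 'Spynet\DisableBlockAtFirstSeen' $v 'T1562.001' }
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $mp = Get-MpPreference
    if ($mp.DisableRealtimeMonitoring) { Add-Finding 'Defender RTP disabled (live)' 'Get-MpPreference' $true 'T1562.001' }
}

# 2. AppInit DLLs, native and WOW64 views. LoadAppInit_DLLs=1 means the list is honoured.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
    $dlls = Get-RegValue $key 'AppInit_DLLs'
    if ($dlls) {
        $load = Get-RegValue $key 'LoadAppInit_DLLs'
        Add-Finding 'AppInit_DLLs set' $key $dlls "LoadAppInit_DLLs=$load; T1546.010"
    }
}

# 3. Run/RunOnce keys and Startup folders.
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props) {
            foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
                Add-Finding 'Run key entry' "$key\$($p.Name)" $p.Value 'T1547.001; review user-writable paths'
            }
        }
    }
}
foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Startup folder file' $_.FullName $_.LastWriteTimeUtc 'T1547.001' }
}

# 4. UAC turned off.
$lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
if ($lua -eq 0) { Add-Finding 'UAC disabled' 'Policies\System\EnableLUA' $lua 'T1548.002' }

# 5. Authenticode SIP hijack: the PE verify handler must still point at wintrust.dll.
$sip = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}'
$sipDll = Get-RegValue $sip 'Dll'
if ($sipDll -and $sipDll -notmatch 'wintrust\.dll$') { Add-Finding 'SIP verify DLL replaced' $sip $sipDll 'T1553.003' }

# 6. autorun.inf at volume roots (spread via attached volumes).
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Add-Finding 'autorun.inf present' $inf (Get-Item -LiteralPath $inf -Force).Attributes 'T1091'
    }
}

$Findings | Sort-Object Check | Format-Table -AutoSize
```

Run it elevated so the HKLM policy keys and all drive roots are readable. Run key entries are listed rather than judged: compare each command line against a known-good baseline, and treat any entry that launches from a user-writable path, or a DLL in AppInit_DLLs outside System32, as the item to pull for analysis.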

MITRE ATT&CK Enterprise v15

Tasks