Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-08-2024 21:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe

  • Size

    2.6MB

  • MD5

    9ccb508018835587a848ddaabae897d1

  • SHA1

    2d87df0d1599d652e3478bcff975109517bf29c7

  • SHA256

    2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060

  • SHA512

    3dd58ce8f7eb8b95dcb322b9d4059176dbd77617f56a00bb40608900805f03d5adea506727501f9f0862ea54004aac67905d18103514efd29f583559f89814be

  • SSDEEP

    12288:HSprXDGV/9Ji6mqUuGybDagMKaA8SFaL4OcDb70:FleZ8bahA8KVb70

Score
10/10
discoveryevasionexecutiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe
    "C:\Users\Admin\AppData\Local\Temp\2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2792
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3480
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      2⤵
        PID:4888
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        2⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4036
        • C:\Users\Admin\Pictures\M9bktcxcT1eoar88LSY1f17O.exe
          "C:\Users\Admin\Pictures\M9bktcxcT1eoar88LSY1f17O.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3468
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        2⤵
          PID:1952

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fhrguf23.jcl.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\Pictures\C2ez0llz7goeU9kVrqVlZFJ5.exe
        Filesize

        7KB

        MD5

        77f762f953163d7639dff697104e1470

        SHA1

        ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

        SHA256

        d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

        SHA512

        d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

        Download Submit

      • C:\Users\Admin\Pictures\M9bktcxcT1eoar88LSY1f17O.exe
        Filesize

        2.5MB

        MD5

        d539940aa61b7c6fd181cc7b8fb09cb5

        SHA1

        a70e7ad61b0c8c2a6623d0a7e306f8aa5d512c75

        SHA256

        4073aa99424390d25627881d7943519ef8748b29cb9e92ff84aceafe0c86d685

        SHA512

        43be77dfce4ad87d4ee29c187d0acefcb694c1e28e5350c682e6542cc23f2a357c00431422f38cf3153edbf820497a656fe5d420230ed127bcf4f27fb6ce44f9

        Download Submit

      • memory/2792-22-0x00007FFBE2000000-0x00007FFBE2AC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2792-4-0x000001DBF9DD0000-0x000001DBF9E2C000-memory.dmp

        Filesize

        368KB

        Download

      • memory/2792-3-0x000001DBF84D0000-0x000001DBF84DE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2792-0-0x00007FFBE2003000-0x00007FFBE2005000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2792-2-0x00007FFBE2000000-0x00007FFBE2AC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2792-1-0x000001DBF8110000-0x000001DBF8126000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3468-44-0x0000000000400000-0x0000000000C33000-memory.dmp

        Filesize

        8.2MB

        Download

      • memory/3480-11-0x00007FFBE2000000-0x00007FFBE2AC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3480-10-0x000001E25F210000-0x000001E25F232000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3480-16-0x00007FFBE2000000-0x00007FFBE2AC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3480-17-0x00007FFBE2000000-0x00007FFBE2AC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3480-21-0x00007FFBE2000000-0x00007FFBE2AC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4036-18-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

        Download