2918a745f6d94ae4a7f962d2bacfea746d24776ea199b0cc913ba9cc9b5c873f

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cryostasis_PhysX_Patch.exe
Size

189.2MB
MD5

7d07729f2f0cafb33ef25289a688db3e
SHA1

6c0f75ebf589c673e7e71c2e739e85e54bbe7180
SHA256

2918a745f6d94ae4a7f962d2bacfea746d24776ea199b0cc913ba9cc9b5c873f
SHA512

57eff454564724075ac2a45b46a26f9eae6788db8b01380ca7b2620dad45a0bc2cf41861f9a853917b1b7a0c473be6876c6c1da60518d1ae1a6180d148f22ecd
SSDEEP

3145728:TzBdmr/KO9//8VxKqmABKipoWqHCTR7cAYBCnxHvH2pPa+dTmR2/YhropnO:fe/KOZ/8VxvtKQ1dwynxHvAPa+dmWYCO

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4992	ISBEW64.exe

Loads dropped DLL 10 IoCs

pid	Process
2700	Cryostasis_PhysX_Patch.exe
2700	Cryostasis_PhysX_Patch.exe
2700	Cryostasis_PhysX_Patch.exe
2700	Cryostasis_PhysX_Patch.exe
2700	Cryostasis_PhysX_Patch.exe
2700	Cryostasis_PhysX_Patch.exe
2700	Cryostasis_PhysX_Patch.exe
2700	Cryostasis_PhysX_Patch.exe
2700	Cryostasis_PhysX_Patch.exe
2700	Cryostasis_PhysX_Patch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cryostasis_PhysX_Patch.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 4992	2700	Cryostasis_PhysX_Patch.exe	92
PID 2700 wrote to memory of 4992	2700	Cryostasis_PhysX_Patch.exe	92

C:\Users\Admin\AppData\Local\Temp\Cryostasis_PhysX_Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Cryostasis_PhysX_Patch.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\{B06F036E-90D2-4FBE-9B4A-42E17CB2B031}\ISBEW64.exe
  C:\Users\Admin\AppData\Local\Temp\{B06F036E-90D2-4FBE-9B4A-42E17CB2B031}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D2F73058-1632-4BB9-B8B0-1B07E3480B48}
  2⤵
  - Executes dropped EXE
  PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{B06F036E-90D2-4FBE-9B4A-42E17CB2B031}\ISBEW64.exe

Filesize
117KB

MD5
8407fc98ee367ccb196894f7cd218792

SHA1
6f280cf374fba172426b8912170b5cbafe3d88cd

SHA256
e1890e4ef7fe9c2242e1fa65da8162687c893d1a025fef254b827940d03a0d5a

SHA512
5850b48b374cb243d6eacf011f11e31050ff04118939424804a62e52da335cea6a7ea8dc363d49895ea29929b518c69dccc8320074693e7b50540580d477956c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B06F036E-90D2-4FBE-9B4A-42E17CB2B031}\{DA01A022-8D25-49FF-9765-F34338A0C281}\DIFxData.ini

Filesize
86B

MD5
10baa5b67536f4433f37534b9c8bb828

SHA1
82e5c34b1279afda223b639b49078d03c52875f5

SHA256
1b9fd5c1f18357bd459be20bfcbf47ee18fa0c5d5cc42f6aed2705d5868b65f4

SHA512
49c6798ebb3b6137cafb78b88350d02094367523dcf8f9e580de1941e514b8b3df786d1d817090e5dab80ac4d0d015796b2ce28b296db31d111e0d0bbaeebb37

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B06F036E-90D2-4FBE-9B4A-42E17CB2B031}\{DA01A022-8D25-49FF-9765-F34338A0C281}\EULA.rtf

Filesize
31KB

MD5
89a1e70fde8f2f5edbd1b3c2628f2433

SHA1
1a4a0e7e2c03116e8757419590c931922ddc17dd

SHA256
50cb2ca8317f9afdb0b474e7a0a396a6ca42d4f8d73a7cb304426f4bb2ab0523

SHA512
3a47b7c72fb99634ef314fff51c7c178b6f596d3698a9129b2612b91feb910585f07df369679c94df7be494da0298d78bef22fc026c370302f1c23631e0e6a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B06F036E-90D2-4FBE-9B4A-42E17CB2B031}\{DA01A022-8D25-49FF-9765-F34338A0C281}\FontData.ini

Filesize
39B

MD5
00f313e3e007599349a0c4d81c7807c4

SHA1
f0171f15aab836a1979d3833e46b5e59e4ea32e0

SHA256
766ee687d90b0217eb41cb85aca04375bdc24db986a33536631f864b7ce1a08a

SHA512
8bb25a62c0b1640dec36403a493ed54c05f7cde7b7357c8faea785a79c4b76bbe6a3d6fe78db52b558a37abac90c2b2e8b13868a76294554d51670e9fa8764ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B06F036E-90D2-4FBE-9B4A-42E17CB2B031}\{DA01A022-8D25-49FF-9765-F34338A0C281}\_ISUser.dll

Filesize
12KB

MD5
fbbf34e28c677354c00b70f96443b685

SHA1
816c77f8878614b460eedfacbb2b276d0803e54c

SHA256
a0000c157cd9aba4f76e58a385ac23e6967bad2b03668ae53794d004c3bed4d2

SHA512
e92d893475666c427a184390f1f01da20fc610a8a264da79f3b92d4a6b1b9388776c379510c0e159431cad2258593300e04f51d05abbc215b1ed8a50d36eb9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B06F036E-90D2-4FBE-9B4A-42E17CB2B031}\{DA01A022-8D25-49FF-9765-F34338A0C281}\_IsRes.dll

Filesize
123KB

MD5
898515a4ae2fb9d74ae2a905cf82b074

SHA1
ed751342f4bbd131de393975e08019ea56355107

SHA256
ed38584275b7248ce51254bc34fbe247af641c416660342689d19e6559623b13

SHA512
35ab0a7082cbfd90324748b539b521791ea644eeddb6042f3a47e4d98eb22721d133442acb1b33a4c90fd72a560892ab2978c29edebe94e443a13c6116f17ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B06F036E-90D2-4FBE-9B4A-42E17CB2B031}\{DA01A022-8D25-49FF-9765-F34338A0C281}\isrt.dll

Filesize
216KB

MD5
77a3125a2059f39a9bef961953a8db8d

SHA1
2ffb52f60c570d1d73caab095f3784dc8454e5e6

SHA256
d6cd68fa4468878d8bc045ea518235f7c6cbebbd525486ddcec7d1069d83f119

SHA512
00863cb19420f4764ab0f71ae0d788e22ad340d9f7aa074bda2f8fd8317012567e46335802fdfc800f671c22c1e74618819613c4adb6adeeaa2e74cd66401605

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B06F036E-90D2-4FBE-9B4A-42E17CB2B031}\{DA01A022-8D25-49FF-9765-F34338A0C281}\setup.inx

Filesize
210KB

MD5
6231e1f99daf59341f6bbc0caf5f0bc8

SHA1
cc2e10109363b1a04af70554f48ca86f0eec66c9

SHA256
8a7089e4cf9ca4644eacf895e2ffe6b04aa49a0ff3245c258a16708f68009545

SHA512
5a692d88bbc77db13561e210750c888e58abc243b153434b162c321aba0f50a53ba6f0b083593a62e09794aa165e3eed32e1bac1849e9a4dff361d646f7bc654

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FC65A50B-D938-46D2-B9D1-506614E688F8}\Disk1\ISSetup.dll

Filesize
523KB

MD5
6c48e05107eb494620ab0dc96d3c5b80

SHA1
e6ced277de082bd8e2ccbfad7a1d5cd1e9db85ab

SHA256
13223e7fbeb3dac968de77e6be974a36f86dc07884cc0e80eabf8b817ccb4a04

SHA512
983e3d3012114af3da009c5d46ce467c7a9c6023766b54afe58137654bb5a1c1eda2fd1ff4b1902102e8315b80557efa58dbcf01641dde07924285bd015a196a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FC65A50B-D938-46D2-B9D1-506614E688F8}\_Setup.dll

Filesize
324KB

MD5
200bede8248e5b0b238b8d2c89b92aaf

SHA1
916a9d3bbf46a808dec38e66b059e21edd9f8fb5

SHA256
0f5f4e003f4666ddc29a6cdd640a7d3b59687de1ccc54ad0dd30f1b701d7eb6a

SHA512
6797d64b2f4601b74b7b52e130fae7a83c0cd85654bf3de6bb41ce3f08425cc9688e6b3075510147a97e100939ee899bf6fbddc7e86f533fdd8f098369be5632

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FC65A50B-D938-46D2-B9D1-506614E688F8}\setup.ini

Filesize
546B

MD5
3a93305f98d9f7ef16a25fe89073ebce

SHA1
af52fd2c6d96782dcf0f1ca5f3e07114f3c3d8d0

SHA256
3029ae1cefd8a78fdf6d167edd9d0fa10fe31af8ad051f39053fb3fbf570afc4

SHA512
f871d465752f43df9e41ba0e53c0349ed6962887a96ce5a4f439670fd912b787fd4d0f60939444a70af7157c0715dde474004ccf4f984ee117353517ecb7528a

Download Submit
memory/2700-104-0x0000000005340000-0x00000000053C7000-memory.dmp

Filesize
540KB

Download
memory/2700-106-0x0000000002750000-0x00000000028E1000-memory.dmp

Filesize
1.6MB

Download
memory/2700-28-0x0000000002750000-0x00000000028E1000-memory.dmp

Filesize
1.6MB

Download
memory/2700-119-0x0000000005600000-0x000000000568F000-memory.dmp

Filesize
572KB

Download
memory/2700-121-0x0000000002750000-0x00000000028E1000-memory.dmp

Filesize
1.6MB

Download
memory/2700-29-0x0000000000AA0000-0x0000000000AA2000-memory.dmp

Filesize
8KB

Download
memory/2700-30-0x00000000028DF000-0x00000000028E0000-memory.dmp

Filesize
4KB

Download
memory/2700-25-0x0000000002750000-0x00000000028E1000-memory.dmp

Filesize
1.6MB

Download
memory/2700-144-0x0000000002750000-0x00000000028E1000-memory.dmp

Filesize
1.6MB

Download
memory/2700-145-0x0000000005340000-0x00000000053C7000-memory.dmp

Filesize
540KB

Download