Analysis
Max time kernel: 143s
Max time network: 124s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 16-10-2024 22:26
Behavioral task behavioral1: sample Creal.exe, resource win7-20240903-en
Behavioral task behavioral2: sample Creal.exe, resource win10v2004-20241007-en
General
Target: Creal.exe
Size: 7.3MB
MD5: b867469d2d9f97d98f60c9ea4302418a
SHA1: e67fcbb3e8043436739391efa883ec99f8eab30a
SHA256: 381116b75b5da7f4a92f21197efceb9a202ecae7b8d852dab506fbb97e2e150c
SHA512: 027cdfd76b942ac303258976c0f936bd5ef12f59a28bf2f165f6d1d6686bcd533dfff67bbcc4eac4d7eb2a631d80b7199a6599869419aaef90968417b2e6633f
SSDEEP: 196608:QL1OgOCT+aj1rpnrJehwiIbZg4TIdQNm5XKCt7o5cJwDb2:QpoCT+aoqbCdQyftBJwDb2
Malware Config
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe (process: Creal.exe)
Loads dropped DLL (35 IoCs)
  PID 3444, process Creal.exe (35 events, all from this one process)
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files (1 TTP)
  Steal credentials from unsecured files.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 11: api.ipify.org
  Flow 13: api.ipify.org
  Flow 23: api.ipify.org
Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 4032, process tasklist.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Creal.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Creal.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tasklist.exe)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4032, process tasklist.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2688 (Creal.exe) wrote to memory of PID 3444 (3 events, procid_target 84)
  PID 3444 (Creal.exe) wrote to memory of PID 4196 (3 events, procid_target 88)
  PID 4196 (cmd.exe) wrote to memory of PID 4032 (3 events, procid_target 90)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Creal.exe (PID 2688)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Creal.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\Creal.exe (PID 3444), child of PID 2688
     Command line: "C:\Users\Admin\AppData\Local\Temp\Creal.exe"
     - Drops startup file
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\cmd.exe (PID 4196), child of PID 3444
       Command line: C:\Windows\system32\cmd.exe /c "tasklist"
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\SysWOW64\tasklist.exe (PID 4032), child of PID 4196
         Command line: tasklist
         - Enumerates processes with tasklist
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
TTP mapping: MITRE ATT&CK Enterprise v15
Downloads