Overview

Tasks (score in brackets; task names are truncated on the page):
- Static [10]
- setup_x86_...1).exe, windows7-x64 [3]
- setup_x86_...1).exe, windows10-2004-x64 [10]
- setup_x86_...0).exe, windows7-x64 [10]
- setup_x86_...0).exe, windows10-2004-x64 [10]
- setup_x86_...1).exe, windows7-x64 [10]
- setup_x86_...1).exe, windows10-2004-x64 [10]
- setup_x86_...2).exe, windows7-x64 [10]
- setup_x86_...2).exe, windows10-2004-x64 [10]
- setup_x86_...3).exe, windows7-x64 [10]
- setup_x86_...3).exe, windows10-2004-x64 [10]
- setup_x86_...4).exe, windows7-x64 [10]
- setup_x86_...4).exe, windows10-2004-x64 [10]
- setup_x86_...5).exe, windows7-x64 [10]
- setup_x86_...5).exe, windows10-2004-x64 [10]
- setup_x86_...6).exe, windows7-x64 [10]
- setup_x86_...6).exe, windows10-2004-x64 [10]
- setup_x86_...7).exe, windows7-x64 [10]
- setup_x86_...7).exe, windows10-2004-x64 [10]
- setup_x86_...8).exe, windows7-x64 [10]
- setup_x86_...8).exe, windows10-2004-x64 [10]
- setup_x86_...9).exe, windows7-x64 [10]
- setup_x86_...9).exe, windows10-2004-x64 [10]
- setup_x86_...2).exe, windows7-x64 [10]
- setup_x86_...2).exe, windows10-2004-x64 [10]
- setup_x86_...0).exe, windows7-x64 [10]
- setup_x86_...0).exe, windows10-2004-x64 [10]
- setup_x86_...1).exe, windows7-x64 [10]
- setup_x86_...1).exe, windows10-2004-x64 [10]
- setup_x86_...2).exe, windows7-x64 [10]
- setup_x86_...2).exe, windows10-2004-x64 [10]
- setup_x86_...3).exe, windows7-x64 [10]
- setup_x86_...3).exe, windows10-2004-x64 [10]
Analysis [10]
- max time kernel: 93s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-12-2024 01:41
Static task: static1

Behavioral tasks (task: sample, resource):
- behavioral1: setup_x86_x64_install (1).exe, win7-20240903-en
- behavioral2: setup_x86_x64_install (1).exe, win10v2004-20241007-en
- behavioral3: setup_x86_x64_install (10).exe, win7-20241010-en
- behavioral4: setup_x86_x64_install (10).exe, win10v2004-20241007-en
- behavioral5: setup_x86_x64_install (11).exe, win7-20240903-en
- behavioral6: setup_x86_x64_install (11).exe, win10v2004-20241007-en
- behavioral7: setup_x86_x64_install (12).exe, win7-20240708-en
- behavioral8: setup_x86_x64_install (12).exe, win10v2004-20241007-en
- behavioral9: setup_x86_x64_install (13).exe, win7-20240903-en
- behavioral10: setup_x86_x64_install (13).exe, win10v2004-20241007-en
- behavioral11: setup_x86_x64_install (14).exe, win7-20240903-en
- behavioral12: setup_x86_x64_install (14).exe, win10v2004-20241007-en
- behavioral13: setup_x86_x64_install (15).exe, win7-20240903-en
- behavioral14: setup_x86_x64_install (15).exe, win10v2004-20241007-en
- behavioral15: setup_x86_x64_install (16).exe, win7-20241023-en
- behavioral16: setup_x86_x64_install (16).exe, win10v2004-20241007-en
- behavioral17: setup_x86_x64_install (17).exe, win7-20240903-en
- behavioral18: setup_x86_x64_install (17).exe, win10v2004-20241007-en
- behavioral19: setup_x86_x64_install (18).exe, win7-20241010-en
- behavioral20: setup_x86_x64_install (18).exe, win10v2004-20241007-en
- behavioral21: setup_x86_x64_install (19).exe, win7-20240708-en
- behavioral22: setup_x86_x64_install (19).exe, win10v2004-20241007-en
- behavioral23: setup_x86_x64_install (2).exe, win7-20240903-en
- behavioral24: setup_x86_x64_install (2).exe, win10v2004-20241007-en
- behavioral25: setup_x86_x64_install (20).exe, win7-20240903-en
- behavioral26: setup_x86_x64_install (20).exe, win10v2004-20241007-en
- behavioral27: setup_x86_x64_install (21).exe, win7-20240903-en
- behavioral28: setup_x86_x64_install (21).exe, win10v2004-20241007-en
- behavioral29: setup_x86_x64_install (22).exe, win7-20241010-en
- behavioral30: setup_x86_x64_install (22).exe, win10v2004-20241007-en
- behavioral31: setup_x86_x64_install (23).exe, win7-20240903-en
General
- Target: setup_x86_x64_install (15).exe
- Size: 1.8MB
- MD5: 961ed865e49001eab634e7f1d49d4865
- SHA1: ac28f77d1b75703518ebf6df8cdafa77da9a08aa
- SHA256: 00bea63783ba58ffe8a63b70aa5c4c019491bed0a92ed17148836409ab7e5cc1
- SHA512: 8d13430e0fd68959239475082822a11e681f3923471ba0cbb7bf906da86fc940b19a1e81e2a1494deee5b6fe08da8bc6ab715dcd08edb5a4f9755e39a4bbdd4a
- SSDEEP: 24576:L3hOb1cU1l+aHBs8D3tCXG5IfsvYAPzTvW/SWlWIPqz0beYU2Z5gsUtR/VUTUb3/:LxOpmX70uDMQDU/FVUTURHinXuaa
Malware Config

Signatures

CryptBot payload (3 IoCs)
  resource | yara_rule
  behavioral14/memory/760-24-0x00000000003F0000-0x00000000004D5000-memory.dmp | family_cryptbot
  behavioral14/memory/760-25-0x00000000003F0000-0x00000000004D5000-memory.dmp | family_cryptbot
  behavioral14/memory/760-26-0x00000000003F0000-0x00000000004D5000-memory.dmp | family_cryptbot

Cryptbot family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | setup_x86_x64_install (15).exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | Pensieroso.exe.com

Executes dropped EXE (2 IoCs)
  pid | Process
  1044 | Pensieroso.exe.com
  760 | Pensieroso.exe.com

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pensieroso.exe.com
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pensieroso.exe.com
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | setup_x86_x64_install (15).exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  4148 | PING.EXE

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Pensieroso.exe.com
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Pensieroso.exe.com

Delays execution with timeout.exe (1 IoC)
  pid | Process
  1800 | timeout.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  4148 | PING.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  760 | Pensieroso.exe.com
  760 | Pensieroso.exe.com

Suspicious use of WriteProcessMemory (24 IoCs; each event was recorded three times, shown once with "x3")
  description | pid | Process | procid_target
  PID 4868 wrote to memory of 2004 | 4868 | setup_x86_x64_install (15).exe | 83 (x3)
  PID 2004 wrote to memory of 4444 | 2004 | cmd.exe | 85 (x3)
  PID 4444 wrote to memory of 1972 | 4444 | cmd.exe | 86 (x3)
  PID 4444 wrote to memory of 1044 | 4444 | cmd.exe | 87 (x3)
  PID 4444 wrote to memory of 4148 | 4444 | cmd.exe | 88 (x3)
  PID 1044 wrote to memory of 760 | 1044 | Pensieroso.exe.com | 89 (x3)
  PID 760 wrote to memory of 2064 | 760 | Pensieroso.exe.com | 104 (x3)
  PID 2064 wrote to memory of 1800 | 2064 | cmd.exe | 106 (x3)
Processes (indentation shows the parent/child relationship; the number is the depth in the tree)

1. C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (15).exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (15).exe"
   PID: 4868
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c cmd < Sommesso.ppt
      PID: 2004
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd
         PID: 4444
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\findstr.exe
            Command line: findstr /V /R "^ZOQsXtAtHxdyuhsSoVBajbWjbeoOEYrTNLMLtwdlZxVnlJckSKVqpClCSEUVWLmIsbsxAFNuFdaSBbwNGXVTeeJkApTAicggUhuNawKhWPcSpaw$" Apparenze.ppt
            PID: 1972
            - System Location Discovery: System Language Discovery

         4. C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
            Command line: Pensieroso.exe.com N
            PID: 1044
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
               Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com N
               PID: 760
               - Checks computer location settings
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Checks processor information in registry
               - Suspicious use of FindShellTrayWindow
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\SysWOW64\cmd.exe
                  Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\DoRlUbXdN & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com"
                  PID: 2064
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory

                  7. C:\Windows\SysWOW64\timeout.exe
                     Command line: timeout 3
                     PID: 1800
                     - System Location Discovery: System Language Discovery
                     - Delays execution with timeout.exe

         4. C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1 -n 30
            PID: 4148
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (2)
    - Credentials In Files (2)
Downloads