Analysis
  max time kernel: 92s
  max time network: 143s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 24-12-2024 01:41
Tasks
  static1: Static task
  behavioral1:  Sample setup_x86_x64_install (1).exe   Resource win7-20240903-en
  behavioral2:  Sample setup_x86_x64_install (1).exe   Resource win10v2004-20241007-en
  behavioral3:  Sample setup_x86_x64_install (10).exe  Resource win7-20241010-en
  behavioral4:  Sample setup_x86_x64_install (10).exe  Resource win10v2004-20241007-en
  behavioral5:  Sample setup_x86_x64_install (11).exe  Resource win7-20240903-en
  behavioral6:  Sample setup_x86_x64_install (11).exe  Resource win10v2004-20241007-en
  behavioral7:  Sample setup_x86_x64_install (12).exe  Resource win7-20240708-en
  behavioral8:  Sample setup_x86_x64_install (12).exe  Resource win10v2004-20241007-en
  behavioral9:  Sample setup_x86_x64_install (13).exe  Resource win7-20240903-en
  behavioral10: Sample setup_x86_x64_install (13).exe  Resource win10v2004-20241007-en
  behavioral11: Sample setup_x86_x64_install (14).exe  Resource win7-20240903-en
  behavioral12: Sample setup_x86_x64_install (14).exe  Resource win10v2004-20241007-en
  behavioral13: Sample setup_x86_x64_install (15).exe  Resource win7-20240903-en
  behavioral14: Sample setup_x86_x64_install (15).exe  Resource win10v2004-20241007-en
  behavioral15: Sample setup_x86_x64_install (16).exe  Resource win7-20241023-en
  behavioral16: Sample setup_x86_x64_install (16).exe  Resource win10v2004-20241007-en
  behavioral17: Sample setup_x86_x64_install (17).exe  Resource win7-20240903-en
  behavioral18: Sample setup_x86_x64_install (17).exe  Resource win10v2004-20241007-en
  behavioral19: Sample setup_x86_x64_install (18).exe  Resource win7-20241010-en
  behavioral20: Sample setup_x86_x64_install (18).exe  Resource win10v2004-20241007-en
  behavioral21: Sample setup_x86_x64_install (19).exe  Resource win7-20240708-en
  behavioral22: Sample setup_x86_x64_install (19).exe  Resource win10v2004-20241007-en
  behavioral23: Sample setup_x86_x64_install (2).exe   Resource win7-20240903-en
  behavioral24: Sample setup_x86_x64_install (2).exe   Resource win10v2004-20241007-en
  behavioral25: Sample setup_x86_x64_install (20).exe  Resource win7-20240903-en
  behavioral26: Sample setup_x86_x64_install (20).exe  Resource win10v2004-20241007-en
  behavioral27: Sample setup_x86_x64_install (21).exe  Resource win7-20240903-en
  behavioral28: Sample setup_x86_x64_install (21).exe  Resource win10v2004-20241007-en
  behavioral29: Sample setup_x86_x64_install (22).exe  Resource win7-20241010-en
  behavioral30: Sample setup_x86_x64_install (22).exe  Resource win10v2004-20241007-en
  behavioral31: Sample setup_x86_x64_install (23).exe  Resource win7-20240903-en
General
  Target: setup_x86_x64_install (16).exe
  Size: 1.8MB
  MD5: 961ed865e49001eab634e7f1d49d4865
  SHA1: ac28f77d1b75703518ebf6df8cdafa77da9a08aa
  SHA256: 00bea63783ba58ffe8a63b70aa5c4c019491bed0a92ed17148836409ab7e5cc1
  SHA512: 8d13430e0fd68959239475082822a11e681f3923471ba0cbb7bf906da86fc940b19a1e81e2a1494deee5b6fe08da8bc6ab715dcd08edb5a4f9755e39a4bbdd4a
  SSDEEP: 24576:L3hOb1cU1l+aHBs8D3tCXG5IfsvYAPzTvW/SWlWIPqz0beYU2Z5gsUtR/VUTUb3/:LxOpmX70uDMQDU/FVUTURHinXuaa
Malware Config

Signatures

CryptBot payload (3 IoCs)
  resource: behavioral16/memory/4956-24-0x0000000004A80000-0x0000000004B65000-memory.dmp  yara_rule: family_cryptbot
  resource: behavioral16/memory/4956-25-0x0000000004A80000-0x0000000004B65000-memory.dmp  yara_rule: family_cryptbot
  resource: behavioral16/memory/4956-26-0x0000000004A80000-0x0000000004B65000-memory.dmp  yara_rule: family_cryptbot

Cryptbot family

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  Process: setup_x86_x64_install (16).exe
  Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  Process: Pensieroso.exe.com

Executes dropped EXE (2 IoCs)
  PID 1204  Process: Pensieroso.exe.com
  PID 4956  Process: Pensieroso.exe.com

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: PING.EXE
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: timeout.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: setup_x86_x64_install (16).exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: cmd.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: findstr.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: Pensieroso.exe.com
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: Pensieroso.exe.com
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: cmd.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: cmd.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PID 2576  Process: PING.EXE

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  Process: Pensieroso.exe.com
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Process: Pensieroso.exe.com

Delays execution with timeout.exe (1 IoCs)
  PID 2816  Process: timeout.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  PID 2576  Process: PING.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 4956  Process: Pensieroso.exe.com
  PID 4956  Process: Pensieroso.exe.com

Suspicious use of WriteProcessMemory (24 IoCs)
  PID 3232 (setup_x86_x64_install (16).exe) wrote to memory of PID 2248  procid_target: 83
  PID 3232 (setup_x86_x64_install (16).exe) wrote to memory of PID 2248  procid_target: 83
  PID 3232 (setup_x86_x64_install (16).exe) wrote to memory of PID 2248  procid_target: 83
  PID 2248 (cmd.exe) wrote to memory of PID 2440  procid_target: 85
  PID 2248 (cmd.exe) wrote to memory of PID 2440  procid_target: 85
  PID 2248 (cmd.exe) wrote to memory of PID 2440  procid_target: 85
  PID 2440 (cmd.exe) wrote to memory of PID 1432  procid_target: 86
  PID 2440 (cmd.exe) wrote to memory of PID 1432  procid_target: 86
  PID 2440 (cmd.exe) wrote to memory of PID 1432  procid_target: 86
  PID 2440 (cmd.exe) wrote to memory of PID 1204  procid_target: 87
  PID 2440 (cmd.exe) wrote to memory of PID 1204  procid_target: 87
  PID 2440 (cmd.exe) wrote to memory of PID 1204  procid_target: 87
  PID 2440 (cmd.exe) wrote to memory of PID 2576  procid_target: 88
  PID 2440 (cmd.exe) wrote to memory of PID 2576  procid_target: 88
  PID 2440 (cmd.exe) wrote to memory of PID 2576  procid_target: 88
  PID 1204 (Pensieroso.exe.com) wrote to memory of PID 4956  procid_target: 89
  PID 1204 (Pensieroso.exe.com) wrote to memory of PID 4956  procid_target: 89
  PID 1204 (Pensieroso.exe.com) wrote to memory of PID 4956  procid_target: 89
  PID 4956 (Pensieroso.exe.com) wrote to memory of PID 2828  procid_target: 105
  PID 4956 (Pensieroso.exe.com) wrote to memory of PID 2828  procid_target: 105
  PID 4956 (Pensieroso.exe.com) wrote to memory of PID 2828  procid_target: 105
  PID 2828 (cmd.exe) wrote to memory of PID 2816  procid_target: 107
  PID 2828 (cmd.exe) wrote to memory of PID 2816  procid_target: 107
  PID 2828 (cmd.exe) wrote to memory of PID 2816  procid_target: 107
Processes

  [1] C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (16).exe
      command line: "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (16).exe"
      PID: 3232
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c cmd < Sommesso.ppt
        PID: 2248
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [3] C:\Windows\SysWOW64\cmd.exe
          command line: cmd
          PID: 2440
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

        [4] C:\Windows\SysWOW64\findstr.exe
            command line: findstr /V /R "^ZOQsXtAtHxdyuhsSoVBajbWjbeoOEYrTNLMLtwdlZxVnlJckSKVqpClCSEUVWLmIsbsxAFNuFdaSBbwNGXVTeeJkApTAicggUhuNawKhWPcSpaw$" Apparenze.ppt
            PID: 1432
            - System Location Discovery: System Language Discovery

        [4] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
            command line: Pensieroso.exe.com N
            PID: 1204
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

          [5] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
              command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com N
              PID: 4956
              - Checks computer location settings
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Checks processor information in registry
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of WriteProcessMemory

            [6] C:\Windows\SysWOW64\cmd.exe
                command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\SsnMGhsa & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com"
                PID: 2828
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

              [7] C:\Windows\SysWOW64\timeout.exe
                  command line: timeout 3
                  PID: 2816
                  - System Location Discovery: System Language Discovery
                  - Delays execution with timeout.exe

        [4] C:\Windows\SysWOW64\PING.EXE
            command line: ping 127.0.0.1 -n 30
            PID: 2576
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
  Credential Access
    Credentials from Password Stores (1): Credentials from Web Browsers (1)
    Unsecured Credentials (2): Credentials In Files (2)
Downloads