Overview
Analysis
- max time kernel: 92s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-12-2024 01:41
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: setup_x86_x64_install (1).exe, win7-20240903-en
- behavioral2: setup_x86_x64_install (1).exe, win10v2004-20241007-en
- behavioral3: setup_x86_x64_install (10).exe, win7-20241010-en
- behavioral4: setup_x86_x64_install (10).exe, win10v2004-20241007-en
- behavioral5: setup_x86_x64_install (11).exe, win7-20240903-en
- behavioral6: setup_x86_x64_install (11).exe, win10v2004-20241007-en
- behavioral7: setup_x86_x64_install (12).exe, win7-20240708-en
- behavioral8: setup_x86_x64_install (12).exe, win10v2004-20241007-en
- behavioral9: setup_x86_x64_install (13).exe, win7-20240903-en
- behavioral10: setup_x86_x64_install (13).exe, win10v2004-20241007-en
- behavioral11: setup_x86_x64_install (14).exe, win7-20240903-en
- behavioral12: setup_x86_x64_install (14).exe, win10v2004-20241007-en
- behavioral13: setup_x86_x64_install (15).exe, win7-20240903-en
- behavioral14: setup_x86_x64_install (15).exe, win10v2004-20241007-en
- behavioral15: setup_x86_x64_install (16).exe, win7-20241023-en
- behavioral16: setup_x86_x64_install (16).exe, win10v2004-20241007-en
- behavioral17: setup_x86_x64_install (17).exe, win7-20240903-en
- behavioral18: setup_x86_x64_install (17).exe, win10v2004-20241007-en
- behavioral19: setup_x86_x64_install (18).exe, win7-20241010-en
- behavioral20: setup_x86_x64_install (18).exe, win10v2004-20241007-en
- behavioral21: setup_x86_x64_install (19).exe, win7-20240708-en
- behavioral22: setup_x86_x64_install (19).exe, win10v2004-20241007-en
- behavioral23: setup_x86_x64_install (2).exe, win7-20240903-en
- behavioral24: setup_x86_x64_install (2).exe, win10v2004-20241007-en
- behavioral25: setup_x86_x64_install (20).exe, win7-20240903-en
- behavioral26: setup_x86_x64_install (20).exe, win10v2004-20241007-en
- behavioral27: setup_x86_x64_install (21).exe, win7-20240903-en
- behavioral28: setup_x86_x64_install (21).exe, win10v2004-20241007-en
- behavioral29: setup_x86_x64_install (22).exe, win7-20241010-en
- behavioral30: setup_x86_x64_install (22).exe, win10v2004-20241007-en
- behavioral31: setup_x86_x64_install (23).exe, win7-20240903-en
General
- Target: setup_x86_x64_install (2).exe
- Size: 1.8MB
- MD5: 961ed865e49001eab634e7f1d49d4865
- SHA1: ac28f77d1b75703518ebf6df8cdafa77da9a08aa
- SHA256: 00bea63783ba58ffe8a63b70aa5c4c019491bed0a92ed17148836409ab7e5cc1
- SHA512: 8d13430e0fd68959239475082822a11e681f3923471ba0cbb7bf906da86fc940b19a1e81e2a1494deee5b6fe08da8bc6ab715dcd08edb5a4f9755e39a4bbdd4a
- SSDEEP: 24576:L3hOb1cU1l+aHBs8D3tCXG5IfsvYAPzTvW/SWlWIPqz0beYU2Z5gsUtR/VUTUb3/:LxOpmX70uDMQDU/FVUTURHinXuaa
Malware Config
Signatures
- CryptBot payload (3 IoCs)
  resource / yara_rule:
  - behavioral24/memory/2032-24-0x00000000005C0000-0x00000000006A5000-memory.dmp: family_cryptbot
  - behavioral24/memory/2032-25-0x00000000005C0000-0x00000000006A5000-memory.dmp: family_cryptbot
  - behavioral24/memory/2032-26-0x00000000005C0000-0x00000000006A5000-memory.dmp: family_cryptbot
- Cryptbot family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / Process:
  - Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (setup_x86_x64_install (2).exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (Pensieroso.exe.com)
- Executes dropped EXE (2 IoCs)
  pid / Process:
  - 2544: Pensieroso.exe.com
  - 2032: Pensieroso.exe.com
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (timeout.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (setup_x86_x64_install (2).exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (findstr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Pensieroso.exe.com)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Pensieroso.exe.com)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (PING.EXE)
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid / Process:
  - 3404: PING.EXE
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Pensieroso.exe.com)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Pensieroso.exe.com)
- Delays execution with timeout.exe (1 IoCs)
  pid / Process:
  - 1012: timeout.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid / Process:
  - 3404: PING.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid / Process:
  - 2032: Pensieroso.exe.com
  - 2032: Pensieroso.exe.com
- Suspicious use of WriteProcessMemory (24 IoCs)
  description / pid / Process / procid_target (each row is reported three times):
  - PID 3100 wrote to memory of 2688: 3100, setup_x86_x64_install (2).exe, 84
  - PID 2688 wrote to memory of 4068: 2688, cmd.exe, 86
  - PID 4068 wrote to memory of 1452: 4068, cmd.exe, 87
  - PID 4068 wrote to memory of 2544: 4068, cmd.exe, 88
  - PID 4068 wrote to memory of 3404: 4068, cmd.exe, 89
  - PID 2544 wrote to memory of 2032: 2544, Pensieroso.exe.com, 90
  - PID 2032 wrote to memory of 2384: 2032, Pensieroso.exe.com, 100
  - PID 2384 wrote to memory of 1012: 2384, cmd.exe, 102
Processes (process tree; indentation shows parent/child)
- C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (2).exe (PID 3100)
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (2).exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2688)
    Command line: "C:\Windows\System32\cmd.exe" /c cmd < Sommesso.ppt
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4068)
      Command line: cmd
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe (PID 1452)
        Command line: findstr /V /R "^ZOQsXtAtHxdyuhsSoVBajbWjbeoOEYrTNLMLtwdlZxVnlJckSKVqpClCSEUVWLmIsbsxAFNuFdaSBbwNGXVTeeJkApTAicggUhuNawKhWPcSpaw$" Apparenze.ppt
        Signatures: System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com (PID 2544)
        Command line: Pensieroso.exe.com N
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com (PID 2032)
          Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com N
          Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Checks processor information in registry; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\cmd.exe (PID 2384)
            Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\yAJYbTZNvAiKk & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com"
            Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\timeout.exe (PID 1012)
              Command line: timeout 3
              Signatures: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
      - C:\Windows\SysWOW64\PING.EXE (PID 3404)
        Command line: ping 127.0.0.1 -n 30
        Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
- Credential Access
  - Credentials from Password Stores (1): Credentials from Web Browsers (1)
  - Unsecured Credentials (2): Credentials In Files (2)
Downloads