Overview
Analysis
Max time kernel: 93s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 24-12-2024 01:41
Tasks
static1: static analysis
behavioral1: setup_x86_x64_install (1).exe on win7-20240903-en
behavioral2: setup_x86_x64_install (1).exe on win10v2004-20241007-en
behavioral3: setup_x86_x64_install (10).exe on win7-20241010-en
behavioral4: setup_x86_x64_install (10).exe on win10v2004-20241007-en
behavioral5: setup_x86_x64_install (11).exe on win7-20240903-en
behavioral6: setup_x86_x64_install (11).exe on win10v2004-20241007-en
behavioral7: setup_x86_x64_install (12).exe on win7-20240708-en
behavioral8: setup_x86_x64_install (12).exe on win10v2004-20241007-en
behavioral9: setup_x86_x64_install (13).exe on win7-20240903-en
behavioral10: setup_x86_x64_install (13).exe on win10v2004-20241007-en
behavioral11: setup_x86_x64_install (14).exe on win7-20240903-en
behavioral12: setup_x86_x64_install (14).exe on win10v2004-20241007-en
behavioral13: setup_x86_x64_install (15).exe on win7-20240903-en
behavioral14: setup_x86_x64_install (15).exe on win10v2004-20241007-en
behavioral15: setup_x86_x64_install (16).exe on win7-20241023-en
behavioral16: setup_x86_x64_install (16).exe on win10v2004-20241007-en
behavioral17: setup_x86_x64_install (17).exe on win7-20240903-en
behavioral18: setup_x86_x64_install (17).exe on win10v2004-20241007-en
behavioral19: setup_x86_x64_install (18).exe on win7-20241010-en
behavioral20: setup_x86_x64_install (18).exe on win10v2004-20241007-en
behavioral21: setup_x86_x64_install (19).exe on win7-20240708-en
behavioral22: setup_x86_x64_install (19).exe on win10v2004-20241007-en
behavioral23: setup_x86_x64_install (2).exe on win7-20240903-en
behavioral24: setup_x86_x64_install (2).exe on win10v2004-20241007-en
behavioral25: setup_x86_x64_install (20).exe on win7-20240903-en
behavioral26: setup_x86_x64_install (20).exe on win10v2004-20241007-en
behavioral27: setup_x86_x64_install (21).exe on win7-20240903-en
behavioral28: setup_x86_x64_install (21).exe on win10v2004-20241007-en
behavioral29: setup_x86_x64_install (22).exe on win7-20241010-en
behavioral30: setup_x86_x64_install (22).exe on win10v2004-20241007-en
behavioral31: setup_x86_x64_install (23).exe on win7-20240903-en
General
Target: setup_x86_x64_install (20).exe
Size: 1.8MB
MD5: 961ed865e49001eab634e7f1d49d4865
SHA1: ac28f77d1b75703518ebf6df8cdafa77da9a08aa
SHA256: 00bea63783ba58ffe8a63b70aa5c4c019491bed0a92ed17148836409ab7e5cc1
SHA512: 8d13430e0fd68959239475082822a11e681f3923471ba0cbb7bf906da86fc940b19a1e81e2a1494deee5b6fe08da8bc6ab715dcd08edb5a4f9755e39a4bbdd4a
SSDEEP: 24576:L3hOb1cU1l+aHBs8D3tCXG5IfsvYAPzTvW/SWlWIPqz0beYU2Z5gsUtR/VUTUb3/:LxOpmX70uDMQDU/FVUTURHinXuaa
Signatures

CryptBot payload (3 IoCs)
YARA rule family_cryptbot matched three memory dumps of PID 3320 (Pensieroso.exe.com), all covering the same region 0x00000000040B0000-0x0000000004195000:
  behavioral26/memory/3320-24-0x00000000040B0000-0x0000000004195000-memory.dmp
  behavioral26/memory/3320-25-0x00000000040B0000-0x0000000004195000-memory.dmp
  behavioral26/memory/3320-26-0x00000000040B0000-0x0000000004195000-memory.dmp

Cryptbot family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation, by setup_x86_x64_install (20).exe
  Key value queried: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation, by Pensieroso.exe.com

Executes dropped EXE (2 IoCs)
  PID 3988 Pensieroso.exe.com
  PID 3320 Pensieroso.exe.com

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by Pensieroso.exe.com (2), cmd.exe (3), setup_x86_x64_install (20).exe, findstr.exe, PING.EXE and timeout.exe
The stock Windows utilities in the chain (cmd.exe, findstr.exe, PING.EXE, timeout.exe) trigger this signature too, so on its own it says little about intent; the Geo\Nation lookup under "Checks computer location settings" is the stronger geofencing indicator.
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
  PID 5052 PING.EXE
The command line recorded for this process is ping 127.0.0.1 -n 30, a loopback ping; in this chain it serves as a roughly 30-second delay, not as a connectivity check.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, by Pensieroso.exe.com
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, by Pensieroso.exe.com

Delays execution with timeout.exe (1 IoC)
  PID 3412 timeout.exe

Runs ping.exe (1 TTP, 1 IoC)
  PID 5052 PING.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 3320 Pensieroso.exe.com (2)
Suspicious use of WriteProcessMemory (24 IoCs)
Every target below is the writer's own direct child in the process tree, and each pair is recorded three times. That pattern is consistent with ordinary process creation rather than injection into an unrelated process, so treat this signature as context for the launch chain, not as evidence of code injection on its own.
  PID 1608 setup_x86_x64_install (20).exe wrote to PID 2264 (cmd.exe), target procid 83, 3 times
  PID 2264 cmd.exe wrote to PID 2840 (cmd.exe), target procid 85, 3 times
  PID 2840 cmd.exe wrote to PID 1264 (findstr.exe), target procid 86, 3 times
  PID 2840 cmd.exe wrote to PID 3988 (Pensieroso.exe.com), target procid 87, 3 times
  PID 2840 cmd.exe wrote to PID 5052 (PING.EXE), target procid 88, 3 times
  PID 3988 Pensieroso.exe.com wrote to PID 3320 (Pensieroso.exe.com), target procid 89, 3 times
  PID 3320 Pensieroso.exe.com wrote to PID 3284 (cmd.exe), target procid 105, 3 times
  PID 3284 cmd.exe wrote to PID 3412 (timeout.exe), target procid 107, 3 times
Processes

[1] setup_x86_x64_install (20).exe  (PID 1608)
    Image: C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (20).exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (20).exe"
    Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

  [2] cmd.exe  (PID 2264)
      Image: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c cmd < Sommesso.ppt
      System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    [3] cmd.exe  (PID 2840)
        Image: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd
        System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      [4] findstr.exe  (PID 1264)
          Image: C:\Windows\SysWOW64\findstr.exe
          Command line: findstr /V /R "^ZOQsXtAtHxdyuhsSoVBajbWjbeoOEYrTNLMLtwdlZxVnlJckSKVqpClCSEUVWLmIsbsxAFNuFdaSBbwNGXVTeeJkApTAicggUhuNawKhWPcSpaw$" Apparenze.ppt
          System Location Discovery: System Language Discovery

      [4] Pensieroso.exe.com  (PID 3988)
          Image: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
          Command line: Pensieroso.exe.com N
          Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

        [5] Pensieroso.exe.com  (PID 3320)
            Image: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
            Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com N
            Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Checks processor information in registry; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory

          [6] cmd.exe  (PID 3284)
              Image: C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\SsnMGhsa & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com"
              System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

            [7] timeout.exe  (PID 3412)
                Image: C:\Windows\SysWOW64\timeout.exe
                Command line: timeout 3
                System Location Discovery: System Language Discovery; Delays execution with timeout.exe

      [4] PING.EXE  (PID 5052)
          Image: C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1 -n 30
          System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
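The chain under Processes (cmd.exe fed Sommesso.ppt on stdin, findstr /V /R stripping a single marker line from Apparenze.ppt, a 7ZipSfx-dropped Pensieroso.exe.com launched twice, ping 127.0.0.1 -n 30 as a delay, and an rd/timeout/del cleanup that removes the dropped binary) is a recognisable dropper pattern that is stronger as a whole than any of its signatures. The following Python is an added example and not part of the sandbox report: it scores process-creation events for each of those signals and then correlates them on a shared parent. The Proc record layout, the thresholds (marker length of at least 40 characters, ping count of at least 10) and the ATT&CK technique IDs attached to each finding are my assumptions; the events are transcribed from the process tree above. The report does not show where findstr's output is redirected, so the detector keys only on the filter itself.

```python
"""Heuristic detector for the cmd/findstr/ping dropper chain in the Processes section.

Added example, not part of the sandbox report. The Proc fields (pid, ppid, image,
cmdline) are an assumed shape for process-creation telemetry such as Sysmon
Event ID 1 or EDR process events; ATT&CK technique IDs are attached per finding.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Process-creation events transcribed from the Processes section of this report
# (parent PIDs taken from the tree; ppid 0 marks the submitted sample).
SFX = r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com"
MARKER = ("ZOQsXtAtHxdyuhsSoVBajbWjbeoOEYrTNLMLtwdlZxVnlJckSKVqpClCSEUVWLmIsbsx"
          "AFNuFdaSBbwNGXVTeeJkApTAicggUhuNawKhWPcSpaw")
EVENTS = [
    Proc(1608, 0, r"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (20).exe",
         r'"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (20).exe"'),
    Proc(2264, 1608, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c cmd < Sommesso.ppt'),
    Proc(2840, 2264, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    Proc(1264, 2840, r"C:\Windows\SysWOW64\findstr.exe",
         f'findstr /V /R "^{MARKER}$" Apparenze.ppt'),
    Proc(3988, 2840, SFX, "Pensieroso.exe.com N"),
    Proc(3320, 3988, SFX, SFX + " N"),
    Proc(3284, 3320, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\SsnMGhsa'
         r' & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com"'),
    Proc(3412, 3284, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    Proc(5052, 2840, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 30"),
]

# Each pattern is a weak signal on its own; dropper_chain() correlates them.
RE_STDIN_REDIRECT = re.compile(r'\bcmd(?:\.exe)?"?\s*<\s*"?([^\s"]+)', re.I)
RE_FINDSTR_STRIP = re.compile(
    r'findstr\s+(?=[^"]*/V)(?=[^"]*/R)[^"]*"\^([A-Za-z0-9]{40,})\$"\s+(\S+)', re.I)
RE_PING_SLEEP = re.compile(r'\bping(?:\.exe)?\s+(?:127\.0\.0\.1|localhost|::1)\s+-n\s+(\d+)', re.I)
RE_CLEANUP = re.compile(
    r'rd\s+/s\s+/q\s+\S+\s*&\s*timeout\s+\d+\s*&\s*del\s+/f\s+/q\s+"?([^"]+)', re.I)
RE_DOUBLE_EXT = re.compile(r'\.[a-z0-9]{2,4}\.com$', re.I)
SCRIPT_EXT = (".bat", ".cmd", ".txt")  # stdin redirects from these are routine


def detect(events):
    """Return (pid, attack_id, detail) for each suspicious command line or image."""
    findings = []
    for p in events:
        m = RE_STDIN_REDIRECT.search(p.cmdline)
        if m and not m.group(1).lower().endswith(SCRIPT_EXT):
            findings.append((p.pid, "T1059.003",
                             f"cmd.exe takes its script from stdin file {m.group(1)}"))
        m = RE_FINDSTR_STRIP.search(p.cmdline)
        if m:
            findings.append((p.pid, "T1140",
                             f"findstr /V drops a {len(m.group(1))}-char marker line from {m.group(2)}"))
        m = RE_PING_SLEEP.search(p.cmdline)
        if m and int(m.group(1)) >= 10:
            findings.append((p.pid, "T1497.003",
                             f"loopback ping -n {m.group(1)} used as a ~{int(m.group(1)) - 1}s sleep"))
        m = RE_CLEANUP.search(p.cmdline)
        if m:
            findings.append((p.pid, "T1070.004", f"delayed self-deletion of {m.group(1)}"))
        if RE_DOUBLE_EXT.search(p.image):
            name = p.image.rsplit("\\", 1)[-1]
            findings.append((p.pid, "T1036.007", f"double-extension executable {name}"))
    return findings


def dropper_chain(events):
    """Correlate: the same parent both runs the findstr marker strip and launches a
    double-extension binary. Returns those parent processes (empty if no chain)."""
    by_pid = {p.pid: p for p in events}
    strip_parents = {p.ppid for p in events if RE_FINDSTR_STRIP.search(p.cmdline)}
    launch_parents = {p.ppid for p in events if RE_DOUBLE_EXT.search(p.image)}
    return [by_pid[pid] for pid in sorted(strip_parents & launch_parents) if pid in by_pid]


if __name__ == "__main__":
    for pid, tid, detail in detect(EVENTS):
        print(f"PID {pid:>5}  {tid:<10} {detail}")
    for parent in dropper_chain(EVENTS):
        print(f"dropper chain anchored at PID {parent.pid} ({parent.cmdline})")
```

Run against the transcribed tree, detect() flags PID 2264 (stdin redirect), 1264 (marker strip), 5052 (loopback sleep), 3284 (self-deletion) and both Pensieroso.exe.com launches, and dropper_chain() returns the intermediate cmd.exe (PID 2840) as the process tying the strip and the launch together. Plugging real telemetry in is a matter of mapping its fields onto Proc; the correlation on a shared parent is what keeps the individual, fairly noisy regexes from paging on ordinary batch files.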
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads

Download 1
Filesize: 872KB
MD5: 2caf8e89e6a05bb30057c7c470fdf260
SHA1: edb048d2d92046e97b2f991e9dbec16247ee5d8c
SHA256: 492fcd3db49355cefd9c23e78d0a3c3082037f4d2e6ccaff65c81273255a22e8
SHA512: 4f0e0f11c989f4030c77e274e919cb10a4b93283591d2e79f8ff4d3d44c0384dead702804abe221b54b32c8eeaa6be845e0d59cac336f6cf9256c95ae3469f3a

Download 2
Filesize: 663KB
MD5: 9fef53ec7afd145869f53138338e189f
SHA1: 17d26e52ca0cb3de7083b5737f7b2a84a483b462
SHA256: e2cce7b050bc38ea22285645f3953ea3f9ea7dab11b94da0612ebace7f59eb09
SHA512: b434b0839269cdc32edb0aa94b570de2e19761feb0460be7fbbc5ef2250adc09ab138c1a0ab591b89dee06957c3559dbc69af156fa560c30c19d1509be8bbaa4

Download 3
Filesize: 894KB
MD5: 0d1cb8e6cc1623b8a86ecabd84613e0e
SHA1: 353b60c29f0fb219f6b1f49b112038912ec040c8
SHA256: 05ebdcbe3983b1f87e69ffcdab45a2692e0248bb6beccbaeebacad4fb1d72bc4
SHA512: 0af070ec9d3dcac2103f6d259b3d847303c0c14d245f3f6d8a86f81f233fad3048632c8cf43f93d3f53dca974a0ff0a61732686471a24df5d391c025757eda38

Download 4
Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download 5
Filesize: 325B
MD5: 1b4d94eb8f5923f889afcbe5caddd449
SHA1: c613c7cfe6db911b07760a7767492de829cd37e7
SHA256: 812f3d792ef7a99472b2aff8ee37c09218aed327036292cea950f27981071885
SHA512: 6b4f3b1c3afc5acc8252746ea02eb59f1dd5d314439ea86097f3c0144aa13f2b955c77aa1d980a93f2e342393258d3943f14ca7708f303195b66f1fb5cd24c88

Download 6
Filesize: 42KB
MD5: 8e51e2542d613a458f666df38f9e5c20
SHA1: b0f106f88acf3091ce091a761ded7672f51baa4d
SHA256: f2c1581da26cd7faea8c6967b00bfb2cd9b9420e337dec528a4f0ebb70fda94d
SHA512: 93b73ab5928473499f09361303e230e27de3489c298df0054446078d466de0a989b4f49928b8c984fd5fbd7fbd0d9c299202e67a2b03c0e199755350f1276307

Download 7
Filesize: 42KB
MD5: 6ca65865bf6f1642b500a47f1c3043c5
SHA1: c9885c1f0b96ef0ee3dcee6dcfd9d1ebd914199a
SHA256: 086a1f4ca3304496ba0a4db570fe1e59c1a31cb1ab8e0fce7436e1de3d4fec77
SHA512: 1d5b36af464dea4b2c0b0fadee485b44d110eacae46b099c82f3d5cdcef29a7288ea88155a19b6460aa100b4d1f0a17c1aa192aba8f5704f505d7187f4cfde4e

Download 8
Filesize: 7KB
MD5: c9103916178d1e25a90d45a836cb7552
SHA1: 10e475e68a968e242f616d5f594768069e345993
SHA256: dae3b26e3c5697b2e9f3bd6801b3153f4209ea5929619c5512eb8b4269a87ec8
SHA512: 2fdd97ba134768a26d3c2fef15ef5e0a2705c32f7a16ac16a7662407eb0179ac5853f149994a3ace0e28a66c0f580a3a7c4241910893a0b69ab1fc5ee85fd9f8

Download 9
Filesize: 1KB
MD5: 3f2667ba21516db47b4b4f4fb0c0c1e9
SHA1: 05ed524e2319f718e1d693a63f6a7dffb93c1139
SHA256: 0a2ffee60ab205062f4270e5d913b085ae5f2c093bf247af986b6a9539d170ad
SHA512: daff8322a94edfaa3d9174515037998c8c9b798f6c521b1ecd1bd19a083782ebdce3660eef25ec0bbfaa80e6fcc846ab6b0b31902c0f23e943cd2109b23bf5e4

Download 10
Filesize: 2KB
MD5: c56ef400cc9fcd0221371425775a1249
SHA1: e5bb2459b7d85ea89a4c25446bae39d4b70befe0
SHA256: 118d5b0ed9a9855e178bab3fdc5cc2a463be9ce3971923415b080fb69b9b4add
SHA512: 6036cb1aada627830d597b7937bf43083dcefdf72e871a7b79dd958ac15b3f8dcdd54f0005b714a842a7e68ac50bbfd4ad89eabcc096d2a48762548fc44a2c86

Download 11
Filesize: 3KB
MD5: 3f385ce2e1b5df2a6455ff552e5e3a29
SHA1: d6ea16acc4902523776ec0ec6e4b1b49cf7189b0
SHA256: 5b560fc3b29e28c4acbd55fba6949c1fa06529a3741d3bdd18330584f45f5fec
SHA512: 98ae961134f910a7a4c7f285cec0a8133f31410dbe4806a764c83a9152d298b485cc1497f370338ec864947f83fadfb470cc69c937958a17b765607de2afadfc

Download 12
Filesize: 4KB
MD5: a8b8c231ad6dded852e1295bc29138eb
SHA1: 3e6de8a8e0dd5a0a0f3c97597683892670f06dbe
SHA256: cac99409abb1a47b0eebb13c31f7fcbcda079841cc1965eba58e51335a98495e
SHA512: f6d106b6761f62c4443c59f99d4493babc6e1da328c6f6b13eb35f0b418bbe238d71e29d1fa7f8f0782f55443e6c730a6ff8e6798022225c013d51ec4bf964e2

Download 13
Filesize: 47KB
MD5: d0d9d848ccdfc6d806adfa6ddc530f70
SHA1: b87a05e411e1e5e2c43b1a2b0a4b17f7650fc75b
SHA256: 065e199696e13fd013a964182aec3f9d2923042a117242268abc66f6f3f0b1dc
SHA512: 40c04abbf9420b887bf5580743d0159b40bda2460d71cf490d06652b04d5f604ebe245d9a5580059b4ecfe5cd56bd37fc7938087ab95ae82e603cfbe0fd9eca1

Download 14
Filesize: 1KB
MD5: 08949fb2d4c70c590984a88d84825977
SHA1: dbea925fb2692ff2b29e729e586453915f2bae55
SHA256: 60961187a3a39db4fc4d1a704f86ab63a9f3d5df888b0745c14cc452f2939720
SHA512: 80b042079a684926d9105e4da1cfa8bcc0c6692eaabb2cd273cb373e10ef517c9cf2f6a79d6910224ff53bb205618a49dae32d07e119029fcfc8a6955c2e5a6c

Download 15
Filesize: 1KB
MD5: 086e03662fe749290872018f9fd9b474
SHA1: b213a6c84370f65bbbfcd6880ad280dfd93d3890
SHA256: 67882230fc230464ba72f4c636c1c47a8b0e5dc3dfbc8c9ebc0f4a2cebedd230
SHA512: b69711a84f333361a310c974a6dc938d63e18e7b92e03c25513b5586cc7c5ad4b5e7f1a6f64f1100a687d172c87810a4b39db07d5ba120493a19db3d4d53f227

Download 16
Filesize: 7KB
MD5: a79c8036ae510720529c5c104361b822
SHA1: 51c631c4ef1e1b4eb5228c8bc97f9e125d244dc3
SHA256: 7d50397d84867fe51b2cba019327b2223cab6005b8407c8de91ab880e559fb95
SHA512: a43961407df04c2d5ee63d6618ac804e8070b87be01ff46a8055731484250fe7ed9f732a86a0a15ce578d53c212ad6d89bf7d226cad2ac634de529f201f53594