Overview

Tabs (score shown first for each task):
- Overview
- Static (score 10)
- Behavioral tasks:
  - 3: setup_x86_...1).exe on windows7-x64
  - 10: setup_x86_...1).exe on windows10-2004-x64
  - 10: setup_x86_...0).exe on windows7-x64
  - 10: setup_x86_...0).exe on windows10-2004-x64
  - 10: setup_x86_...1).exe on windows7-x64
  - 10: setup_x86_...1).exe on windows10-2004-x64
  - 10: setup_x86_...2).exe on windows7-x64
  - 10: setup_x86_...2).exe on windows10-2004-x64
  - 10: setup_x86_...3).exe on windows7-x64
  - 10: setup_x86_...3).exe on windows10-2004-x64
  - 10: setup_x86_...4).exe on windows7-x64
  - 10: setup_x86_...4).exe on windows10-2004-x64
  - 10: setup_x86_...5).exe on windows7-x64
  - 10: setup_x86_...5).exe on windows10-2004-x64
  - 10: setup_x86_...6).exe on windows7-x64
  - 10: setup_x86_...6).exe on windows10-2004-x64
  - 10: setup_x86_...7).exe on windows7-x64
  - 10: setup_x86_...7).exe on windows10-2004-x64
  - 10: setup_x86_...8).exe on windows7-x64
  - 10: setup_x86_...8).exe on windows10-2004-x64
  - 10: setup_x86_...9).exe on windows7-x64
  - 10: setup_x86_...9).exe on windows10-2004-x64
  - 10: setup_x86_...2).exe on windows7-x64
  - 10: setup_x86_...2).exe on windows10-2004-x64
  - 10: setup_x86_...0).exe on windows7-x64
  - 10: setup_x86_...0).exe on windows10-2004-x64
  - 10: setup_x86_...1).exe on windows7-x64
  - 10: setup_x86_...1).exe on windows10-2004-x64
  - 10: setup_x86_...2).exe on windows7-x64
  - 10: setup_x86_...2).exe on windows10-2004-x64
  - 10: setup_x86_...3).exe on windows7-x64
  - 10: setup_x86_...3).exe on windows10-2004-x64
Analysis (score 10)
- Max time kernel: 148s
- Max time network: 157s
- Platform: windows10-2004_x64
- Resource: win10v2004-20241007-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 24-12-2024 01:41
Tasks
- Static task static1
- Behavioral task behavioral1: sample setup_x86_x64_install (1).exe, resource win7-20240903-en
- Behavioral task behavioral2: sample setup_x86_x64_install (1).exe, resource win10v2004-20241007-en
- Behavioral task behavioral3: sample setup_x86_x64_install (10).exe, resource win7-20241010-en
- Behavioral task behavioral4: sample setup_x86_x64_install (10).exe, resource win10v2004-20241007-en
- Behavioral task behavioral5: sample setup_x86_x64_install (11).exe, resource win7-20240903-en
- Behavioral task behavioral6: sample setup_x86_x64_install (11).exe, resource win10v2004-20241007-en
- Behavioral task behavioral7: sample setup_x86_x64_install (12).exe, resource win7-20240708-en
- Behavioral task behavioral8: sample setup_x86_x64_install (12).exe, resource win10v2004-20241007-en
- Behavioral task behavioral9: sample setup_x86_x64_install (13).exe, resource win7-20240903-en
- Behavioral task behavioral10: sample setup_x86_x64_install (13).exe, resource win10v2004-20241007-en
- Behavioral task behavioral11: sample setup_x86_x64_install (14).exe, resource win7-20240903-en
- Behavioral task behavioral12: sample setup_x86_x64_install (14).exe, resource win10v2004-20241007-en
- Behavioral task behavioral13: sample setup_x86_x64_install (15).exe, resource win7-20240903-en
- Behavioral task behavioral14: sample setup_x86_x64_install (15).exe, resource win10v2004-20241007-en
- Behavioral task behavioral15: sample setup_x86_x64_install (16).exe, resource win7-20241023-en
- Behavioral task behavioral16: sample setup_x86_x64_install (16).exe, resource win10v2004-20241007-en
- Behavioral task behavioral17: sample setup_x86_x64_install (17).exe, resource win7-20240903-en
- Behavioral task behavioral18: sample setup_x86_x64_install (17).exe, resource win10v2004-20241007-en
- Behavioral task behavioral19: sample setup_x86_x64_install (18).exe, resource win7-20241010-en
- Behavioral task behavioral20: sample setup_x86_x64_install (18).exe, resource win10v2004-20241007-en
- Behavioral task behavioral21: sample setup_x86_x64_install (19).exe, resource win7-20240708-en
- Behavioral task behavioral22: sample setup_x86_x64_install (19).exe, resource win10v2004-20241007-en
- Behavioral task behavioral23: sample setup_x86_x64_install (2).exe, resource win7-20240903-en
- Behavioral task behavioral24: sample setup_x86_x64_install (2).exe, resource win10v2004-20241007-en
- Behavioral task behavioral25: sample setup_x86_x64_install (20).exe, resource win7-20240903-en
- Behavioral task behavioral26: sample setup_x86_x64_install (20).exe, resource win10v2004-20241007-en
- Behavioral task behavioral27: sample setup_x86_x64_install (21).exe, resource win7-20240903-en
- Behavioral task behavioral28: sample setup_x86_x64_install (21).exe, resource win10v2004-20241007-en
- Behavioral task behavioral29: sample setup_x86_x64_install (22).exe, resource win7-20241010-en
- Behavioral task behavioral30: sample setup_x86_x64_install (22).exe, resource win10v2004-20241007-en
- Behavioral task behavioral31: sample setup_x86_x64_install (23).exe, resource win7-20240903-en
General
- Target: setup_x86_x64_install (22).exe
- Size: 1.8MB
- MD5: 961ed865e49001eab634e7f1d49d4865
- SHA1: ac28f77d1b75703518ebf6df8cdafa77da9a08aa
- SHA256: 00bea63783ba58ffe8a63b70aa5c4c019491bed0a92ed17148836409ab7e5cc1
- SHA512: 8d13430e0fd68959239475082822a11e681f3923471ba0cbb7bf906da86fc940b19a1e81e2a1494deee5b6fe08da8bc6ab715dcd08edb5a4f9755e39a4bbdd4a
- SSDEEP: 24576:L3hOb1cU1l+aHBs8D3tCXG5IfsvYAPzTvW/SWlWIPqz0beYU2Z5gsUtR/VUTUb3/:LxOpmX70uDMQDU/FVUTURHinXuaa
Malware Config

Signatures
- CryptBot payload (3 IoCs)
  resource | yara_rule
  - behavioral30/memory/3252-24-0x00000000047C0000-0x00000000048A5000-memory.dmp | family_cryptbot
  - behavioral30/memory/3252-25-0x00000000047C0000-0x00000000048A5000-memory.dmp | family_cryptbot
  - behavioral30/memory/3252-26-0x00000000047C0000-0x00000000048A5000-memory.dmp | family_cryptbot
- Cryptbot family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  - Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | setup_x86_x64_install (22).exe
  - Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | Pensieroso.exe.com
- Executes dropped EXE (2 IoCs)
  pid | Process
  - 5060 | Pensieroso.exe.com
  - 3252 | Pensieroso.exe.com
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | setup_x86_x64_install (22).exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pensieroso.exe.com
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pensieroso.exe.com
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  - 224 | PING.EXE
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Pensieroso.exe.com
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Pensieroso.exe.com
- Delays execution with timeout.exe (1 IoC)
  pid | Process
  - 764 | timeout.exe
- Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  - 224 | PING.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  - 3252 | Pensieroso.exe.com
  - 3252 | Pensieroso.exe.com
- Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | Process | procid_target
  - PID 2996 wrote to memory of 2088 | 2996 | setup_x86_x64_install (22).exe | 83
  - PID 2996 wrote to memory of 2088 | 2996 | setup_x86_x64_install (22).exe | 83
  - PID 2996 wrote to memory of 2088 | 2996 | setup_x86_x64_install (22).exe | 83
  - PID 2088 wrote to memory of 3220 | 2088 | cmd.exe | 85
  - PID 2088 wrote to memory of 3220 | 2088 | cmd.exe | 85
  - PID 2088 wrote to memory of 3220 | 2088 | cmd.exe | 85
  - PID 3220 wrote to memory of 2040 | 3220 | cmd.exe | 86
  - PID 3220 wrote to memory of 2040 | 3220 | cmd.exe | 86
  - PID 3220 wrote to memory of 2040 | 3220 | cmd.exe | 86
  - PID 3220 wrote to memory of 5060 | 3220 | cmd.exe | 87
  - PID 3220 wrote to memory of 5060 | 3220 | cmd.exe | 87
  - PID 3220 wrote to memory of 5060 | 3220 | cmd.exe | 87
  - PID 3220 wrote to memory of 224 | 3220 | cmd.exe | 88
  - PID 3220 wrote to memory of 224 | 3220 | cmd.exe | 88
  - PID 3220 wrote to memory of 224 | 3220 | cmd.exe | 88
  - PID 5060 wrote to memory of 3252 | 5060 | Pensieroso.exe.com | 89
  - PID 5060 wrote to memory of 3252 | 5060 | Pensieroso.exe.com | 89
  - PID 5060 wrote to memory of 3252 | 5060 | Pensieroso.exe.com | 89
  - PID 3252 wrote to memory of 1640 | 3252 | Pensieroso.exe.com | 106
  - PID 3252 wrote to memory of 1640 | 3252 | Pensieroso.exe.com | 106
  - PID 3252 wrote to memory of 1640 | 3252 | Pensieroso.exe.com | 106
  - PID 1640 wrote to memory of 764 | 1640 | cmd.exe | 108
  - PID 1640 wrote to memory of 764 | 1640 | cmd.exe | 108
  - PID 1640 wrote to memory of 764 | 1640 | cmd.exe | 108
Processes (indentation shows the parent/child tree; the number in brackets is the depth)
- [1] C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (22).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (22).exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  PID: 2996
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c cmd < Sommesso.ppt
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    PID: 2088
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      PID: 3220
      - [4] C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^ZOQsXtAtHxdyuhsSoVBajbWjbeoOEYrTNLMLtwdlZxVnlJckSKVqpClCSEUVWLmIsbsxAFNuFdaSBbwNGXVTeeJkApTAicggUhuNawKhWPcSpaw$" Apparenze.ppt
        Signatures: System Location Discovery: System Language Discovery
        PID: 2040
      - [4] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
        Command line: Pensieroso.exe.com N
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        PID: 5060
        - [5] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
          Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com N
          Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Checks processor information in registry; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
          PID: 3252
          - [6] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\HwxRQCiPsangi & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com"
            Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
            PID: 1640
            - [7] C:\Windows\SysWOW64\timeout.exe
              Command line: timeout 3
              Signatures: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
              PID: 764
      - [4] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 30
        Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
        PID: 224
Network
MITRE ATT&CK Enterprise v15
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (2)
    - Credentials In Files (2)
Downloads
- Filesize: 872KB
  MD5: 2caf8e89e6a05bb30057c7c470fdf260
  SHA1: edb048d2d92046e97b2f991e9dbec16247ee5d8c
  SHA256: 492fcd3db49355cefd9c23e78d0a3c3082037f4d2e6ccaff65c81273255a22e8
  SHA512: 4f0e0f11c989f4030c77e274e919cb10a4b93283591d2e79f8ff4d3d44c0384dead702804abe221b54b32c8eeaa6be845e0d59cac336f6cf9256c95ae3469f3a
- Filesize: 663KB
  MD5: 9fef53ec7afd145869f53138338e189f
  SHA1: 17d26e52ca0cb3de7083b5737f7b2a84a483b462
  SHA256: e2cce7b050bc38ea22285645f3953ea3f9ea7dab11b94da0612ebace7f59eb09
  SHA512: b434b0839269cdc32edb0aa94b570de2e19761feb0460be7fbbc5ef2250adc09ab138c1a0ab591b89dee06957c3559dbc69af156fa560c30c19d1509be8bbaa4
- Filesize: 894KB
  MD5: 0d1cb8e6cc1623b8a86ecabd84613e0e
  SHA1: 353b60c29f0fb219f6b1f49b112038912ec040c8
  SHA256: 05ebdcbe3983b1f87e69ffcdab45a2692e0248bb6beccbaeebacad4fb1d72bc4
  SHA512: 0af070ec9d3dcac2103f6d259b3d847303c0c14d245f3f6d8a86f81f233fad3048632c8cf43f93d3f53dca974a0ff0a61732686471a24df5d391c025757eda38
- Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- Filesize: 325B
  MD5: 1b4d94eb8f5923f889afcbe5caddd449
  SHA1: c613c7cfe6db911b07760a7767492de829cd37e7
  SHA256: 812f3d792ef7a99472b2aff8ee37c09218aed327036292cea950f27981071885
  SHA512: 6b4f3b1c3afc5acc8252746ea02eb59f1dd5d314439ea86097f3c0144aa13f2b955c77aa1d980a93f2e342393258d3943f14ca7708f303195b66f1fb5cd24c88
- Filesize: 39KB
  MD5: 06ba30b6b6aa58e24ab517febf1ff82f
  SHA1: ac36b66501da49e3c23304c8701664b2129c8a2f
  SHA256: 0dee85cc183331c27bad7cff8f1bef59021bd9eb966e686f0bda1596b73566c5
  SHA512: 53391019b0689f7396743b218fb54a64b52562107d22f66766059de06b053818c4460cfeddb8a5be2284509b40bd19f7c620306bf5ca24a430b21997cec92187
- Filesize: 39KB
  MD5: 1a0c2422352b4fc6a7bb6f75c13b0160
  SHA1: 416259f03da5ef1268a40a60df0f1246251baeab
  SHA256: 83663c46a5398418eebae1c29408f68dbaa46e66da30ecad326ad72a5b0cd53b
  SHA512: 0687264e012887728989589e6b20d800fae9f4440e191da6f964e9b6cd34c2e97cb788c1850dd5d67d4766a9f10f53cc39d8c4a5d2e0d96127f16ae0bc13fd2e
- Filesize: 7KB
  MD5: f175155dc1a89c32a8595e26b49220ef
  SHA1: a887cbd0bd5821e5c11de988de511d3490e50c5c
  SHA256: 7f7b10d4aae9564d0e8e25dc5130a6253c1cbd28afb9a55c8a7d897e559dc770
  SHA512: 3f24e5304a03d8305d04182ad839f3b4c7bee8c8e8bc4ebc06034a333036d3d7b3b8f4bab7ff292e456990a2365faa6ee6b307eea929ef59bc44395afbf0edf6
- Filesize: 1KB
  MD5: 2bf83068d51d5480380faef044283bf4
  SHA1: 36e258818b76cbc9059eb83a46321a496dfd78dd
  SHA256: a7fe37feb1fc0728848aa412a862c2984f3234c50b691481b909fb069b028620
  SHA512: ed5b97f098de166ae6d2adcf83e8e57a0c8c6c5137f74a840b40da1d085f39096300fade3743a43d1a6265d33a4868cd556b7143c96f6469ec1c1a50b1b534a4
- Filesize: 3KB
  MD5: 4216f2263f7d38345c50f4c5ffee18dc
  SHA1: 51aaf19eddf1a69d19ee91155b300ec953c5f800
  SHA256: f92d9ce7c0505f86580159d2cba2d0e73b91983fc77d9e26e9e0141206fd44b8
  SHA512: 67909c885f2cce63d42e99b1e66fe7c88056f40d382463c09a60d8c53ccc3938d66ac815670b7c39c49e18840784da3921d7bff55df77abd9785eaf8c52456bd
- Filesize: 4KB
  MD5: e73fa8858d8aa1a13985995e4906c781
  SHA1: 5495c706c00e50123ba9d30202700411cf21b24a
  SHA256: 944af467fe63a9ce5c707c62120ec6c6bda7439a2dcff63310fdb6178f083073
  SHA512: 0292427fed7a5f86097c1794e2d524ff49b9b93996cab16c638d088ff7259b9400a643ae5282c5b459b85a78eab14d7e0b2206f6003332d17f736914386bb3bf
- Filesize: 45KB
  MD5: 14778971ddbe8856a5f9664cda9d3aea
  SHA1: d511701327ee9712c21a87259a6c5d38057587dc
  SHA256: 415bb76aa416f4f2287260b5fe420450306e29831176e60277598a676fdb8b64
  SHA512: 463a1d40bdd2bdb7397d9568696c844d6f67e31f68f02900ff88af96b0ee4d86805f5527555f9b9715d71de1dc69aa7aea28cc0878f64ff9747fc44ed3529d1a
- Filesize: 1KB
  MD5: 84cc80aab24f5effebbfc8b110baa853
  SHA1: e327235b3cc35b02285fad22f41f00843809ad21
  SHA256: f08d6f4de6724dae96104861679500668fef2c68c06dd3268483e50f811547a3
  SHA512: a8072ce9f0bb80598ce3b99afe7888d7099a2bc4137155d207e7bb2a303846329528d30857b56a9e6c9b702d391c04dd5e3ce9ed8f0a634324d1bf7800c067e7
- Filesize: 7KB
  MD5: 8d49c2f2eb2b40763485b33a745e6a01
  SHA1: 8e11da04a46f9c497d85177d5cf91bf674098765
  SHA256: d70af084fabadfb1f46843d9799dc6f5af4610c5de801de70c907e089b9ee74d
  SHA512: def0d6a7c1128e322895b41bd7c93b2c957d113ee2f9f30b3847f118deef87df720f236176ae347888126f33d04e7c811836f38e3150b032fd6221020bbb0e38