Analysis Overview
SHA256: 3c929d7c2dfe5638f93422aa26f6b6ef06624d0f8daa49887db9aac351d7b9d4
Threat Level: Known bad
The file Cryptor.rar was found to be: Known bad.
Malicious Activity Summary
Luca Stealer
Quasar family
Luca Stealer payload
Lucastealer family
Quasar payload
Unsecured Credentials: Credentials In Files
Executes dropped EXE
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
UPX packed file
Command and Scripting Interpreter: PowerShell
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-12-28 05:25
Signatures
Luca Stealer payload
Lucastealer family
Quasar family
Quasar payload
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-12-28 05:25
Reported: 2024-12-28 05:26
Platform: win10ltsc2021-20241211-en
Max time kernel: 31s
Max time network: 32s
Signatures
Luca Stealer
Luca Stealer payload
Lucastealer family
Executes dropped EXE
| Process |
| C:\Users\Admin\Desktop\Cryptor\Cryptor.exe |
| C:\Users\Admin\Desktop\Cryptor\Cryptor.exe |
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
UPX packed file
Command and Scripting Interpreter: PowerShell
| Process |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Suspicious behavior: EnumeratesProcesses
| Process |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeRestorePrivilege | C:\Program Files\7-Zip\7zFM.exe |
| Token: 35 | C:\Program Files\7-Zip\7zFM.exe |
| Token: SeSecurityPrivilege | C:\Program Files\7-Zip\7zFM.exe |
| Token: SeDebugPrivilege | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| Token: SeDebugPrivilege | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Suspicious use of FindShellTrayWindow
| Process |
| C:\Program Files\7-Zip\7zFM.exe |
| C:\Program Files\7-Zip\7zFM.exe |
Suspicious use of WriteProcessMemory
| Description | Process | Target |
| PID 1720 wrote to memory of 1396 | C:\Users\Admin\Desktop\Cryptor\Cryptor.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1720 wrote to memory of 1396 | C:\Users\Admin\Desktop\Cryptor\Cryptor.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3912 wrote to memory of 1292 | C:\Users\Admin\Desktop\Cryptor\Cryptor.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3912 wrote to memory of 1292 | C:\Users\Admin\Desktop\Cryptor\Cryptor.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
| Process | Command line |
| C:\Program Files\7-Zip\7zFM.exe | "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Cryptor.rar" |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
| C:\Users\Admin\Desktop\Cryptor\Cryptor.exe | "C:\Users\Admin\Desktop\Cryptor\Cryptor.exe" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture \| Select -ExpandProperty DisplayName" |
| C:\Users\Admin\Desktop\Cryptor\Cryptor.exe | "C:\Users\Admin\Desktop\Cryptor\Cryptor.exe" C:\Users\Admin\Desktop\Cryptor\Client-built.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture \| Select -ExpandProperty DisplayName" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 172.165.61.93:443 | checkappexec.microsoft.com | tcp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 93.61.165.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| FR | 20.74.47.205:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\Cryptor\Cryptor.exe
memory/1720-6-0x00007FF75D990000-0x00007FF75DCAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zgzyeir3.hyl.ps1
memory/1396-16-0x00000295341B0000-0x00000295341D2000-memory.dmp
memory/1720-32-0x00007FF75D990000-0x00007FF75DCAC000-memory.dmp
memory/3912-34-0x00007FF75D990000-0x00007FF75DCAC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Temp\sensfiles.zip
C:\Users\Admin\AppData\Local\Temp\fEvu4xLkb6uKUbRQt8RLiyslNWf8se\user_info.txt
C:\Users\Admin\AppData\Local\Temp\out.zip
memory/3912-62-0x00007FF75D990000-0x00007FF75DCAC000-memory.dmp