10627f29effe5b03d5ec51ac8ad6d23116d1dca62bc39cd8014163d57e0ad504

Analysis

max time kernel
149s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
18-02-2025 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cryptic Release/Cryptic/CrypticSetup.exe
Size

1.7MB
MD5

a64517503adb2a1bb8a2f58ca8a661de
SHA1

f8a5a7f0f6a974559e63ec744402a497a45150e2
SHA256

11f4f22eabb173d8c37e80a3de3ba1d321805fb6d5adae498c6628145811ef2e
SHA512

d2abdecd68535ecb372a53d659e9a90bb219042c48d64627553a5a1e62ce0f9e88cd2bb4a2c41136bf280f1292379b936e1d0055f4111289e60ae64836f1baf3
SSDEEP

24576:27FUDowAyrTVE3U5F/jERcabKueSR0eKic6QL3E2vVsjECUAQT45deRV9RUrx:2BuZrEU0Rc8eSR0eKIy029s4C1eH9E

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1824	CrypticSetup.tmp

Loads dropped DLL 2 IoCs

pid	Process
1824	CrypticSetup.tmp
1824	CrypticSetup.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CrypticSetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CrypticSetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 1824	3468	CrypticSetup.exe	81
PID 3468 wrote to memory of 1824	3468	CrypticSetup.exe	81
PID 3468 wrote to memory of 1824	3468	CrypticSetup.exe	81

C:\Users\Admin\AppData\Local\Temp\Cryptic Release\Cryptic\CrypticSetup.exe
"C:\Users\Admin\AppData\Local\Temp\Cryptic Release\Cryptic\CrypticSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Users\Admin\AppData\Local\Temp\is-BG31M.tmp\CrypticSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-BG31M.tmp\CrypticSetup.tmp" /SL5="$5022C,908493,832512,C:\Users\Admin\AppData\Local\Temp\Cryptic Release\Cryptic\CrypticSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-63TV0.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BG31M.tmp\CrypticSetup.tmp

Filesize
3.1MB

MD5
2f129949f1a82013642be1e44ec00cfc

SHA1
87f929752e4873b298f3e9c84521ce95cc8048b0

SHA256
9cbf6c1ddc60cf30d4a3e096373b605989a0f7d66a77ce5ea9fd5cdecf847878

SHA512
a12c5f5d251cb1fe75a23e85e94634d0c1feaf3e4534cddff9c608f875fcead14754d344d119fddb1bfaf8bc991e5e5f51487acc8e89587a919257544e8b7b37

Download Submit
memory/1824-33-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1824-25-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1824-41-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1824-39-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1824-15-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1824-17-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1824-19-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1824-21-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1824-23-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1824-6-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1824-27-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1824-29-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1824-31-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1824-37-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1824-35-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/3468-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3468-13-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3468-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download