Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    12/02/2022, 01:38

General

  • Target

    a5219362cbb0c09963e6fe68b63565180a53ce4fac271770aeb180c03442575d.exe

  • Size

    1.6MB

  • MD5

    5ca4eb1b6296d6f6f2e118e0a2a228ba

  • SHA1

    9ae9bb0b2edc22af695974b784cd0dd3c62a7f97

  • SHA256

    a5219362cbb0c09963e6fe68b63565180a53ce4fac271770aeb180c03442575d

  • SHA512

    c5ca3629c71e7d38e71e1eb341fafeb31dac8b34aa27dcdd8ce8c556e6167f3e4f05a3f66c7c01a2d15efa114dca6a9e8a6e8ec99d8e98a562bf8969089a2073

Malware Config

Extracted

Family

cryptbot

C2

tisatp45.top

morivm04.top

Attributes
  • payload_url

    http://danwza05.top/download.php?file=jevons.exe

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5219362cbb0c09963e6fe68b63565180a53ce4fac271770aeb180c03442575d.exe
    "C:\Users\Admin\AppData\Local\Temp\a5219362cbb0c09963e6fe68b63565180a53ce4fac271770aeb180c03442575d.exe"
    1⤵
    • Checks processor information in registry
    PID:1180
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1696
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3512

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1180-137-0x0000000000576000-0x0000000000578000-memory.dmp
    Filesize: 8KB
  • memory/1180-136-0x0000000000400000-0x00000000005B5000-memory.dmp
    Filesize: 1.7MB
  • memory/1180-138-0x0000000000A20000-0x0000000000A21000-memory.dmp
    Filesize: 4KB
  • memory/1180-139-0x0000000002270000-0x00000000022B8000-memory.dmp
    Filesize: 288KB
  • memory/1696-133-0x000002B2CEF20000-0x000002B2CEF30000-memory.dmp
    Filesize: 64KB
  • memory/1696-134-0x000002B2CF140000-0x000002B2CF150000-memory.dmp
    Filesize: 64KB
  • memory/1696-135-0x000002B2D1640000-0x000002B2D1644000-memory.dmp
    Filesize: 16KB