Analysis
-
max time kernel
117s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
14/06/2022, 22:02
Static task
static1
Behavioral task
behavioral1
Sample
2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe
Resource
win7-20220414-en
General
-
Target
2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe
-
Size
1.8MB
-
MD5
fc858cc2dc379c90ce729dcd4b58a4a4
-
SHA1
e5fa397a9053ac198b08aba3da3ada0304b94b32
-
SHA256
2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e
-
SHA512
3f925fecb3a0d6748e0475fe7be238394cbff453d9dae65db2863e59b01a8202de216e4181a03d1d5aa612f978212dda29120271e8170fae9a763ff5f141496f
Malware Config
Extracted
cryptbot
geobau75.top
moryce07.top
-
payload_url
http://rogkjs10.top/download.php?file=lv.exe
Signatures
-
CryptBot Payload 3 IoCs
resource yara_rule behavioral2/memory/3912-147-0x0000000000630000-0x0000000000A63000-memory.dmp family_cryptbot behavioral2/memory/3912-148-0x0000000000630000-0x0000000000A63000-memory.dmp family_cryptbot behavioral2/memory/3912-150-0x0000000000630000-0x0000000000715000-memory.dmp family_cryptbot -
Executes dropped EXE 2 IoCs
pid Process 4032 Oggi.exe.com 3912 Oggi.exe.com -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation 2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation Oggi.exe.com -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Oggi.exe.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Oggi.exe.com -
Delays execution with timeout.exe 1 IoCs
pid Process 3840 timeout.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4552 PING.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3912 Oggi.exe.com 3912 Oggi.exe.com -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 1708 wrote to memory of 4480 1708 2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe 79 PID 1708 wrote to memory of 4480 1708 2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe 79 PID 1708 wrote to memory of 4480 1708 2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe 79 PID 4480 wrote to memory of 3832 4480 cmd.exe 81 PID 4480 wrote to memory of 3832 4480 cmd.exe 81 PID 4480 wrote to memory of 3832 4480 cmd.exe 81 PID 3832 wrote to memory of 4572 3832 cmd.exe 82 PID 3832 wrote to memory of 4572 3832 cmd.exe 82 PID 3832 wrote to memory of 4572 3832 cmd.exe 82 PID 3832 wrote to memory of 4032 3832 cmd.exe 83 PID 3832 wrote to memory of 4032 3832 cmd.exe 83 PID 3832 wrote to memory of 4032 3832 cmd.exe 83 PID 3832 wrote to memory of 4552 3832 cmd.exe 84 PID 3832 wrote to memory of 4552 3832 cmd.exe 84 PID 3832 wrote to memory of 4552 3832 cmd.exe 84 PID 4032 wrote to memory of 3912 4032 Oggi.exe.com 85 PID 4032 wrote to memory of 3912 4032 Oggi.exe.com 85 PID 4032 wrote to memory of 3912 4032 Oggi.exe.com 85 PID 3912 wrote to memory of 3376 3912 Oggi.exe.com 93 PID 3912 wrote to memory of 3376 3912 Oggi.exe.com 93 PID 3912 wrote to memory of 3376 3912 Oggi.exe.com 93 PID 3376 wrote to memory of 3840 3376 cmd.exe 95 PID 3376 wrote to memory of 3840 3376 cmd.exe 95 PID 3376 wrote to memory of 3840 3376 cmd.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe"C:\Users\Admin\AppData\Local\Temp\2cae5c8eaa0285cc0761d93758b9830945981116b5d0306639d84af6d518a55e.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Lui.xltx2⤵
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd3⤵
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^DLJyiWOjFRXkEfehEjtbrnPYMsFWnKxNWzEcSkYjeoxprDGXReUaPfptWLzQdSNVbpgkKGxzhRxVtGUpLIyvPwYGpmmiSoWlx$" Estate.xltx4⤵PID:4572
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.comOggi.exe.com t4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com t5⤵
- Executes dropped EXE
- Checks computer location settings
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\AGGflPSZyCRb & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Oggi.exe.com"6⤵
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\timeout.exetimeout 37⤵
- Delays execution with timeout.exe
PID:3840
-
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 304⤵
- Runs ping.exe
PID:4552
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
894KB
MD53fbfca6a122bc342d3ddcee17303db89
SHA17ada094aba1b5861b25d937285814e84b220564f
SHA256d286dc81f29d1f9473a6da25597fb3bed4ac923360e7b1fbfe22752b39d22cbe
SHA51262f75af73a289975abfc2d8a314e616742db69229f705a96e6e62a0c81853f0aec79c358047bb86d6ff56242c3adfcd03bc99d12913e68e1f005a3488695cd0b
-
Filesize
872KB
MD5f90146ea7b535f5818cfbe015d0b0dbd
SHA1c9e85c4a87e8d8dff2cfff62c1936a920232d6e0
SHA25616e970c4f84b633bc0df5fc6d2dffecb0781a514fe52a45b25e479073efb5ad6
SHA5123f16c5e7136c65ef90c87788653fb9c177b49b22363f2ae24aa3105718c3a67d247b16de507dbf9bcd7e17f7079ad6c7678a19e40b6cc208725cb2451e6f8914
-
Filesize
329B
MD56c789bc49e35af75b40caf1bd6da59cb
SHA1fd1504f2f8676250072bb59c1513ed3ad25ce348
SHA256d9969d44961356fae2d7b6c6a4758b7c4dbea557886e00a42e57c68cdc168b79
SHA51207748b08ab50f98584e4223486c71cdf41b1f945cbe0ed1b2c0c45f4eaa649ffa5fc58f2c5b4024bced44d81f23a3c7f5b8256c9389f4b9d57b5699ecd949001
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
682KB
MD5b01e4db185b6b980945c1ea329ab6e49
SHA1112fe8a2f68bf0d9076e2b648bbb1ba5e7f8f476
SHA256db1d912a64e47e2928ebe436286e136c6d7b1b2eb6bfc0c8058e33c57386d592
SHA512ced411bcdcdb8345fb4a796cba181750181a438e42214be4aee0890af8706f0da05781c4d75f772d7bd4d95fe94b0cd2caaeaadd88a5460c0a5c1ce6d71f5893
-
Filesize
682KB
MD5b01e4db185b6b980945c1ea329ab6e49
SHA1112fe8a2f68bf0d9076e2b648bbb1ba5e7f8f476
SHA256db1d912a64e47e2928ebe436286e136c6d7b1b2eb6bfc0c8058e33c57386d592
SHA512ced411bcdcdb8345fb4a796cba181750181a438e42214be4aee0890af8706f0da05781c4d75f772d7bd4d95fe94b0cd2caaeaadd88a5460c0a5c1ce6d71f5893
-
Filesize
20KB
MD5055c8c5c47424f3c2e7a6fc2ee904032
SHA15952781d22cff35d94861fac25d89a39af6d0a87
SHA256531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a
SHA512c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a
-
Filesize
41KB
MD50928e1e40f0d3247a8f4249ee9600a87
SHA1b46cbceef92898b4129416d7013a0da20139e7d3
SHA2568341f7d3943b4ddf615afa7f36adef2f80fc40ea980c18f02f1487ca6f55349a
SHA512beceb6b15eb4942bd5a54015ba9a3dc092a21bf651a0276c8d3ecbd9296527972583d67f040540a5b32e4b4ac163296992a6985c1c61583f48a768b93cce2d2f
-
Filesize
88KB
MD58ee018331e95a610680a789192a9d362
SHA1e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9
SHA25694354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575
SHA5124b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4
-
Filesize
40KB
MD5b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
Filesize
88KB
MD58ee018331e95a610680a789192a9d362
SHA1e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9
SHA25694354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575
SHA5124b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4
-
Filesize
41KB
MD51b4ac758a37cd9701e0dc6babecf42bd
SHA1dc4d067a0ac92271d900cb2dc0b52200e94f7486
SHA256fdbfb86b151718f764bce4e9a6b9e2cb230e1fcac7d842772feb6a6ecefc7991
SHA512eff197b7b43bca20263f4aa558e928bd424f98a3c28a87e568c1fd8cc22aca8cdf5c06218c167f42de3a63536dd16fe4bfdea867e43807411346caf98a2166f4
-
Filesize
6KB
MD58e236ad39926201a69d5d7c3c49bbfa7
SHA1bc0ba62bcd0004d7b7fe7b3dea4d4326ed617445
SHA2562ea066aaab633d3643d3233cc254c8f25f01f6f1c429f2e84af9d35b63ca41b9
SHA5120fc0b8c2cef60b57938ce703496df56d3c8b3db0541f3cc6c2b83d0f9a2c7a5be75e0d1f4fde5555bb7131c02532603e13968f698653ce137654d8f4efa5ce8d
-
Filesize
47KB
MD5db78776d595cb03c3a39cf554eb81053
SHA1163fa20c9c98ed0ff349f523db97f517dea00efe
SHA256dbcfc3836b2bf203f667353ac7012414f39c98fbdaa325951b150130c2b98dc2
SHA512de2a33c051940bf43dcf83d8f08fd1336a63c913b68478f50ca707612351409d548ff07d31d50d2057f44b633cea4c77fa0e2fbc964e38e999a88b1287666e4d
-
Filesize
40KB
MD5b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
Filesize
47KB
MD5db78776d595cb03c3a39cf554eb81053
SHA1163fa20c9c98ed0ff349f523db97f517dea00efe
SHA256dbcfc3836b2bf203f667353ac7012414f39c98fbdaa325951b150130c2b98dc2
SHA512de2a33c051940bf43dcf83d8f08fd1336a63c913b68478f50ca707612351409d548ff07d31d50d2057f44b633cea4c77fa0e2fbc964e38e999a88b1287666e4d
-
Filesize
6KB
MD5858ebb1562d6ad6acd030f0c5f25c491
SHA1b21d498fb938721199765ad2ee692518284e8187
SHA2562b1a47f986676458a350a31c21f66d5468967bea97b8d16ddf8ab3a058ace01c
SHA512f2a072f5e70245df5e628d3ce4ba92d9a9498555d45cca783d9e5c6047b20b04ff89baa02dc9adada11bd156c0905825b7ab74a7ccf327f1b08c3e921c1977a4
-
Filesize
20KB
MD5055c8c5c47424f3c2e7a6fc2ee904032
SHA15952781d22cff35d94861fac25d89a39af6d0a87
SHA256531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a
SHA512c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a