Analysis
max time kernel: 175s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-12-2023 22:03
Static task: static1
Behavioral task: behavioral1
Sample: fb660cd8294a2f697bc610d746833d91.exe
Resource: win7-20231129-en
General
Target: fb660cd8294a2f697bc610d746833d91.exe
Size: 760KB
MD5: fb660cd8294a2f697bc610d746833d91
SHA1: e9cfc83ec806592a49bd094e2bbc07c937e0c9e2
SHA256: 28877275c2c938f24cd0bf43f2c0cef090c58b7a85a988b2f6dff4970660b07d
SHA512: 10da1e75c4aeb3df811dd22a2da4528227f8d7350bfa5992ef6cc4f3f8822e2c7ffdf897040635c1476f95b0112f13376be7cb849a8dea81455db73056329c92
SSDEEP: 12288:n0JPFOR1iusUfrhWlR7b00lfTu+PaOpGEIyl+fnbKx/Dpclca1lUSvsNdH1GXiD:KOR1iusUT0L7fTuMNuydFaYSgHcXi
Malware Config
Extracted
Family: cryptbot
C2:
- ewaisg12.top
- morvay01.top
payload_url: http://winezo01.top/download.php?file=lv.exe
Signatures

CryptBot payload (6 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/3180-2-0x0000000002230000-0x0000000002311000-memory.dmp    family_cryptbot
  behavioral2/memory/3180-3-0x0000000000400000-0x00000000004E5000-memory.dmp    family_cryptbot
  behavioral2/memory/3180-4-0x0000000000400000-0x00000000004E5000-memory.dmp    family_cryptbot
  behavioral2/memory/3180-7-0x0000000000400000-0x00000000004E5000-memory.dmp    family_cryptbot
  behavioral2/memory/3180-111-0x0000000002230000-0x0000000002311000-memory.dmp  family_cryptbot
  behavioral2/memory/3180-209-0x0000000000400000-0x00000000004E5000-memory.dmp  family_cryptbot
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                      process
  Key value queried  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation  fb660cd8294a2f697bc610d746833d91.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                               process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                  fb660cd8294a2f697bc610d746833d91.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  fb660cd8294a2f697bc610d746833d91.exe
Delays execution with timeout.exe (1 IoC)
Processes:
  pid   process
  3028  timeout.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid   process
  3180  fb660cd8294a2f697bc610d746833d91.exe
  3180  fb660cd8294a2f697bc610d746833d91.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                    pid   process                               target process
  PID 3180 wrote to memory of 3160  3180  fb660cd8294a2f697bc610d746833d91.exe  cmd.exe
  PID 3180 wrote to memory of 3160  3180  fb660cd8294a2f697bc610d746833d91.exe  cmd.exe
  PID 3180 wrote to memory of 3160  3180  fb660cd8294a2f697bc610d746833d91.exe  cmd.exe
  PID 3160 wrote to memory of 3028  3160  cmd.exe                               timeout.exe
  PID 3160 wrote to memory of 3028  3160  cmd.exe                               timeout.exe
  PID 3160 wrote to memory of 3028  3160  cmd.exe                               timeout.exe
Processes
C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe"
  PID: 3180
  - Checks computer location settings
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\SQMDwDoW & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91.exe"
    PID: 3160
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      PID: 3028
      - Delays execution with timeout.exe
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3180 -ip 3180
  PID: 2392
Network
MITRE ATT&CK Enterprise v15
Downloads