Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-12-2023 23:01

General

  • Target

    fe905ed17bcf3e53a9a38f0ace182e96.exe

  • Size

    1.5MB

  • MD5

    fe905ed17bcf3e53a9a38f0ace182e96

  • SHA1

    ff1cefd1d5310c2d1aee48f770753bd7cd64e669

  • SHA256

    2027a3fc488a5ecfa69e9a9057c8975e2d28cd6c937197ec69fc896c971285c3

  • SHA512

    4c09285f0629ead58770238b2637abd561ec39748336526903fa943cc3a11cf51c1d5c38d5d145b8d857cfa3f3fc12a85d288797c398c284de817f51ccf087c7

  • SSDEEP

    24576:fFb534xD3XpyiIkLlHpEZDsKdW4RvYijfWHaAZ0iWc7MupkAy/jLAT5FrFlPMtcm:Jh4ZdZpyDsKdWbijoT5fMupfILWlBpMt

Malware Config

Extracted

Family

cryptbot

C2

ewaqfe45.top

morjau04.top

Attributes
  • payload_url

    http://winhaf05.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ information stealer, widely distributed bundled with other software.

  • CryptBot payload 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe
    "C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c UcNzcjbM
      2⤵
        PID:1948
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c cmd < Amo.sys
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2960
    • C:\Windows\SysWOW64\cmd.exe
      cmd
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Windows\SysWOW64\PING.EXE
        ping localhost -n 30
        2⤵
        • Runs ping.exe
        PID:2700
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
        Poi.exe.com o
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com o
          3⤵
          • Executes dropped EXE
          • Checks processor information in registry
          • Suspicious use of FindShellTrayWindow
          PID:2888
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V /R "^fEQJhwnKKuicpzjpscwvTJMvNeQkoysJJdDVeObWsMNmmUcuUwpUoKgFSxVlkhBEObLTPduDXttuWhWTGJsiVbAZwY$" Orti.sys
        2⤵
          PID:2756

Downloads