Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
28-12-2023 23:01
Static task
static1
Behavioral task
behavioral1
Sample
fe905ed17bcf3e53a9a38f0ace182e96.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
fe905ed17bcf3e53a9a38f0ace182e96.exe
Resource
win10v2004-20231222-en
General
-
Target
fe905ed17bcf3e53a9a38f0ace182e96.exe
-
Size
1.5MB
-
MD5
fe905ed17bcf3e53a9a38f0ace182e96
-
SHA1
ff1cefd1d5310c2d1aee48f770753bd7cd64e669
-
SHA256
2027a3fc488a5ecfa69e9a9057c8975e2d28cd6c937197ec69fc896c971285c3
-
SHA512
4c09285f0629ead58770238b2637abd561ec39748336526903fa943cc3a11cf51c1d5c38d5d145b8d857cfa3f3fc12a85d288797c398c284de817f51ccf087c7
-
SSDEEP
24576:fFb534xD3XpyiIkLlHpEZDsKdW4RvYijfWHaAZ0iWc7MupkAy/jLAT5FrFlPMtcm:Jh4ZdZpyDsKdWbijoT5fMupfILWlBpMt
Malware Config
Extracted
cryptbot
ewaqfe45.top
morjau04.top
-
payload_url
http://winhaf05.top/download.php?file=lv.exe
Signatures
-
CryptBot payload 5 IoCs
Processes:
resource yara_rule
behavioral1/memory/2888-30-0x0000000003890000-0x0000000003933000-memory.dmp family_cryptbot
behavioral1/memory/2888-29-0x0000000003890000-0x0000000003933000-memory.dmp family_cryptbot
behavioral1/memory/2888-28-0x0000000003890000-0x0000000003933000-memory.dmp family_cryptbot
behavioral1/memory/2888-31-0x0000000003890000-0x0000000003933000-memory.dmp family_cryptbot
behavioral1/memory/2888-251-0x0000000003890000-0x0000000003933000-memory.dmp family_cryptbot
-
Executes dropped EXE 2 IoCs
Processes:
pid process
2764 Poi.exe.com
2888 Poi.exe.com
-
Loads dropped DLL 2 IoCs
Processes:
pid process
3040 cmd.exe
2764 Poi.exe.com
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" fe905ed17bcf3e53a9a38f0ace182e96.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Poi.exe.com
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Poi.exe.com
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid process
2888 Poi.exe.com
2888 Poi.exe.com
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
description pid process target process
PID 1848 wrote to memory of 1948 1848 fe905ed17bcf3e53a9a38f0ace182e96.exe cmd.exe
PID 1848 wrote to memory of 1948 1848 fe905ed17bcf3e53a9a38f0ace182e96.exe cmd.exe
PID 1848 wrote to memory of 1948 1848 fe905ed17bcf3e53a9a38f0ace182e96.exe cmd.exe
PID 1848 wrote to memory of 1948 1848 fe905ed17bcf3e53a9a38f0ace182e96.exe cmd.exe
PID 1848 wrote to memory of 2960 1848 fe905ed17bcf3e53a9a38f0ace182e96.exe cmd.exe
PID 1848 wrote to memory of 2960 1848 fe905ed17bcf3e53a9a38f0ace182e96.exe cmd.exe
PID 1848 wrote to memory of 2960 1848 fe905ed17bcf3e53a9a38f0ace182e96.exe cmd.exe
PID 1848 wrote to memory of 2960 1848 fe905ed17bcf3e53a9a38f0ace182e96.exe cmd.exe
PID 2960 wrote to memory of 3040 2960 cmd.exe cmd.exe
PID 2960 wrote to memory of 3040 2960 cmd.exe cmd.exe
PID 2960 wrote to memory of 3040 2960 cmd.exe cmd.exe
PID 2960 wrote to memory of 3040 2960 cmd.exe cmd.exe
PID 3040 wrote to memory of 2756 3040 cmd.exe findstr.exe
PID 3040 wrote to memory of 2756 3040 cmd.exe findstr.exe
PID 3040 wrote to memory of 2756 3040 cmd.exe findstr.exe
PID 3040 wrote to memory of 2756 3040 cmd.exe findstr.exe
PID 3040 wrote to memory of 2764 3040 cmd.exe Poi.exe.com
PID 3040 wrote to memory of 2764 3040 cmd.exe Poi.exe.com
PID 3040 wrote to memory of 2764 3040 cmd.exe Poi.exe.com
PID 3040 wrote to memory of 2764 3040 cmd.exe Poi.exe.com
PID 3040 wrote to memory of 2700 3040 cmd.exe PING.EXE
PID 3040 wrote to memory of 2700 3040 cmd.exe PING.EXE
PID 3040 wrote to memory of 2700 3040 cmd.exe PING.EXE
PID 3040 wrote to memory of 2700 3040 cmd.exe PING.EXE
PID 2764 wrote to memory of 2888 2764 Poi.exe.com Poi.exe.com
PID 2764 wrote to memory of 2888 2764 Poi.exe.com Poi.exe.com
PID 2764 wrote to memory of 2888 2764 Poi.exe.com Poi.exe.com
PID 2764 wrote to memory of 2888 2764 Poi.exe.com Poi.exe.com
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe
"C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1848
-
  C:\Windows\SysWOW64\cmd.exe
  cmd /c UcNzcjbM
  PID:1948
-
  C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Amo.sys
  - Suspicious use of WriteProcessMemory
  PID:2960
-
C:\Windows\SysWOW64\cmd.exe
cmd
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040
-
  C:\Windows\SysWOW64\PING.EXE
  ping localhost -n 30
  - Runs ping.exe
  PID:2700
-
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
  Poi.exe.com o
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2764
-
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com o
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of FindShellTrayWindow
    PID:2888
-
  C:\Windows\SysWOW64\findstr.exe
  findstr /V /R "^fEQJhwnKKuicpzjpscwvTJMvNeQkoysJJdDVeObWsMNmmUcuUwpUoKgFSxVlkhBEObLTPduDXttuWhWTGJsiVbAZwY$" Orti.sys
  PID:2756
Downloads