Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-12-2023 23:01
Static task: static1
Behavioral task: behavioral1
  Sample: fe905ed17bcf3e53a9a38f0ace182e96.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: fe905ed17bcf3e53a9a38f0ace182e96.exe
  Resource: win10v2004-20231222-en
General
- Target: fe905ed17bcf3e53a9a38f0ace182e96.exe
- Size: 1.5MB
- MD5: fe905ed17bcf3e53a9a38f0ace182e96
- SHA1: ff1cefd1d5310c2d1aee48f770753bd7cd64e669
- SHA256: 2027a3fc488a5ecfa69e9a9057c8975e2d28cd6c937197ec69fc896c971285c3
- SHA512: 4c09285f0629ead58770238b2637abd561ec39748336526903fa943cc3a11cf51c1d5c38d5d145b8d857cfa3f3fc12a85d288797c398c284de817f51ccf087c7
- SSDEEP: 24576:fFb534xD3XpyiIkLlHpEZDsKdW4RvYijfWHaAZ0iWc7MupkAy/jLAT5FrFlPMtcm:Jh4ZdZpyDsKdWbijoT5fMupfILWlBpMt
Malware Config
Extracted
- Family: cryptbot
- C2: ewaqfe45.top, morjau04.top
- payload_url: http://winhaf05.top/download.php?file=lv.exe
Signatures
- CryptBot payload (5 IoCs)
  resource | yara_rule
  behavioral2/memory/3380-27-0x0000000004B90000-0x0000000004C33000-memory.dmp | family_cryptbot
  behavioral2/memory/3380-26-0x0000000004B90000-0x0000000004C33000-memory.dmp | family_cryptbot
  behavioral2/memory/3380-25-0x0000000004B90000-0x0000000004C33000-memory.dmp | family_cryptbot
  behavioral2/memory/3380-29-0x0000000004B90000-0x0000000004C33000-memory.dmp | family_cryptbot
  behavioral2/memory/3380-237-0x0000000004B90000-0x0000000004C33000-memory.dmp | family_cryptbot
  All five hits are the same 0xA3000-byte (652 KB) region of PID 3380 (Poi.exe.com), dumped at successive points in the run; the dump name encodes pid, dump sequence number, start address and end address. The unpacked CryptBot payload therefore lives in memory of the second Poi.exe.com instance, not in the on-disk files.
- Executes dropped EXE (2 IoCs)
  pid | process
  4560 | Poi.exe.com
  3380 | Poi.exe.com
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 \"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"" | fe905ed17bcf3e53a9a38f0ace182e96.exe
  Caveat: a RunOnce value named wextract_cleanup0 pointing at advpack.dll,DelNodeRunDLL32 is the self-cleanup entry written by the Windows IExpress/WEXTRACT self-extractor stub; it deletes the IXP000.TMP extraction folder at next logon rather than relaunching the payload. On its own it shows that the sample is an IExpress-packaged dropper, not that the malware has established persistence.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Poi.exe.com
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Poi.exe.com
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process
  3380 | Poi.exe.com
  3380 | Poi.exe.com
- Suspicious use of WriteProcessMemory (21 IoCs)
  source pid | source process | target pid | target process | writes
  3364 | fe905ed17bcf3e53a9a38f0ace182e96.exe | 468 | cmd.exe | 3
  3364 | fe905ed17bcf3e53a9a38f0ace182e96.exe | 2192 | cmd.exe | 3
  2192 | cmd.exe | 400 | cmd.exe | 3
  400 | cmd.exe | 4784 | findstr.exe | 3
  400 | cmd.exe | 4560 | Poi.exe.com | 3
  400 | cmd.exe | 2836 | PING.EXE | 3
  4560 | Poi.exe.com | 3380 | Poi.exe.com | 3
  Every parent/child pair shows exactly three writes and the table mirrors the process tree one-to-one, which is what process creation looks like from this vantage point; the signal here is the chain of processes, not any single write.
Processes
(parent/child relations follow the WriteProcessMemory table above)

C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe  (PID 3364)
  "C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 468)
    cmd /c UcNzcjbM

  C:\Windows\SysWOW64\cmd.exe  (PID 2192)
    cmd /c cmd < Amo.sys
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 400)
      cmd
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\findstr.exe  (PID 4784)
        findstr /V /R "^fEQJhwnKKuicpzjpscwvTJMvNeQkoysJJdDVeObWsMNmmUcuUwpUoKgFSxVlkhBEObLTPduDXttuWhWTGJsiVbAZwY$" Orti.sys

      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com  (PID 4560)
        Poi.exe.com o
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com  (PID 3380)
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com o
          - Executes dropped EXE
          - Checks processor information in registry
          - Suspicious use of FindShellTrayWindow

      C:\Windows\SysWOW64\PING.EXE  (PID 2836)
        ping localhost -n 30
        - Runs ping.exe

Reading the chain: "cmd < Amo.sys" feeds a script to cmd.exe on standard input, so the batch logic never exists as a .bat/.cmd file and does not appear on any command line. "findstr /V /R" with an anchored 90-character random token prints every line of Orti.sys that does not match it, i.e. the whole file; its output is redirected by the parent cmd.exe, and that redirection is not visible in the captured findstr command line, so findstr is acting as a copy primitive rather than a search. "ping localhost -n 30" is a roughly 30-second delay. Poi.exe.com carries a double extension and is launched from the IExpress extraction folder (IXP000.TMP) with a single-letter argument, and the second instance (PID 3380) is the one in which the CryptBot payload is detected in memory.
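The four behaviours in that chain (cmd reading its script from redirected stdin, findstr /V with an unmatchable anchored token, ping to loopback as a sleep, a double-extension binary launched from %TEMP%) are each weak alone and strong together. The following is an added example, not part of the sandbox report: a small correlation rule in Python that runs over process-creation events and alerts on the root process whose tree shows several of these indicators. The event list is constructed from the process tree above, with parent PIDs taken from the WriteProcessMemory table; the root's parent PID (1000), the 20-character token length, the ping-count floor and the "three indicators" threshold are assumptions chosen for illustration, not values from the report.

```python
"""
Flag the obfuscated cmd/findstr/ping loader chain from process-creation events.

Added example for this report; not part of the sandbox output. EVENTS is
constructed from the report's process tree, with parent PIDs taken from its
WriteProcessMemory table. PPID 1000 for the root process and all thresholds
are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (behavioral2).
ROOT_IMG = r"C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe"
POI_IMG = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com"
EVENTS = [
    ProcEvent(3364, 1000, ROOT_IMG, f'"{ROOT_IMG}"'),  # ppid 1000 is assumed
    ProcEvent(468, 3364, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c UcNzcjbM"),
    ProcEvent(2192, 3364, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c cmd < Amo.sys"),
    ProcEvent(400, 2192, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    ProcEvent(4784, 400, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /V /R "^fEQJhwnKKuicpzjpscwvTJMvNeQkoysJJdDVeObWsMNmmUcuUwpUoKgFSxVlkhBEObLTPduDXttuWhWTGJsiVbAZwY$" Orti.sys'),
    ProcEvent(4560, 400, POI_IMG, "Poi.exe.com o"),
    ProcEvent(2836, 400, r"C:\Windows\SysWOW64\PING.EXE", "ping localhost -n 30"),
    ProcEvent(3380, 4560, POI_IMG, f"{POI_IMG} o"),
]

# Per-event indicators. Thresholds are assumptions, not values from the report.
RULES = {
    # cmd.exe reading its script from a redirected file instead of a .bat/.cmd argument
    "cmd_stdin_script": re.compile(r"\bcmd(?:\.exe)?\s+/c\s+cmd\s*<\s*\S+", re.I),
    # findstr /V with a long anchored token no line can match: prints the whole file
    "findstr_as_copy": re.compile(
        r'\bfindstr(?:\.exe)?\s+/V\s+/R\s+"\^[A-Za-z0-9]{20,}\$"\s+\S+', re.I),
    # ping to loopback with a large -n count, used as a sleep
    "ping_sleep": re.compile(
        r"\bping(?:\.exe)?\s+(?:localhost|127\.0\.0\.1)\s+-n\s+(\d+)", re.I),
}
MIN_PING_COUNT = 10  # assumed floor; "ping localhost -n 30" clears it
DOUBLE_EXT = re.compile(r"\.(?:exe|dll|txt|pdf|jpg|png)\.(?:com|pif|scr|bat|cmd)$", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def match_event(ev: ProcEvent) -> list[str]:
    """Return the indicator names a single event triggers."""
    hits = []
    for name, rx in RULES.items():
        m = rx.search(ev.cmdline)
        if not m:
            continue
        if name == "ping_sleep" and int(m.group(1)) < MIN_PING_COUNT:
            continue
        hits.append(name)
    if DOUBLE_EXT.search(ev.image) and TEMP_DIR.search(ev.image):
        hits.append("double_extension_from_temp")
    return hits


def detect(events: list[ProcEvent], min_techniques: int = 3) -> dict[int, list[str]]:
    """Group indicators by the top-most ancestor present in the event set and
    return the roots whose tree shows at least min_techniques distinct ones."""
    by_pid = {e.pid: e for e in events}

    def root(pid: int) -> int:
        seen = set()
        while pid not in seen and by_pid[pid].ppid in by_pid:
            seen.add(pid)
            pid = by_pid[pid].ppid
        return pid

    per_root: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        for hit in match_event(ev):
            per_root[root(ev.pid)].add(hit)
    return {r: sorted(t) for r, t in per_root.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    for root_pid, techniques in detect(EVENTS).items():
        print(f"root PID {root_pid}: {', '.join(techniques)}")
```

Against the constructed events the rule attributes all four indicators to PID 3364, the original dropper, because every hit sits somewhere beneath it; a lone "ping localhost -n 4" under an interactive cmd.exe produces nothing. In production the same grouping should be done against Sysmon Event ID 1 or EDR process-start telemetry, where the parent PID field is reliable and the redirected-output target of the findstr call can be recovered from the parent cmd.exe's file-write events.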
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 435B
  MD5: 66712fc92a4d05bfc412b18541a1e8df
  SHA1: bf4fb00e6b894338aea687cbf537c90fc255710a
  SHA256: 750eed4b135f1ea433781bc4b9bb26029b2c49dbc647248460b3409329d30e0f
  SHA512: a792210dacd9018a16b3071deb823d0a9d66ec86d043d7dae5049bbec74dbf7446565d4262b01cf3acefa7088e344d15651339e7a831f96c3b68aa88e3bd8049
- Filesize: 634KB
  MD5: 54f0e73b5a88d409599b7e3e750d7b3e
  SHA1: 505d7e828d731229a6de916484cab7dedb46b514
  SHA256: 34ab271f23045173ce6aba259cc4a4e4c865bad16f477e6835a8bc5b7b522dbe
  SHA512: 1c351347ba9a1a14f9d115f62e79817e33e8029eae9f41096d082d2edd3faec7ced9fb6757750cd72d300c7b10f651f2466899cbb1586e0014a308f2aa874d9a
- Filesize: 740KB
  MD5: 12ff8e0efd9f2562d16b1e80732199d6
  SHA1: 72bee424ae31db9d44af600d3ed7efe2fd302feb
  SHA256: 04e8cb2989a65eba72595910983a478060804d0574f7601e63ca2a2019ea2f6d
  SHA512: 31e5fb89c6b1e8cf8d5880cd7be02bd211621fa9173f2e809565d050b019ff04926e12a2520c404fbf7d4ae1df9dcb52e2c6da6d68abbbaecdff6ebc7032a489
- Filesize: 872KB
  MD5: 6204adb9ff1ab1b352c0d002898066f8
  SHA1: 187a0baa6edf36c368228803ca848ff936d960f0
  SHA256: 286df8487ecbacbd539fe964823253f8d0a8f515079b44938b09a1a1bee2e6ee
  SHA512: eb9478ff389a6e392d8db73240c0f917ad004ca685f35f74a36e5f779530b5f707eabb28f64be1c283c74e640817acf85b266508ee0d3360b43abfe08fc4ef32
- Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- Filesize: 152KB
  MD5: 1947dc50b35f5fa74d801e6e603606da
  SHA1: 3e273830197f729a0d95a04e3f468c042791feea
  SHA256: 1a05861ffaff6a3e871203d69e21916bca3664674516d938fdc2394d2216c6f5
  SHA512: 06b7660b32f283d8c015007d7f8b857dae18128aa357569b4e608db3c8031ea517c43d8dcaba3b3ad530cdcf4f53b32e2b25a6f3fef88d94edd2ceb52365e9a8
- Filesize: 39KB
  MD5: 1f3d3651b297133747d9fb40e815628e
  SHA1: a0707e4b04d1b74e62f8b29baa65820cac4793c4
  SHA256: 2ca85bbbacbaccda2c2638e8f572566bc334f139f6dab35e37e90445c9f8f06d
  SHA512: 6e52855ac3bd9bdd8f60f8ffa4f0390c6dc9e8666708f440efe9af1156b96d079b96024262483f19f15eda4c678c1602299c42728b18469e073254df10769beb
- Filesize: 1KB
  MD5: bed5729b972fc84784fee00f37b1a3ba
  SHA1: 279d15739db61ba6b1342ac9bcc13f35f4be63ef
  SHA256: 4a41eaed64a71d756be26ca15fdb9a8166982300f8a6f2676d6bc5a624a558a5
  SHA512: f637fc660c5b741d7df53b31c0b9bcdf45249d2381f0da18123a929d5c8265d28a6d5b6e94d8b601490965359a7f3f51375d99fd9cdbdc74343a576a5c1dde5e
- Filesize: 1KB
  MD5: 0a8477621b9c8e3c29af1bef6de5af4b
  SHA1: 62659149c21c4b89aaa2f5925f605ab2760a620c
  SHA256: d6a5deccfd9f8054c330218118c39d9a0dc3d86e07ae3b3ed028ff30b1013fee
  SHA512: 9c49759d580af62549b0c3799b01330067dd919b1bdf9e598d03af0956c98491a6ecb5889d135246f66128dfe6eb64db82de06ca90b185fa5a4fe9546fe53b42
- Filesize: 4KB
  MD5: 462ae8f6c55fe9f902a166e3195d26cb
  SHA1: 4aa75d7e3f59e730c1894ebb800fd7733bb558b8
  SHA256: 12fcfe636fc86ae93c7dea0b88afd91862944da26732f96727c9e9f6738f7f1a
  SHA512: 427d2281061f4c675ee7d331a4c3d108ede1991cdd7f33eb16c57da01726ac4461c11da267b18aace69dd39a3ea5cd04794073a97e609ab67c6929c08a245fb9
- Filesize: 45KB
  MD5: 72bd4cd78cf511412e7ff5b1e9c2cab0
  SHA1: 9506acc465154ba16a270116deef0a21d2e59671
  SHA256: 0dd1f3acd39897d2b8014ca6f8374f9bd22d03d6e5ab8fe8f47b06a673915b5c
  SHA512: 9a87f47576748be24adbf58f9479e16314edfd96482b1381a89e6c43e225ebf1ea570c956f912cbb1d7f27dff2850a28e6398cf9d518e1125557410771b5918c
- Filesize: 1KB
  MD5: 7f1dbdf77e6e19b6de4a449731940250
  SHA1: 8147f1e55532cb16ec18533bc96d98a4bba0b8e9
  SHA256: 5d55f3be7f56b5c683ddcbd8bf07ce7f49ee94de8f12acf88e7886bbe2ea76ca
  SHA512: 3d9604e6ff8e4a705a7a53276cad9a3847151b0bfda9f3c28a2766785dc8f78a6606d443463a6d3efcf668ef52c8706874ee37d0e11bac1ff9fe5e82dcd12cbe
- Filesize: 4KB
  MD5: 388f28603075fd048569dd2193027c5a
  SHA1: aeadf409ddd10eae410f288679febdc8e0cecb69
  SHA256: 8ed7d23b3cebc31f7edacdbef77c3171e9f5a54faf44cd795e019840449c05d5
  SHA512: e22f761ac6ee5b598ded81dfe85796254643af395e071df74df21203636040ac3c0164b84e0fa7b7c00c385e3cc40a8893e492d0b419481a9555fad13ece92ca
- Filesize: 39KB
  MD5: 709e38c165791c0c77619cc62455707b
  SHA1: 60dbb775be4a83915bac31f669fdbda8f9db1d90
  SHA256: 0aebb247d2ad28f347d3b90b8d4a4367cd4b644227cf96c3c1bc0295601f02f6
  SHA512: 43464b16117f36a7c85bb75d713232303222a18b0e4503960942894562f68565432fef13e0f6e3bcaad395cac6809e7c470beee01834f5d00bd7cdfe8d01b803