Analysis
max time kernel: 208s
max time network: 248s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 28-12-2023 19:23

Static task: static1
Behavioral task: behavioral1
  Sample: f23000a51a7ac80b39bab71e83c3983a.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: f23000a51a7ac80b39bab71e83c3983a.exe
  Resource: win10v2004-20231215-en
General
Target: f23000a51a7ac80b39bab71e83c3983a.exe
Size: 1.5MB
MD5: f23000a51a7ac80b39bab71e83c3983a
SHA1: 647a3ce6cfc9e4a4f5c952678d8c7bda038a14f5
SHA256: bd7020c913d0170d15354c8e693a4b2469d2332768ef477c702bd1c51e41887c
SHA512: e7193498cea1d3a56a4a207c3f94aff45b591d4dc95b2ba67830a1252dd79560b63c8abdb36216f90e74fae22123c38f82b606953551ca54f1b015ca987ee7f3
SSDEEP: 24576:VyEptD7sRjWDFtr9xE8OoNTtfvJeqkIftCstIt2J5CNmfh8+IED471iuejTya:jZARsFtrTRbdtw4tC0LkyqED4xiuej
Malware Config
Extracted
Family: cryptbot
C2: ewaqfe45.top, morjau04.top
payload_url: http://winhaf05.top/download.php?file=lv.exe
Signatures
- CryptBot payload (5 IoCs)
  YARA rule family_cryptbot matched the same 0xA3000-byte region of PID 740 in five successive memory dumps:
    behavioral1/memory/740-28-0x00000000043B0000-0x0000000004453000-memory.dmp
    behavioral1/memory/740-29-0x00000000043B0000-0x0000000004453000-memory.dmp
    behavioral1/memory/740-30-0x00000000043B0000-0x0000000004453000-memory.dmp
    behavioral1/memory/740-31-0x00000000043B0000-0x0000000004453000-memory.dmp
    behavioral1/memory/740-249-0x00000000043B0000-0x0000000004453000-memory.dmp
- Executes dropped EXE (2 IoCs)
    PID 1676 Vorra.exe.com
    PID 740 Vorra.exe.com
- Loads dropped DLL (2 IoCs)
    PID 2540 cmd.exe
    PID 1676 Vorra.exe.com
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoC)
    f23000a51a7ac80b39bab71e83c3983a.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Note: a RunOnce value named wextract_cleanup0 that points advpack.dll,DelNodeRunDLL32 at an IXP000.TMP directory is the cleanup hook the IExpress/wextract self-extractor writes so its extraction directory is deleted at the next logon. It confirms the sample is an IExpress SFX package; it does not persist the CryptBot payload itself.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
    Vorra.exe.com: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Vorra.exe.com: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of FindShellTrayWindow (2 IoCs)
    PID 740 Vorra.exe.com (recorded twice)
- Suspicious use of WriteProcessMemory (28 IoCs; each parent -> child pair below was recorded four times)
    PID 2548 f23000a51a7ac80b39bab71e83c3983a.exe -> PID 2980 cmd.exe
    PID 2548 f23000a51a7ac80b39bab71e83c3983a.exe -> PID 2992 cmd.exe
    PID 2992 cmd.exe -> PID 2540 cmd.exe
    PID 2540 cmd.exe -> PID 3028 findstr.exe
    PID 2540 cmd.exe -> PID 1676 Vorra.exe.com
    PID 2540 cmd.exe -> PID 2752 PING.EXE
    PID 1676 Vorra.exe.com -> PID 740 Vorra.exe.com
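The WriteProcessMemory rows give the loader's process genealogy and the process tree further down gives its command lines: a batch script fed to cmd.exe on stdin from a ".pptx", findstr /V with an anchored junk marker run over a second ".pptx", a dropped ".exe.com" executed from the IExpress IXP000.TMP directory, and ping localhost -n 30 (thirty echo requests, roughly a second apart, i.e. a 30-second sleep). The Python below is an added example, not part of the sandbox report, that correlates those indicators into one detection over process-creation records. The record fields (pid, ppid, image, cmdline) are assumed to come from Sysmon Event ID 1 or an equivalent source; the sample records are constructed from this report's tree, with the root's parent pid set to 0 because the report does not show it, and the thresholds are the author's assumptions.

```python
"""Correlate process-creation records into the cmd -> findstr -> *.exe.com -> ping chain.

Added example, not code from the sandbox report or from the sample. Field names,
thresholds and the root's ppid of 0 are assumptions.
"""
import re

# findstr /V /R "^<long marker>$" <file>: emits every line of <file> except the marker
# line, which is how a payload hidden behind one junk line is written back out.
MARKER_FILTER = re.compile(
    r'findstr\s+/V\s+/R\s+"\^([A-Za-z0-9]{40,})\$"\s+"?([^\s"]+)', re.I)
# cmd < <file>: feeds a "document" to cmd.exe on stdin, i.e. runs it as a batch script.
STDIN_REDIRECT = re.compile(r'\bcmd(?:\.exe)?\s*<\s*"?([^\s"]+)', re.I)
# ping localhost -n N: N echo requests about a second apart, used as a sleep.
PING_SLEEP = re.compile(
    r'\bping(?:\.exe)?\s+(?:localhost|127\.0\.0\.1)\s+-n\s+(\d+)', re.I)
DOC_EXT = (".pptx", ".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".mp3", ".mp4")
MIN_PING_COUNT = 10   # assumption: shorter pings are common in benign scripts
MIN_INDICATORS = 3    # assumption: distinct indicators needed to call it a chain


def process_indicators(record):
    """Return the set of indicator names one process-creation record matches."""
    cmd, image = record["cmdline"], record["image"].lower()
    hits = set()
    m = STDIN_REDIRECT.search(cmd)
    if m and m.group(1).lower().endswith(DOC_EXT):
        hits.add("stdin_script_from_document")
    m = MARKER_FILTER.search(cmd)
    if m and m.group(2).lower().endswith(DOC_EXT):
        hits.add("findstr_marker_carve")
    if image.endswith(".exe.com"):
        hits.add("double_extension_exe_com")
    if "\\ixp000.tmp\\" in image:          # IExpress/wextract extraction directory
        hits.add("runs_from_iexpress_tmp")
    m = PING_SLEEP.search(cmd)
    if m and int(m.group(1)) >= MIN_PING_COUNT:
        hits.add("ping_sleep")
    return hits


def find_loader_chains(records):
    """For each findstr carve step, gather indicators from the cmd.exe that launched it
    (its ancestors and its other children) and return one candidate chain per host."""
    by_pid = {r["pid"]: r for r in records}
    hits = {r["pid"]: process_indicators(r) for r in records}
    chains = []
    for r in records:
        if "findstr_marker_carve" not in hits[r["pid"]]:
            continue
        host = r["ppid"]
        seen = set(hits[r["pid"]])
        for child in records:                  # siblings: *.exe.com, ping, ...
            if child["ppid"] == host:
                seen |= hits[child["pid"]]
        p = by_pid.get(host)
        while p is not None:                   # ancestors: the cmd < file.pptx launcher
            seen |= hits[p["pid"]]
            p = by_pid.get(p["ppid"])
        verdict = "loader_chain" if len(seen) >= MIN_INDICATORS else "suspicious_findstr"
        chains.append({"host_pid": host, "indicators": sorted(seen), "verdict": verdict})
    return chains


def rec(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


TMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
SYS = "C:\\Windows\\SysWOW64"
SAMPLE_RECORDS = [  # constructed from this report's process tree
    rec(2548, 0, TMP + "\\f23000a51a7ac80b39bab71e83c3983a.exe",
        '"' + TMP + '\\f23000a51a7ac80b39bab71e83c3983a.exe"'),
    rec(2980, 2548, SYS + "\\cmd.exe", "cmd /c rgmLAtaO"),
    rec(2992, 2548, SYS + "\\cmd.exe", "cmd /c cmd < Pel.pptx"),
    rec(2540, 2992, SYS + "\\cmd.exe", "cmd"),
    rec(3028, 2540, SYS + "\\findstr.exe",
        'findstr /V /R "^zhstQWiUaSsAnmkEODbzVxaWPpDrIiPtovZYFBuQSwQDdEWokoffoLwZVcgHzrkl'
        'ejseAhZhbHAUDOGlhxSmSAWbcqephnvOQFArhTIXpeSAlucuPrzYkLaCdUGAkPqYlMtYhCXzLUdQHchgE$"'
        ' Aggiogati.pptx'),
    rec(1676, 2540, TMP + "\\IXP000.TMP\\Vorra.exe.com", "Vorra.exe.com o"),
    rec(740, 1676, TMP + "\\IXP000.TMP\\Vorra.exe.com", TMP + "\\IXP000.TMP\\Vorra.exe.com o"),
    rec(2752, 2540, SYS + "\\PING.EXE", "ping localhost -n 30"),
]

if __name__ == "__main__":
    for chain in find_loader_chains(SAMPLE_RECORDS):
        print(chain)
```

Run against the constructed records it reports one chain hosted by PID 2540 with all five indicators. The correlation is keyed on the findstr carve step because a findstr /V with an anchored 40-plus character marker against a "document" is the least common element of the chain; a single stdin redirect or a long ping on its own is only worth a low-severity hit.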
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe (PID 2548)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2980)
    Command line: cmd /c rgmLAtaO
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2992)
    Command line: cmd /c cmd < Pel.pptx
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 2540)
      Command line: cmd
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\findstr.exe (PID 3028)
        Command line: findstr /V /R "^zhstQWiUaSsAnmkEODbzVxaWPpDrIiPtovZYFBuQSwQDdEWokoffoLwZVcgHzrklejseAhZhbHAUDOGlhxSmSAWbcqephnvOQFArhTIXpeSAlucuPrzYkLaCdUGAkPqYlMtYhCXzLUdQHchgE$" Aggiogati.pptx
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com (PID 1676)
        Command line: Vorra.exe.com o
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com (PID 740)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com o
          Signatures: Executes dropped EXE; Checks processor information in registry; Suspicious use of FindShellTrayWindow
      - [4] C:\Windows\SysWOW64\PING.EXE (PID 2752)
        Command line: ping localhost -n 30
        Signatures: Runs ping.exe
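The findstr step in the tree is the carve: findstr /V prints every line of Aggiogati.pptx except the one matching the anchored marker, so a file built as "marker line, then raw executable" comes out as the executable, and the batch script only has to redirect that output to Vorra.exe.com. The report does not show the batch script or the contents of either ".pptx", so the Python below is an added example, not the sample's own files or code: it builds a disguised file from the marker on this page and a constructed PE-like stub, checks whether the "document" is really an OOXML ZIP, emulates the filter, and verifies that a PE header appears only after the carve. The output redirection to Vorra.exe.com is assumed, and the filter emulates the intent of findstr /V rather than findstr itself.

```python
"""Emulate the findstr /V marker carve and triage the disguised input file.

Added example, not code from the sandbox report or from the sample. MARKER is
taken from the findstr command line in this report; the payload and the
disguised file are constructed here.
"""
import struct

MARKER = (b"zhstQWiUaSsAnmkEODbzVxaWPpDrIiPtovZYFBuQSwQDdEWokoffoLwZVcgHzrklejseAhZhbH"
          b"AUDOGlhxSmSAWbcqephnvOQFArhTIXpeSAlucuPrzYkLaCdUGAkPqYlMtYhCXzLUdQHchgE")
PPTX_MAGIC = b"PK\x03\x04"   # OOXML documents (.pptx/.docx/.xlsx) are ZIP containers


def is_real_pptx(data: bytes) -> bool:
    """A genuine .pptx starts with a ZIP local file header."""
    return data.startswith(PPTX_MAGIC)


def looks_like_pe(data: bytes) -> bool:
    """MZ header whose e_lfanew (offset 0x3C) points at a PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def findstr_v_filter(data: bytes, marker: bytes) -> bytes:
    """Approximate findstr /V /R "^marker$": drop every line equal to marker.

    Splitting on b"\\n" and re-joining leaves every other byte untouched, which is
    what the loader relies on. Real findstr is line oriented and may rewrite line
    endings or choke on very long lines, so this emulates the intent, not the tool.
    """
    kept = [line for line in data.split(b"\n") if line.rstrip(b"\r") != marker]
    return b"\n".join(kept)


def disguise(marker: bytes, payload: bytes) -> bytes:
    """Build the 'document' the loader ships: one marker line, then the raw payload."""
    return marker + b"\r\n" + payload


def fake_pe_payload() -> bytes:
    """Constructed stand-in for the dropped executable: a DOS header with
    e_lfanew = 0x40 and a PE signature, followed by bytes that include 0x0A and
    0x0D so the filter's line handling is exercised. Not a runnable executable."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + bytes(range(256)) * 4


def triage(doc: bytes, marker: bytes) -> dict:
    """Answer the questions an analyst asks of Aggiogati.pptx: is it really a
    document, does it already look like a PE, and what does the carve produce?"""
    carved = findstr_v_filter(doc, marker)
    return {
        "real_pptx": is_real_pptx(doc),
        "pe_before_carve": looks_like_pe(doc),
        "pe_after_carve": looks_like_pe(carved),
        "carved_size": len(carved),
        "carved": carved,
    }


if __name__ == "__main__":
    payload = fake_pe_payload()
    doc = disguise(MARKER, payload)          # constructed Aggiogati.pptx
    result = triage(doc, MARKER)
    print({k: v for k, v in result.items() if k != "carved"})
```

On the constructed file the triage reports real_pptx False, pe_before_carve False and pe_after_carve True, and the carved bytes equal the embedded payload exactly. The same two header checks applied to a real dropped "document" tell you in seconds whether it is a container for a second stage; the carve then gives you the artifact to hash against the Downloads list without running the sample.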
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 872KB
  MD5: f435197ac66954c9aaa768c402bb2f6e
  SHA1: 81cb16becf08ab1cb2d88c1a0d51872aac7af78f
  SHA256: 682c0c70fdc6522a9ee445de9439348405b945ef9707b983ddf3e88c869ea576
  SHA512: ca39a95f003340290b4ae5037313432061c1213f976253bbda8b5149f0f1e295cacbc43dbe63fa1cc54e5336a3161eac7962f73afad775a4122ad23f0330117b
- Filesize: 733KB
  MD5: 6ef148867d1e6e66271e86d6bfab3869
  SHA1: 589cfd4129777c088f4b53f5dc723ada5f51b302
  SHA256: 0768633b95a60df47da99c4f6c92cb703c61e547652e6831ff918a9c48ae7720
  SHA512: 8ba444184340843551dbe1dbec38f15a8a30aa3e97811e300b4fcae2c791254c84576d3b8d7299cca48ae0a3a8e443bbc71d0325283df7a46773747ef72b41e3
- Filesize: 487B
  MD5: b508376c348b13291d124eab9cce3534
  SHA1: 26e23e157da1b214a98d84c581c103a97d2f4121
  SHA256: a0a6240b767c17f2bbe16985044599f369fdee62ee626a4326e975edbb01a9b4
  SHA512: 018c7dcf04180da81065647d957e4d08e40ee7e6ca93fe70ab6bfa49ab8532fcd40fe9add8ddc09816e343f04174b1d3e3dc16ba4cd7c93545814fc1992256b8
- Filesize: 4KB
  MD5: c6e5a1d0da965a5ed6605f2eaca6e918
  SHA1: 2ebecfc4f3b2edc02bc25fa24a414c184c2c5760
  SHA256: a42591d455e0b68a748c3a54a72e15472a6b06af4d365dab85930667c530ff37
  SHA512: 6231a9f4b2d5bbcee2700eea3918fa0b75098815fb7df00cd5969100ec87bb5d25e8c186452a809302592b3c90c622e8715872ca8ea719a31e150e4bfc34b79a
- Filesize: 559KB
  MD5: e52d61a48f6c2d88d56e32f7f179af22
  SHA1: 40528a208c8c7aa08ec77f7ef01b5c974aaef81e
  SHA256: 9e4f89678b542437ab9cc34f03259cf919d527080127d329f2adea791a941c77
  SHA512: b6dc043becaebdc8522599e30013fe965c77fd0282f14f4e8fb2e7d8ce566246b8abfa64eb7b91d1e1ee20f3d9e41884f831412c2c87946a101764ef5d05d77f
- Filesize: 258KB
  MD5: 31662157265f51845f857ad681c410af
  SHA1: 23e8ebfd96153bfda00feb0aec56486dea629301
  SHA256: 942626b1dc77ad7e4d41757a880e22c4dcbb081d66784467b92f2e5149242508
  SHA512: 0761fa13ef1d961608d56d43e860bae18554426e2b5a8922e893b90bd4fb564c3f753e05a048bf19301e2c1f1b9a123d918671e64fea764fa0328b829529dc49
- Filesize: 37KB
  MD5: 7f95421e322c952ebc00ea00a8576680
  SHA1: 59c6d1a62531a67cfc155373e18f3cac44154d63
  SHA256: 068b9e5f7a69c754862ddc3bdbbfdf26e8318adf43a35fec229498aceca66d77
  SHA512: 230270b844fdbf9f496636757c03e84a695150f9b0477f394d81a59b22f44aa6e33c701ebfd035bc1beb21e1ffc2d39204864b518f8392124c6a87e5d8ba65aa
- Filesize: 7KB
  MD5: 63b8c275ba1b16740bacdcb0116b608c
  SHA1: d3789337ca56a0d4b28bbf1d17bebd11593a7e6a
  SHA256: a981c50c80d55a657faa13c375cca86b4d47cc5e26b5c032ac3b03ceb21b7bf1
  SHA512: 569a186f38463fbb1cda8787c0090957e1d12ed2a3566a3cddc394c2761ebb5fd91f9fa59fa7b19b7932a2a2e02506a55b58f2f33979204b7eaa1d03f44e72c7
- Filesize: 44KB
  MD5: 5a3655df80d79ad2cfc5780b782549b6
  SHA1: 3fae3b923541f44db2364eb8ec0a8a4f7495d451
  SHA256: 154857838c9e008cccb9ed66bc39dabb330d05cecbb4da2f9a9ed341e92ba8bf
  SHA512: d4f6613ef3bf0b69bad12a30342fc0f7c9465648502a865bba922095d7f325a5b55d7845b6d4b7201912e4e7016c89bb24e8b4117811c163fb909965e28b4bfb
- Filesize: 8KB
  MD5: 7d9c91bbf6ee5d1117e9d0e577253b18
  SHA1: 78bbab80bca6c77f66bd426a03490ae142cfe07b
  SHA256: dc4b4295e16882d1a919c2fede2d5c7c26e859ae4251fb5e224999d569c89916
  SHA512: a237ccbafeff51fd734dbd1b16967230685f99bca19ddada9382014af4764eea24e166d9a6ef4dd00897a5466d531355e03ba073b2b2ca178397a5ab214e227c
- Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- Filesize: 750KB
  MD5: 50fd168f651c65df15ad848a893a996a
  SHA1: d32e115599c92937cd71da551dbf9575838abdca
  SHA256: f13b6bd774ddaa3a3ce2d51eaeb9a325785bd7f335ed09897b8d85cfc98cc797
  SHA512: 80ef663885602a2cfd7e1d77a648a902bd695a3b1b5f65dc23a83105544f2becbd26e40045e7f03acec0f7631def205095650ec94b925ced00f2ad4db78a288f