Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-12-2023 19:23
Static task: static1
Behavioral task: behavioral1
  Sample: f23000a51a7ac80b39bab71e83c3983a.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: f23000a51a7ac80b39bab71e83c3983a.exe
  Resource: win10v2004-20231215-en
General
- Target: f23000a51a7ac80b39bab71e83c3983a.exe
- Size: 1.5MB
- MD5: f23000a51a7ac80b39bab71e83c3983a
- SHA1: 647a3ce6cfc9e4a4f5c952678d8c7bda038a14f5
- SHA256: bd7020c913d0170d15354c8e693a4b2469d2332768ef477c702bd1c51e41887c
- SHA512: e7193498cea1d3a56a4a207c3f94aff45b591d4dc95b2ba67830a1252dd79560b63c8abdb36216f90e74fae22123c38f82b606953551ca54f1b015ca987ee7f3
- SSDEEP: 24576:VyEptD7sRjWDFtr9xE8OoNTtfvJeqkIftCstIt2J5CNmfh8+IED471iuejTya:jZARsFtrTRbdtw4tC0LkyqED4xiuej
Malware Config
Extracted
- cryptbot
  ewaqfe45.top
  morjau04.top
- payload_url: http://winhaf05.top/download.php?file=lv.exe
Signatures
-
CryptBot payload 5 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/2868-25-0x00000000042C0000-0x0000000004363000-memory.dmp   family_cryptbot
  behavioral2/memory/2868-26-0x00000000042C0000-0x0000000004363000-memory.dmp   family_cryptbot
  behavioral2/memory/2868-27-0x00000000042C0000-0x0000000004363000-memory.dmp   family_cryptbot
  behavioral2/memory/2868-29-0x00000000042C0000-0x0000000004363000-memory.dmp   family_cryptbot
  behavioral2/memory/2868-242-0x00000000042C0000-0x0000000004363000-memory.dmp  family_cryptbot
-
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  3628  Vorra.exe.com
  2868  Vorra.exe.com
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  process: f23000a51a7ac80b39bab71e83c3983a.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                            process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                Vorra.exe.com
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Vorra.exe.com
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid   process
  2868  Vorra.exe.com
  2868  Vorra.exe.com
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
  description                       pid   process                               target process
  PID 2732 wrote to memory of 3872  2732  f23000a51a7ac80b39bab71e83c3983a.exe  cmd.exe
  PID 2732 wrote to memory of 3872  2732  f23000a51a7ac80b39bab71e83c3983a.exe  cmd.exe
  PID 2732 wrote to memory of 3872  2732  f23000a51a7ac80b39bab71e83c3983a.exe  cmd.exe
  PID 2732 wrote to memory of 1240  2732  f23000a51a7ac80b39bab71e83c3983a.exe  cmd.exe
  PID 2732 wrote to memory of 1240  2732  f23000a51a7ac80b39bab71e83c3983a.exe  cmd.exe
  PID 2732 wrote to memory of 1240  2732  f23000a51a7ac80b39bab71e83c3983a.exe  cmd.exe
  PID 1240 wrote to memory of 1252  1240  cmd.exe                               cmd.exe
  PID 1240 wrote to memory of 1252  1240  cmd.exe                               cmd.exe
  PID 1240 wrote to memory of 1252  1240  cmd.exe                               cmd.exe
  PID 1252 wrote to memory of 4136  1252  cmd.exe                               findstr.exe
  PID 1252 wrote to memory of 4136  1252  cmd.exe                               findstr.exe
  PID 1252 wrote to memory of 4136  1252  cmd.exe                               findstr.exe
  PID 1252 wrote to memory of 3628  1252  cmd.exe                               Vorra.exe.com
  PID 1252 wrote to memory of 3628  1252  cmd.exe                               Vorra.exe.com
  PID 1252 wrote to memory of 3628  1252  cmd.exe                               Vorra.exe.com
  PID 1252 wrote to memory of 116   1252  cmd.exe                               PING.EXE
  PID 1252 wrote to memory of 116   1252  cmd.exe                               PING.EXE
  PID 1252 wrote to memory of 116   1252  cmd.exe                               PING.EXE
  PID 3628 wrote to memory of 2868  3628  Vorra.exe.com                         Vorra.exe.com
  PID 3628 wrote to memory of 2868  3628  Vorra.exe.com                         Vorra.exe.com
  PID 3628 wrote to memory of 2868  3628  Vorra.exe.com                         Vorra.exe.com
Processes
- C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2732
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c cmd < Pel.pptx
      - Suspicious use of WriteProcessMemory
      PID: 1240
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c rgmLAtaO
      PID: 3872
- C:\Windows\SysWOW64\cmd.exe
  Command line: cmd
  - Suspicious use of WriteProcessMemory
  PID: 1252
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping localhost -n 30
      - Runs ping.exe
      PID: 116
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com
      Command line: Vorra.exe.com o
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 3628
    - C:\Windows\SysWOW64\findstr.exe
      Command line: findstr /V /R "^zhstQWiUaSsAnmkEODbzVxaWPpDrIiPtovZYFBuQSwQDdEWokoffoLwZVcgHzrklejseAhZhbHAUDOGlhxSmSAWbcqephnvOQFArhTIXpeSAlucuPrzYkLaCdUGAkPqYlMtYhCXzLUdQHchgE$" Aggiogati.pptx
      PID: 4136
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com o
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  PID: 2868
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 872KB
  MD5: f435197ac66954c9aaa768c402bb2f6e
  SHA1: 81cb16becf08ab1cb2d88c1a0d51872aac7af78f
  SHA256: 682c0c70fdc6522a9ee445de9439348405b945ef9707b983ddf3e88c869ea576
  SHA512: ca39a95f003340290b4ae5037313432061c1213f976253bbda8b5149f0f1e295cacbc43dbe63fa1cc54e5336a3161eac7962f73afad775a4122ad23f0330117b
- Filesize: 487B
  MD5: b508376c348b13291d124eab9cce3534
  SHA1: 26e23e157da1b214a98d84c581c103a97d2f4121
  SHA256: a0a6240b767c17f2bbe16985044599f369fdee62ee626a4326e975edbb01a9b4
  SHA512: 018c7dcf04180da81065647d957e4d08e40ee7e6ca93fe70ab6bfa49ab8532fcd40fe9add8ddc09816e343f04174b1d3e3dc16ba4cd7c93545814fc1992256b8
- Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- Filesize: 785KB
  MD5: f8c1704e198600846e523ded289572aa
  SHA1: 070a19acd704141b393dd7ae10683173a0d7006f
  SHA256: 755d602d3d1d77fe98f6287a17dc7c4ad70486ef2264ed4c84bb5c5f951ba9d9
  SHA512: e2e2e5a62b05590c37315268361a737f5f6edd8d43d786a7be460d90dbab4e7ea09bcde0709523219d4e94d2bb27651abcd1f5a821098479dbd9842ca0a5707d
- Filesize: 745KB
  MD5: 6b4364950e66f6bc2e3c0e626344420b
  SHA1: 367460cda5692d82802999b0ee358d401acff294
  SHA256: 2a94b8c796d9dc175199377b3d5e4053820c56e1d02ced3c72b9f16728d8f778
  SHA512: 6a386f4131124d06c40f370b5cb8b401c04542062f3f90f9830d0dd05a114e8f0493fe95d1b57ad503357dc2d9b770f9eb3687693d0a3d4cb9170a27c1971e7a
- Filesize: 1KB
  MD5: d9a21089e1b3b0016a0b68acab575ca8
  SHA1: 1cd7a023cc4e44a731bdf8c8a387a9065b7c305b
  SHA256: 590eb8e782638f8a44108ec4a41ea5429955571b44b11ad0cafa4e35da099568
  SHA512: 3ecf349823c4a36bff8536ecb93ac58cef537d55cc45b0b974c50d5e3df1fa29344e7664f5f13d91351670f99edeea178869ed612746fb226bacefbd409bd0ab
- Filesize: 3KB
  MD5: 88a9e70aeff1eee9acc0375eabdd48e5
  SHA1: 4bfc396229e910341b62ad38119e935ca49dd98c
  SHA256: a111a5c380334907042e1e1be9c0571f5e4d7e67cf97523af0af53916af3e286
  SHA512: 9677d22e15f8766c7ed6d2ccba53582f91cda1b52ce86d7d690cd81334a060be1daf7cf8dd9bed03503fc81a7a6687d1316036e8ecb55181f3e8895f0e6f840c
- Filesize: 4KB
  MD5: 7e4cabf86ad2deb9632764ab2101eba7
  SHA1: 9629c0880c9ab664df56f4d72442ff1759099a72
  SHA256: a830b8d7201733d5fdd12479d605e49459496f69ce2066bbc49174311451abe8
  SHA512: c7e4770e48d8ddaed31dcb59429f0fa09d376fbceae0c4018534d021db65bb6838f1ea788b0cd9e7a553c991cb2a97058b74f55a1a712efa378e43145ae24218
- Filesize: 45KB
  MD5: d99ccc7c33d77c38248d324171200f9f
  SHA1: 65cf21860a5df51d7f18c25c6c2495ab4d7a3334
  SHA256: b5664e06bb8453201a8b8cdf149cf77b3b72a395f1da91061abdfad9c887e1de
  SHA512: 87341e040ffe92ed7a8a1bba3c96a3081fcd6f60bcf21514a3808d9a019d7c0b37f93662b2821bbf42729621b5ef8c23d4c5c5296ed363606b02c18f926703e8
- Filesize: 1KB
  MD5: 4b41c02d15b1d0e2cc5b06ace64fd013
  SHA1: 680a85f72fd6aaff4af8e523af60b33f09b95e3f
  SHA256: 2fe7f5e60c67db0dcdb4c810c7a464c1e34c4c575e792eb70824ba7bc69db1d1
  SHA512: 623ba98b3a90844ffe33306d5055cd728c8d0938b79e3c960e2357567c1a15f69156df59b8fddf31dc083ccf7d92ca8a5248e352ce179aef13b0ad91f91e549b
- Filesize: 4KB
  MD5: 8833c7116e88c4b7e4c57773e8d1d796
  SHA1: 00c311ea509f1d913b5a374884062c9349cfa76f
  SHA256: ad06f5e2d084a0b919b9a1b7af1584c7156b5297924f46e9b98d128c20e29953
  SHA512: 66dfd2de1c447d458b2edbbba5afa225b0789e5a969f77dae513873142237135a51785f82d2f259dd5f64d4ea6d4e9bb9069708aab9eb84eeebf8b5940c1eeaf