Analysis
- max time kernel: 5s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-12-2023 08:49
Static task: static1
Behavioral task: behavioral1
Sample: 2fa9185ceeb1d25e8bde77a4cf3f70d4.exe
Resource: win7-20231215-en
General
- Target: 2fa9185ceeb1d25e8bde77a4cf3f70d4.exe
- Size: 750KB
- MD5: 2fa9185ceeb1d25e8bde77a4cf3f70d4
- SHA1: 8106940df3869cbea44a8221a6ac313c054090b0
- SHA256: d4036c235fca73a67732d884564991184b7a8ea148784f0cd70fa07adbd8e160
- SHA512: 2f0845ce6d19abf16300ffb599fc2b90f150114031e9cea21050792d302a5714108b1bdf42fa8ca499d2c3834e8dd7281e0a0dd3836b06e06f596e278d74ac5e
- SSDEEP: 12288:SpeJF5qwAux8iLen10DKWU2T94IAvhvQ6EIobNILiqUZXhaDZXHfhFN:t5qwA84EKWU2x29Qp0Oha1XHx
Malware Config
Extracted
cryptbot
smarew72.top
moriwi07.top
- payload_url: http://guruzo10.top/download.php?file=lv.exe
Signatures
- CryptBot payload (5 IoCs)
  Processes:
  resource: behavioral2/memory/3980-2-0x0000000002110000-0x00000000021F1000-memory.dmp, yara_rule: family_cryptbot
  resource: behavioral2/memory/3980-3-0x0000000000400000-0x00000000004E5000-memory.dmp, yara_rule: family_cryptbot
  resource: behavioral2/memory/3980-213-0x0000000000400000-0x00000000004E5000-memory.dmp, yara_rule: family_cryptbot
  resource: behavioral2/memory/3980-221-0x0000000002110000-0x00000000021F1000-memory.dmp, yara_rule: family_cryptbot
  resource: behavioral2/memory/3980-220-0x0000000000400000-0x00000000004E5000-memory.dmp, yara_rule: family_cryptbot
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
  pid: 2868, pid_target: 3980, process: WerFault.exe, target process: 2fa9185ceeb1d25e8bde77a4cf3f70d4.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description: Key opened, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, process: 2fa9185ceeb1d25e8bde77a4cf3f70d4.exe
  description: Key value queried, ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, process: 2fa9185ceeb1d25e8bde77a4cf3f70d4.exe
- Delays execution with timeout.exe (1 IoC)
  Processes:
  pid: 2920, process: timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe"
  - Checks processor information in registry
  PID: 3980
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1656
    - Program crash
    PID: 2868
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\IflgAoZb & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe"
    PID: 992
- C:\Windows\SysWOW64\timeout.exe
  Command line: timeout 3
  - Delays execution with timeout.exe
  PID: 2920
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3980 -ip 3980
  PID: 1528
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4KB
  MD5: 4acf52d8e7aeb6431a490e496629b00f
  SHA1: 3f9685780ca99e785a5c3a091bdab8fe9a1276ed
  SHA256: 4a0ff175f19c61c4022e007561604675ea25421c50b8481be29c3c70e73aa30a
  SHA512: c1f85f5e2d3e0c5dae8fdc55d5b28621821604b2ca423613c1ad5d2683e312364fbd55f72927694eca388c006016b408ed12dbab5cfb96375353f4a1aa7a14db
- Filesize: 7KB
  MD5: d973f047917ebc78b4dda4b0a85bc8ef
  SHA1: a8b454c7fa725626e4699f6fe02f12125963188a
  SHA256: f6b916c122279ac258028787de809314dbadde0b583bfd404a0fb85ab2b6948f
  SHA512: cdeab64234c5bbb7a24bb0e96eb79af98d1563839b8dc7432c77c0c1c369926af1618e59e241a6d7f3118acae5eea3053b464bd8fb5433031535b3382aaf5c60
- Filesize: 48KB
  MD5: c98befb5e2e7dd6f642156a48dbcc01b
  SHA1: 780c50dc484fd7dca4b89527cd62aa23039df521
  SHA256: 6b9c28a21f16a94fcc05afebad9d84f4253a1f247e784c736c3169ea87b7e8d2
  SHA512: 13e4818e2821c41d97f060bd5939ad5dcc310753da0408466fc10cabece16411bc5e9690d0da3f8ad6fd465bb54614b3ed9d2d98cbf0dffd2c2fefca62035b81
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- Filesize: 7KB
  MD5: 1feed4f2f2047d7403cf74f3871ba012
  SHA1: 53d3d012f60144d862525d88da2d41fa418b7129
  SHA256: 38e63575621ac99235c7faaadcd6dc55fa2c36a45a98e0ad68e6691696098be7
  SHA512: 9df2bff8634f51d8015373e9bf02b437095ef4fde31a2cc917a836c0c330fde83831baa7c86b5367fe3c1a0fdefe2f3063ba9f1e40c705e082b87032ef03d4fb
- Filesize: 4KB
  MD5: 31452b021289566b8db2b97bcd38c0ca
  SHA1: 44773d79aac77efb76fb00b36b2752ef29a72f79
  SHA256: d6f1e03b48dd1d7f8d35e07a60f84f05ab8d7c229d233937497b29b60217bf78
  SHA512: 39432c57a532fa73fbe0c3c6d9bcb67fd630ce77e07b2f17695068ce43b923db0186555a5c75284801400c5641b33075fb29b7103bf45fa62b39f9565ecb8c45