Analysis

  • max time kernel
    5s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-12-2023 08:49

General

  • Target

    2fa9185ceeb1d25e8bde77a4cf3f70d4.exe

  • Size

    750KB

  • MD5

    2fa9185ceeb1d25e8bde77a4cf3f70d4

  • SHA1

    8106940df3869cbea44a8221a6ac313c054090b0

  • SHA256

    d4036c235fca73a67732d884564991184b7a8ea148784f0cd70fa07adbd8e160

  • SHA512

    2f0845ce6d19abf16300ffb599fc2b90f150114031e9cea21050792d302a5714108b1bdf42fa8ca499d2c3834e8dd7281e0a0dd3836b06e06f596e278d74ac5e

  • SSDEEP

    12288:SpeJF5qwAux8iLen10DKWU2T94IAvhvQ6EIobNILiqUZXhaDZXHfhFN:t5qwA84EKWU2x29Qp0Oha1XHx

Malware Config

Extracted

  • Family

    cryptbot

  • C2

    smarew72.top
    moriwi07.top

  • Attributes

    payload_url
      http://guruzo10.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ information stealer that is widely distributed bundled with other software.

  • CryptBot payload (5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and session cookies.

  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoC)

    The main process (PID 3980) was handed to WerFault.exe; see the process tree below.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe (1 IoC)

    timeout 3 runs inside the cmd.exe cleanup chain that removes the staging directory and then deletes the dropper.
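The three registry/file signatures above (Uninstall-key enumeration, CentralProcessor reads, browser profile reads) can be reproduced from access telemetry. The following is an added example, not Triage's own detection code: it classifies per-process registry and file-access records into those TTPs. The record format, the sample events (PID 3980 from this report plus a constructed benign PID 4242) and the subkey threshold are assumptions.

```python
"""Classify registry and file-access records into infostealer TTPs.
Added example: record format, sample events and thresholds are constructed."""
import ntpath
from collections import defaultdict

# Registry roots whose subkeys list installed products (lower-case, no trailing separator).
UNINSTALL_ROOTS = (
    r"hklm\software\microsoft\windows\currentversion\uninstall",
    r"hklm\software\wow6432node\microsoft\windows\currentversion\uninstall",
    r"hkcu\software\microsoft\windows\currentversion\uninstall",
)
# CPU descriptor key commonly queried to fingerprint VMs and sandboxes.
CPU_KEY = r"hklm\hardware\description\system\centralprocessor"
# Credential/cookie stores: Chromium under "User Data", Firefox under "Profiles".
BROWSER_STORES = {"login data", "web data", "cookies", "logins.json", "key4.db", "cookies.sqlite"}
REG_OPS = {"RegOpenKey", "RegQueryValue", "RegEnumKey"}   # assumed op names
FILE_OPS = {"CreateFile", "ReadFile"}
MIN_UNINSTALL_SUBKEYS = 3  # assumption: fewer distinct products looks like an ordinary lookup


def _norm(path):
    # ntpath works on any host OS: lower-cases and normalises separators.
    return ntpath.normcase(path)


def classify(events):
    """events: iterable of {'pid', 'op', 'target'} dicts.
    Returns {pid: {ttp_name: [evidence, ...]}} for processes that hit a rule."""
    hits = defaultdict(lambda: defaultdict(list))
    uninstall_subkeys = defaultdict(set)
    for ev in events:
        pid, op, target = ev["pid"], ev["op"], _norm(ev["target"])
        if op in REG_OPS:
            for root in UNINSTALL_ROOTS:
                if target == root or target.startswith(root + "\\"):
                    sub = target[len(root) + 1:].split("\\", 1)[0]
                    uninstall_subkeys[pid].add(sub)  # '' when enumerating the root itself
            if target.startswith(CPU_KEY):
                hits[pid]["checks_processor_info"].append(ev["target"])
        elif op in FILE_OPS:
            if ntpath.basename(target) in BROWSER_STORES and (
                    "\\user data\\" in target or "\\profiles\\" in target):
                hits[pid]["reads_browser_profile_data"].append(ev["target"])
    for pid, subs in uninstall_subkeys.items():
        # Counting distinct product subkeys separates an inventory sweep from one lookup.
        products = subs - {""}
        if len(products) >= MIN_UNINSTALL_SUBKEYS:
            hits[pid]["checks_installed_software"] = sorted(products)
    return {pid: dict(rules) for pid, rules in hits.items()}


# Constructed records: the sandboxed sample (PID 3980) and an unrelated process (PID 4242).
SAMPLE_EVENTS = [
    {"pid": 3980, "op": "RegEnumKey",    "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
    {"pid": 3980, "op": "RegQueryValue", "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7ABC}\DisplayName"},
    {"pid": 3980, "op": "RegQueryValue", "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9DEF}\DisplayName"},
    {"pid": 3980, "op": "RegQueryValue", "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++\DisplayName"},
    {"pid": 3980, "op": "RegQueryValue", "target": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"pid": 3980, "op": "RegQueryValue", "target": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"},
    {"pid": 3980, "op": "ReadFile",      "target": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 3980, "op": "ReadFile",      "target": r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\logins.json"},
    {"pid": 4242, "op": "RegQueryValue", "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7ABC}\DisplayName"},
    {"pid": 4242, "op": "ReadFile",      "target": r"C:\Users\Admin\Documents\cookies.txt"},
]

if __name__ == "__main__":
    for pid, rules in classify(SAMPLE_EVENTS).items():
        print(pid, sorted(rules))
```

Only PID 3980 is reported: PID 4242 reads a single Uninstall entry (below the threshold) and a file whose name merely resembles a cookie store but sits outside any browser profile directory.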

Processes

  • C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe
    "C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe"
    1⤵
    • Checks processor information in registry
    PID:3980
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1656
      2⤵
      • Program crash
      PID:2868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\IflgAoZb & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe"
      2⤵
        PID:992
    • C:\Windows\SysWOW64\timeout.exe
      timeout 3
      1⤵
      • Delays execution with timeout.exe
      PID:2920
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3980 -ip 3980
      1⤵
        PID:1528
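The cmd.exe command line in the process tree above is the stealer's cleanup: remove the staging directory, wait three seconds so the parent can exit, then delete the dropper. The following is an added example, not Triage or CryptBot code, that parses such a chain from process telemetry and decides whether it is a self-deletion of the parent image. It generalises slightly beyond the page (rd/rmdir and del/erase aliases, ping -n delays, && chaining); the benign command line is constructed for contrast.

```python
"""Detect the 'rd /s /q <dir> & timeout N & del /f /q "<self>"' cleanup chain.
Added example: regexes and the benign sample are assumptions, not report data."""
import ntpath
import re

CMD_RE = re.compile(r'^\s*(?P<exe>"[^"]+"|\S+)\s+/[cCkK]\s+(?P<body>.+)$', re.S)
RMDIR_RE = re.compile(r'^(?:rd|rmdir)(?:\s+/[sq])*\s+(?P<path>"[^"]+"|\S+)$', re.I)
DELAY_RE = re.compile(r'^(?:timeout(?:\s+/t)?\s+(?P<t>\d+)|ping\b.*?\s-n\s+(?P<n>\d+))', re.I)
DEL_RE = re.compile(r'^(?:del|erase)(?:\s+/[fqa])*\s+(?P<path>"[^"]+"|\S+)$', re.I)


def split_chain(body):
    """Split on '&' / '&&' outside double quotes (cmd.exe's command separators)."""
    parts, buf, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == "&" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def _unquote(p):
    return p[1:-1] if len(p) >= 2 and p[0] == p[-1] == '"' else p


def analyse_cleanup(cmdline, parent_image):
    """Return None unless cmdline is a 'cmd.exe /c|/k ...' invocation; otherwise a
    dict of what the chain removes, how long it waits, and whether the deleted
    file is the parent process image."""
    m = CMD_RE.match(cmdline)
    if not m or ntpath.basename(_unquote(m["exe"])).lower() != "cmd.exe":
        return None
    info = {"removes_dir": None, "delay_s": None, "deletes": None}
    for seg in split_chain(m["body"]):
        r = RMDIR_RE.match(seg)
        if r:
            info["removes_dir"] = _unquote(r["path"])
            continue
        d = DELAY_RE.match(seg)
        if d:
            info["delay_s"] = int(d["t"] or d["n"])
            continue
        x = DEL_RE.match(seg)
        if x:
            info["deletes"] = _unquote(x["path"])
    parent = ntpath.normcase(parent_image)  # case-insensitive Windows path compare
    info["deletes_parent"] = (info["deletes"] is not None
                              and ntpath.normcase(info["deletes"]) == parent)
    info["removes_sibling_dir"] = (info["removes_dir"] is not None
                                   and ntpath.dirname(ntpath.normcase(info["removes_dir"]))
                                   == ntpath.dirname(parent))
    # The full pattern: the delay lets the parent exit before its own image is unlinked.
    info["self_delete_chain"] = info["deletes_parent"] and info["delay_s"] is not None
    return info


# Command line and parent image as shown in the process tree of this report.
SAMPLE_PARENT = r"C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe"
SAMPLE_CMDLINE = (r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\IflgAoZb'
                  r' & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe"')
# Constructed benign chain: deletes an unrelated file, no delay.
BENIGN_CMDLINE = r'"C:\Windows\system32\cmd.exe" /c del /f /q "C:\Users\Admin\Downloads\old.log"'

if __name__ == "__main__":
    print(analyse_cleanup(SAMPLE_CMDLINE, SAMPLE_PARENT))
    print(analyse_cleanup(BENIGN_CMDLINE, SAMPLE_PARENT))
```

Matching the deleted path against the parent image (rather than alerting on every del /f /q) keeps the rule quiet on installers and uninstallers that clean up temporary files of their own.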

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\IflgAoZb\_Files\_Information.txt

        Filesize

        4KB

        MD5

        4acf52d8e7aeb6431a490e496629b00f

        SHA1

        3f9685780ca99e785a5c3a091bdab8fe9a1276ed

        SHA256

        4a0ff175f19c61c4022e007561604675ea25421c50b8481be29c3c70e73aa30a

        SHA512

        c1f85f5e2d3e0c5dae8fdc55d5b28621821604b2ca423613c1ad5d2683e312364fbd55f72927694eca388c006016b408ed12dbab5cfb96375353f4a1aa7a14db

      • C:\Users\Admin\AppData\Local\Temp\IflgAoZb\_Files\_Information.txt

        Filesize

        7KB

        MD5

        d973f047917ebc78b4dda4b0a85bc8ef

        SHA1

        a8b454c7fa725626e4699f6fe02f12125963188a

        SHA256

        f6b916c122279ac258028787de809314dbadde0b583bfd404a0fb85ab2b6948f

        SHA512

        cdeab64234c5bbb7a24bb0e96eb79af98d1563839b8dc7432c77c0c1c369926af1618e59e241a6d7f3118acae5eea3053b464bd8fb5433031535b3382aaf5c60

      • C:\Users\Admin\AppData\Local\Temp\IflgAoZb\_Files\_Screen_Desktop.jpeg

        Filesize

        48KB

        MD5

        c98befb5e2e7dd6f642156a48dbcc01b

        SHA1

        780c50dc484fd7dca4b89527cd62aa23039df521

        SHA256

        6b9c28a21f16a94fcc05afebad9d84f4253a1f247e784c736c3169ea87b7e8d2

        SHA512

        13e4818e2821c41d97f060bd5939ad5dcc310753da0408466fc10cabece16411bc5e9690d0da3f8ad6fd465bb54614b3ed9d2d98cbf0dffd2c2fefca62035b81

      • C:\Users\Admin\AppData\Local\Temp\IflgAoZb\files_\SCREEN~1.JPG

        Filesize

        0B (the MD5, SHA1, SHA256 and SHA512 below are the digests of empty input)

        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      • C:\Users\Admin\AppData\Local\Temp\IflgAoZb\files_\SYSTEM~1.TXT

        Filesize

        7KB

        MD5

        1feed4f2f2047d7403cf74f3871ba012

        SHA1

        53d3d012f60144d862525d88da2d41fa418b7129

        SHA256

        38e63575621ac99235c7faaadcd6dc55fa2c36a45a98e0ad68e6691696098be7

        SHA512

        9df2bff8634f51d8015373e9bf02b437095ef4fde31a2cc917a836c0c330fde83831baa7c86b5367fe3c1a0fdefe2f3063ba9f1e40c705e082b87032ef03d4fb

      • C:\Users\Admin\AppData\Local\Temp\IflgAoZb\files_\system_info.txt

        Filesize

        4KB

        MD5

        31452b021289566b8db2b97bcd38c0ca

        SHA1

        44773d79aac77efb76fb00b36b2752ef29a72f79

        SHA256

        d6f1e03b48dd1d7f8d35e07a60f84f05ab8d7c229d233937497b29b60217bf78

        SHA512

        39432c57a532fa73fbe0c3c6d9bcb67fd630ce77e07b2f17695068ce43b923db0186555a5c75284801400c5641b33075fb29b7103bf45fa62b39f9565ecb8c45

      • memory/3980-2-0x0000000002110000-0x00000000021F1000-memory.dmp

        Filesize

        900KB

      • memory/3980-3-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

      • memory/3980-1-0x00000000005F0000-0x00000000006F0000-memory.dmp

        Filesize

        1024KB

      • memory/3980-213-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB

      • memory/3980-221-0x0000000002110000-0x00000000021F1000-memory.dmp

        Filesize

        900KB

      • memory/3980-220-0x0000000000400000-0x00000000004E5000-memory.dmp

        Filesize

        916KB
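The dropped-file list above shows the stealer's staging layout: a random-named directory under %TEMP% with `_Files` and `files_` subdirectories, `_Information.txt` written twice with growing size, and a screenshot file whose digests are those of an empty file. The following is an added example, not Triage's code, that turns such a list into a per-staging-directory summary: it groups artefacts by their Temp subdirectory, flags zero-byte outputs by the well-known SHA-256 of empty input, and reports paths written more than once. The records are transcribed from the Downloads list; the "stealer layout" heuristic is an assumption about this family.

```python
"""Triage a sandbox dropped-file list by %TEMP% staging directory.
Added example; the layout heuristic is an assumption, the records come from the report."""
import ntpath
from collections import defaultdict

EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # sha256(b"")

# (path, reported size, sha256) as listed under Downloads; None = no size reported.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Temp\IflgAoZb\_Files\_Information.txt", "4KB",
     "4a0ff175f19c61c4022e007561604675ea25421c50b8481be29c3c70e73aa30a"),
    (r"C:\Users\Admin\AppData\Local\Temp\IflgAoZb\_Files\_Information.txt", "7KB",
     "f6b916c122279ac258028787de809314dbadde0b583bfd404a0fb85ab2b6948f"),
    (r"C:\Users\Admin\AppData\Local\Temp\IflgAoZb\_Files\_Screen_Desktop.jpeg", "48KB",
     "6b9c28a21f16a94fcc05afebad9d84f4253a1f247e784c736c3169ea87b7e8d2"),
    (r"C:\Users\Admin\AppData\Local\Temp\IflgAoZb\files_\SCREEN~1.JPG", None, EMPTY_SHA256),
    (r"C:\Users\Admin\AppData\Local\Temp\IflgAoZb\files_\SYSTEM~1.TXT", "7KB",
     "38e63575621ac99235c7faaadcd6dc55fa2c36a45a98e0ad68e6691696098be7"),
    (r"C:\Users\Admin\AppData\Local\Temp\IflgAoZb\files_\system_info.txt", "4KB",
     "d6f1e03b48dd1d7f8d35e07a60f84f05ab8d7c229d233937497b29b60217bf78"),
]


def staging_root(path):
    """(root_dir, relative_path) for a file below ...\Temp\<dir>\..., else None.
    Paths are case-folded with ntpath.normcase so the result is host-independent."""
    parts = ntpath.normcase(path).split("\\")
    try:
        i = parts.index("temp")
    except ValueError:
        return None
    if i + 2 >= len(parts):  # file directly in Temp: no staging subdirectory
        return None
    return "\\".join(parts[: i + 2]), "\\".join(parts[i + 2:])


def triage(records):
    """Summarise records per staging directory: files, subdirs, empty outputs,
    paths written more than once, and whether the '_files'/'files_' layout is present."""
    out = defaultdict(lambda: {"files": set(), "subdirs": set(), "empty": [], "rewritten": {}})
    digests = defaultdict(set)
    for path, _size, sha256 in records:
        hit = staging_root(path)
        if hit is None:
            continue
        root, rel = hit
        entry = out[root]
        entry["files"].add(rel)
        if "\\" in rel:
            entry["subdirs"].add(rel.split("\\", 1)[0])
        if sha256.lower() == EMPTY_SHA256:
            entry["empty"].append(rel)  # capture that produced nothing (e.g. screenshot failed)
        digests[(root, rel)].add(sha256.lower())
    for (root, rel), seen in digests.items():
        if len(seen) > 1:  # same path logged with different content: written incrementally
            out[root]["rewritten"][rel] = len(seen)
    for entry in out.values():
        # Layout heuristic (assumption): a Temp subdirectory holding both "_files" and "files_".
        entry["stealer_layout"] = {"_files", "files_"} <= entry["subdirs"]
    return {root: {**e, "files": sorted(e["files"]), "subdirs": sorted(e["subdirs"])}
            for root, e in out.items()}


if __name__ == "__main__":
    for root, summary in triage(DROPPED).items():
        print(root, summary)
```

The empty-digest check is worth keeping in any dropped-file pipeline: a file with the SHA-256 of empty input carries no evidence, and treating its hash as an indicator would match every zero-byte file on every host.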