Analysis
max time kernel: 146s
max time network: 146s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31-12-2023 10:57
Static task: static1
Behavioral task: behavioral1
  Sample: 335f90c29d9255fa1239707c5beb9600.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 335f90c29d9255fa1239707c5beb9600.exe
  Resource: win10v2004-20231215-en
General
Target: 335f90c29d9255fa1239707c5beb9600.exe
Size: 1.4MB
MD5: 335f90c29d9255fa1239707c5beb9600
SHA1: 9fd4fe27fb41c97bd3288c29fc30af778302443c
SHA256: 5a1a8ce59103a53a79bab7db80b55ade80805711dad05d3e974d8f252bf53e2b
SHA512: 1df0f37f8014865fc7a4caf1c3335a355a17679fab612a30f82dcac87184be9f395b0060b95cef84a41b2a554834306171395e46c6d7e55a9c95ffdee254b765
SSDEEP: 24576:nfTe/ii2PVr6CtkgXpfWwRzyT3oDv3x0JkG8mmJFsPIhQRfVmaRFE2RxC0hkH:f2ii2Nr6afXVW4OT3CvymVr6DRf4aPE4
Malware Config
Extracted
family: cryptbot
  ewazqx71.top
  moraiw07.top
payload_url: http://winfyn10.top/download.php?file=lv.exe
Signatures

CryptBot payload (5 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2992-28-0x00000000039B0000-0x0000000003A53000-memory.dmp   family_cryptbot
  behavioral1/memory/2992-29-0x00000000039B0000-0x0000000003A53000-memory.dmp   family_cryptbot
  behavioral1/memory/2992-30-0x00000000039B0000-0x0000000003A53000-memory.dmp   family_cryptbot
  behavioral1/memory/2992-31-0x00000000039B0000-0x0000000003A53000-memory.dmp   family_cryptbot
  behavioral1/memory/2992-251-0x00000000039B0000-0x0000000003A53000-memory.dmp  family_cryptbot

Executes dropped EXE (2 IoCs)
  pid   process
  2784  Ottobre.exe.com
  2992  Ottobre.exe.com

Loads dropped DLL (2 IoCs)
  pid   process
  2780  cmd.exe
  2784  Ottobre.exe.com

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                 process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  335f90c29d9255fa1239707c5beb9600.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                          process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Ottobre.exe.com
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Ottobre.exe.com

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   process
  2992  Ottobre.exe.com
  2992  Ottobre.exe.com

Suspicious use of WriteProcessMemory (28 IoCs; each event is recorded 4 times, collapsed here with a count)
  description                       pid   process                               target process    count
  PID 2496 wrote to memory of 2388  2496  335f90c29d9255fa1239707c5beb9600.exe  dllhost.exe       4
  PID 2496 wrote to memory of 284   2496  335f90c29d9255fa1239707c5beb9600.exe  cmd.exe           4
  PID 284 wrote to memory of 2780   284   cmd.exe                               cmd.exe           4
  PID 2780 wrote to memory of 2792  2780  cmd.exe                               findstr.exe       4
  PID 2780 wrote to memory of 2784  2780  cmd.exe                               Ottobre.exe.com   4
  PID 2780 wrote to memory of 2996  2780  cmd.exe                               PING.EXE          4
  PID 2784 wrote to memory of 2992  2784  Ottobre.exe.com                       Ottobre.exe.com   4
Processes (depth in the process tree given as a number; each entry: image path, command line, PID, triggered signatures)

1  C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe"
   PID: 2496
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

  2  C:\Windows\SysWOW64\dllhost.exe
     command line: dllhost.exe
     PID: 2388

  2  C:\Windows\SysWOW64\cmd.exe
     command line: cmd /c cmd < Immobilita.jpeg
     PID: 284
     - Suspicious use of WriteProcessMemory

    3  C:\Windows\SysWOW64\cmd.exe
       command line: cmd
       PID: 2780
       - Loads dropped DLL
       - Suspicious use of WriteProcessMemory

      4  C:\Windows\SysWOW64\findstr.exe
         command line: findstr /V /R "^mumoPPZWGBimmUlaTguxGjzvRKrMQXdfkNTRNxDOmizugKidJWVUULLjMedyLjuIlRhMwaFmKaVnTjoiCMeTevxAwGtKrnejqKVvvxfd$" Deposto.jpeg
         PID: 2792

      4  C:\Windows\SysWOW64\PING.EXE
         command line: ping localhost -n 30
         PID: 2996
         - Runs ping.exe

      4  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
         command line: Ottobre.exe.com U
         PID: 2784
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

        5  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
           command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com U
           PID: 2992
           - Executes dropped EXE
           - Checks processor information in registry
           - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 872KB
MD5: 9c785807d7df67e25292763e4cb1f4f7
SHA1: befa1c8bba817d1b56d6383cdbc4177cd9c3e550
SHA256: 12c551302118d893bff89bcb45e915ada5d4a5f2467cacde9e5f163d2dcd1d79
SHA512: 8f1849c72120de2d8235c6d3d4f389055a262069e9e4692b8de83b2229e66b3e7233cd0817bf79b122027e44fd9f5ed86def8076cee45ec9f191c3e54806f1cb

Filesize: 503B
MD5: 3611fe089bdb6afb3fe4d4ec09e47d22
SHA1: 724b400e99ca66d5f18e98d227913cd793151bda
SHA256: a26dd7ee53256d1a72ed01f1f109ef192e142a05b3d26e7ce9afe025d2fd4a56
SHA512: 8335d51cf9ddc87f837ace6e204d5d64ef51004d02b764fba1d06fb4cd238c33ae8bd8bbf7b9463c9f49bbcabca9c8c8e196ddf105501778f1e3a7320eecc2bf

Filesize: 634KB
MD5: ce77273cb63c3f4999b6c7966071de93
SHA1: 22c58f53c6c60b889f8f770cb7b86b4a7953671e
SHA256: 4dff952a57883347535439e6830cc8fbc4579e61f502ed72aaa512acb3edb84f
SHA512: 5e585bf47168c0c4f2b1818428c60f7e3df88f8500afcf5afad0378a4a32bd6091565a4410de842c34af7e448e3fb4c9e59ddbdc0dcf0ceb5d3e4c04898d2773

Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Filesize: 413KB
MD5: bf9fec647d0748586dc52008b3f78c33
SHA1: d20976cf9d5000106f2010c32a925fa59930a9b5
SHA256: 908a2b93831f8c76e3d1ce3fe1d8a549e849450d28c88ddfcfc8099735ca269b
SHA512: d9b009a8ff1a69dd9b34593cab880d2b8a4f838f2a5d95fce3e5351422086d662e55f2065bb3a54afd53505503bf856d558135483440976589aa694c5841ef3d

Filesize: 412KB
MD5: 240a0895de29e5cddcab5307c548ea31
SHA1: 4658d15fd986b01894ed5768f0d6593433ca18c2
SHA256: 6af382092a3fc0bc5b1887e3967868160fcfc7c7825dab0b55ca8705cb5193f7
SHA512: a67539ce0996f24e9872a8bbf3da4508dee0f0bab93a3aaa468d50d66b64fa5a899a1a6bae01eb823cd1269a485332f0418ce6115c9659ca1853152ef580d318

Filesize: 666KB
MD5: 9d4c1ce3dde66558c9ce5023839040b0
SHA1: 97f0f1bad1e0a562a24d325b90f9b7e50ea04822
SHA256: 288326dbe1707422ae6164402f9c118c35d9f1ea39ba42b7881a0032cbe514ed
SHA512: 50c8d573177c1f6902e407833e9d9f32bc46228dc209008f0acb40d6a3a7fee0e4530a8cbec9e53ca7cbca114e3a5ae2505146b1f87bbf804f3f429e8627a05b