Analysis
- max time kernel: 168s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-12-2023 10:57
Static task: static1
Behavioral task: behavioral1
- Sample: 335f90c29d9255fa1239707c5beb9600.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 335f90c29d9255fa1239707c5beb9600.exe
- Resource: win10v2004-20231215-en
General
- Target: 335f90c29d9255fa1239707c5beb9600.exe
- Size: 1.4MB
- MD5: 335f90c29d9255fa1239707c5beb9600
- SHA1: 9fd4fe27fb41c97bd3288c29fc30af778302443c
- SHA256: 5a1a8ce59103a53a79bab7db80b55ade80805711dad05d3e974d8f252bf53e2b
- SHA512: 1df0f37f8014865fc7a4caf1c3335a355a17679fab612a30f82dcac87184be9f395b0060b95cef84a41b2a554834306171395e46c6d7e55a9c95ffdee254b765
- SSDEEP: 24576:nfTe/ii2PVr6CtkgXpfWwRzyT3oDv3x0JkG8mmJFsPIhQRfVmaRFE2RxC0hkH:f2ii2Nr6afXVW4OT3CvymVr6DRf4aPE4
Malware Config
Extracted
- cryptbot
  - ewazqx71.top
  - moraiw07.top
- payload_url: http://winfyn10.top/download.php?file=lv.exe
Signatures
- CryptBot payload (5 IoCs)
  Processes (resource / yara_rule):
    behavioral2/memory/2656-26-0x00000000047D0000-0x0000000004873000-memory.dmp: family_cryptbot
    behavioral2/memory/2656-27-0x00000000047D0000-0x0000000004873000-memory.dmp: family_cryptbot
    behavioral2/memory/2656-28-0x00000000047D0000-0x0000000004873000-memory.dmp: family_cryptbot
    behavioral2/memory/2656-29-0x00000000047D0000-0x0000000004873000-memory.dmp: family_cryptbot
    behavioral2/memory/2656-30-0x00000000047D0000-0x0000000004873000-memory.dmp: family_cryptbot
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
    3248 Ottobre.exe.com
    2656 Ottobre.exe.com
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (335f90c29d9255fa1239707c5beb9600.exe)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Ottobre.exe.com)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Ottobre.exe.com)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid / process):
    2656 Ottobre.exe.com
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description / pid / process / target process; each event appears three times in the report):
    PID 3264 wrote to memory of 1612: 3264 335f90c29d9255fa1239707c5beb9600.exe -> dllhost.exe
    PID 3264 wrote to memory of 944: 3264 335f90c29d9255fa1239707c5beb9600.exe -> cmd.exe
    PID 944 wrote to memory of 1116: 944 cmd.exe -> cmd.exe
    PID 1116 wrote to memory of 4328: 1116 cmd.exe -> findstr.exe
    PID 1116 wrote to memory of 3248: 1116 cmd.exe -> Ottobre.exe.com
    PID 1116 wrote to memory of 2152: 1116 cmd.exe -> PING.EXE
    PID 3248 wrote to memory of 2656: 3248 Ottobre.exe.com -> Ottobre.exe.com
Processes
C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe"
  PID: 3264
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\dllhost.exe
    Command: dllhost.exe
    PID: 1612
  C:\Windows\SysWOW64\cmd.exe
    Command: cmd /c cmd < Immobilita.jpeg
    PID: 944
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command: cmd
      PID: 1116
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\findstr.exe
        Command: findstr /V /R "^mumoPPZWGBimmUlaTguxGjzvRKrMQXdfkNTRNxDOmizugKidJWVUULLjMedyLjuIlRhMwaFmKaVnTjoiCMeTevxAwGtKrnejqKVvvxfd$" Deposto.jpeg
        PID: 4328
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
        Command: Ottobre.exe.com U
        PID: 3248
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
          Command: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com U
          PID: 2656
          - Executes dropped EXE
          - Checks processor information in registry
          - Suspicious use of FindShellTrayWindow
      C:\Windows\SysWOW64\PING.EXE
        Command: ping localhost -n 30
        PID: 2152
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads