Analysis
max time kernel: 147s
max time network: 160s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31-12-2023 11:24
Static task: static1
Behavioral task: behavioral1
Sample: 3436bc5cb6d4783a01dbfac2504343cb.exe
Resource: win7-20231215-en
General
Target: 3436bc5cb6d4783a01dbfac2504343cb.exe
Size: 559KB
MD5: 3436bc5cb6d4783a01dbfac2504343cb
SHA1: ab90b850b9eb00a034b5cbdce8c2a5abdd04b132
SHA256: 0491af1e13f4b5d1725e5320e15d5aa0470d726418da43c6d08706d2f978d5ab
SHA512: 2cccffb89620206653a8a48f28bebd6e62a85008346638809e743eccb40dd65058c837598a5e61fb5fdf1b62934672271c19499a4ff78b5321eaa5eac3c13eab
SSDEEP: 12288:7KO7xpz80l/qX/nXut0dvnEUXrGvceCZwTsvsQ:9tqPn+t0dHrIceCZw
Malware Config
Extracted: cryptbot
haiezf32.top
morcyr03.top
payload_url: http://zelstb04.top/download.php?file=lv.exe
Signatures

CryptBot payload (4 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2900-2-0x0000000000220000-0x00000000002C0000-memory.dmp | family_cryptbot
behavioral1/memory/2900-3-0x0000000000400000-0x0000000002CC3000-memory.dmp | family_cryptbot
behavioral1/memory/2900-226-0x0000000000400000-0x0000000002CC3000-memory.dmp | family_cryptbot
behavioral1/memory/2900-230-0x0000000000220000-0x00000000002C0000-memory.dmp | family_cryptbot

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 3436bc5cb6d4783a01dbfac2504343cb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 3436bc5cb6d4783a01dbfac2504343cb.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid | process
2900 | 3436bc5cb6d4783a01dbfac2504343cb.exe
2900 | 3436bc5cb6d4783a01dbfac2504343cb.exe
Downloads