Analysis
max time kernel: 150s
max time network: 167s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 31-12-2023 11:50
Static task: static1
Behavioral task: behavioral1
  Sample: 350d886a144175863ceed4fb8d7b0169.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 350d886a144175863ceed4fb8d7b0169.exe
  Resource: win10v2004-20231215-en
General
Target: 350d886a144175863ceed4fb8d7b0169.exe
Size: 1.4MB
MD5: 350d886a144175863ceed4fb8d7b0169
SHA1: ed6103720d1bf439bc1fceec666a9f5c688681c6
SHA256: 776755ae4c35c3d48837ed063af2048359eb7a37abddb0157e766a66caf10395
SHA512: 08b3deaab958b1958d2561711c1d6e6276792a3c30cf334c3403cb3931080279d2ccafeb402f7921ade29caf65b28b54f21325de22df3f2df5e6d039dc98623f
SSDEEP: 24576:2gZodD1T96h1TiPNS8y9OJlRpyqWCqZLTLrbQZH7VK:QOzTiPNxy9upqJJLcHB
Malware Config
Extracted
Family: cryptbot
haijwd23.top
morqoi02.top
payload_url: http://zelpdo03.top/download.php?file=lv.exe
Signatures
-
CryptBot payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2608-28-0x0000000003B20000-0x0000000003BC3000-memory.dmp | family_cryptbot
behavioral1/memory/2608-30-0x0000000003B20000-0x0000000003BC3000-memory.dmp | family_cryptbot
behavioral1/memory/2608-29-0x0000000003B20000-0x0000000003BC3000-memory.dmp | family_cryptbot
behavioral1/memory/2608-31-0x0000000003B20000-0x0000000003BC3000-memory.dmp | family_cryptbot
behavioral1/memory/2608-251-0x0000000003B20000-0x0000000003BC3000-memory.dmp | family_cryptbot
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
2760 | Accendeva.exe.com
2608 | Accendeva.exe.com
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
2828 | cmd.exe
2760 | Accendeva.exe.com
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 350d886a144175863ceed4fb8d7b0169.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Accendeva.exe.com
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Accendeva.exe.com
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
2608 | Accendeva.exe.com
2608 | Accendeva.exe.com
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
description | pid | process | target process
PID 860 wrote to memory of 2292 | 860 | 350d886a144175863ceed4fb8d7b0169.exe | dllhost.exe
PID 860 wrote to memory of 2292 | 860 | 350d886a144175863ceed4fb8d7b0169.exe | dllhost.exe
PID 860 wrote to memory of 2292 | 860 | 350d886a144175863ceed4fb8d7b0169.exe | dllhost.exe
PID 860 wrote to memory of 2292 | 860 | 350d886a144175863ceed4fb8d7b0169.exe | dllhost.exe
PID 860 wrote to memory of 2748 | 860 | 350d886a144175863ceed4fb8d7b0169.exe | cmd.exe
PID 860 wrote to memory of 2748 | 860 | 350d886a144175863ceed4fb8d7b0169.exe | cmd.exe
PID 860 wrote to memory of 2748 | 860 | 350d886a144175863ceed4fb8d7b0169.exe | cmd.exe
PID 860 wrote to memory of 2748 | 860 | 350d886a144175863ceed4fb8d7b0169.exe | cmd.exe
PID 2748 wrote to memory of 2828 | 2748 | cmd.exe | cmd.exe
PID 2748 wrote to memory of 2828 | 2748 | cmd.exe | cmd.exe
PID 2748 wrote to memory of 2828 | 2748 | cmd.exe | cmd.exe
PID 2748 wrote to memory of 2828 | 2748 | cmd.exe | cmd.exe
PID 2828 wrote to memory of 2840 | 2828 | cmd.exe | findstr.exe
PID 2828 wrote to memory of 2840 | 2828 | cmd.exe | findstr.exe
PID 2828 wrote to memory of 2840 | 2828 | cmd.exe | findstr.exe
PID 2828 wrote to memory of 2840 | 2828 | cmd.exe | findstr.exe
PID 2828 wrote to memory of 2760 | 2828 | cmd.exe | Accendeva.exe.com
PID 2828 wrote to memory of 2760 | 2828 | cmd.exe | Accendeva.exe.com
PID 2828 wrote to memory of 2760 | 2828 | cmd.exe | Accendeva.exe.com
PID 2828 wrote to memory of 2760 | 2828 | cmd.exe | Accendeva.exe.com
PID 2828 wrote to memory of 2860 | 2828 | cmd.exe | PING.EXE
PID 2828 wrote to memory of 2860 | 2828 | cmd.exe | PING.EXE
PID 2828 wrote to memory of 2860 | 2828 | cmd.exe | PING.EXE
PID 2828 wrote to memory of 2860 | 2828 | cmd.exe | PING.EXE
PID 2760 wrote to memory of 2608 | 2760 | Accendeva.exe.com | Accendeva.exe.com
PID 2760 wrote to memory of 2608 | 2760 | Accendeva.exe.com | Accendeva.exe.com
PID 2760 wrote to memory of 2608 | 2760 | Accendeva.exe.com | Accendeva.exe.com
PID 2760 wrote to memory of 2608 | 2760 | Accendeva.exe.com | Accendeva.exe.com
Processes
* C:\Users\Admin\AppData\Local\Temp\350d886a144175863ceed4fb8d7b0169.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\350d886a144175863ceed4fb8d7b0169.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 860
  * C:\Windows\SysWOW64\dllhost.exe
    Command line: dllhost.exe
    PID: 2292
  * C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c cmd < Noi.csv
    - Suspicious use of WriteProcessMemory
    PID: 2748
    * C:\Windows\SysWOW64\cmd.exe
      Command line: cmd
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2828
      * C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^YamAocAZkiCmbGYvdmdlLsmuyeGxMPobeaMnKkwlzveVjWJfZZEFZlOGTaxyPuhcZybtUALynyQffDUpzdxNkDbREyFsQVchpHWimExmhmuTxnsfnk$" Partissero.csv
        PID: 2840
      * C:\Windows\SysWOW64\PING.EXE
        Command line: ping localhost -n 30
        - Runs ping.exe
        PID: 2860
      * C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com
        Command line: Accendeva.exe.com x
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 2760
        * C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com x
          - Executes dropped EXE
          - Checks processor information in registry
          - Suspicious use of FindShellTrayWindow
          PID: 2608
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 317KB
MD5: dfb9f86fc1aaeb0ce52b1011e097ea17
SHA1: 9839683152bb06d4974e36eb46efb51b8779845a
SHA256: 4911a0e41a11183f52c232edc88b86364a0308b38cf14c4a6bf74ac250c907db
SHA512: 219c083cb8f356607a2fe87844ca8fe1ab022d135a73bdb280df9850ba7d820f8f503ebd5e45302ff68b66c1b52a9d9fd5812be4da76eeb94a101dd15a07853b
-
Filesize: 379KB
MD5: 38266beef9f45c06725c62a034fff972
SHA1: 34d9ba5b8d7194fbcfc8d13efc405e2602d41982
SHA256: 99ca03960db2a62d4efc31c0cd33cc76fb19f012d9057cd06887db47235657a9
SHA512: 31c73bd82a4b1e4fdb3eacb1b3a806d4088b1194962266fe2831d91cf8b90623b734a72b6490c94d7fd74ca295eeecff9cb0e67f99b9a2773c0d15a912a0ec29
-
Filesize: 462KB
MD5: 84ef5c32a31371a65046f932e7f6a6bc
SHA1: dbe4f4e2a852b50659eace92e816ed809ede5af2
SHA256: b6cf98e2e77ae5e63f42c9f9c2044aa6d7f6355972d3a0ba9d1d3b824c495433
SHA512: 43bd9f46f21ec6e20bb881ca92ed86550930525bb66e05980d6bee69dad861886658234caa69ce8d6a61946685f3bfdcbbcba48beddae98b2690a355ad2d1b6a
-
Filesize: 112KB
MD5: 4602b6c89355b31705ec1a4b0afb11d3
SHA1: 1b8cfc9af2b546ea174580b2be49b4c22ef23e03
SHA256: 07ffb6f787a34f3381afcd3bc6440d903c984a9371fa92bdcce465adc72b2821
SHA512: a7ee981cc40171da691dca3b893820174f68114b9fb414fdc8fe3e93025fc0fe7599cc58809956496287b3cf7cbf4c6c4c9e9cc70dc80bbf3115172f7967431f
-
Filesize: 299KB
MD5: df88d8ff01f9344acf2ad0cc8ace8c65
SHA1: f6797e623bba9d50e10e092006dad5b688276531
SHA256: 82cf4be4afe69a1cc84c79a768cd9a8cdad5bad82ad2d74c22f21cfb284913e3
SHA512: 8c56fa03d9c8a778064d1eae8b77af3eef27ff8d5275d5a6fd410df315eb2cdea7f684351a2e4c58b3487a0cc05af43b5665450d782752a0a6f19082fd20eb22
-
Filesize: 540B
MD5: 67f32c2840c3d4689692da04167dc66b
SHA1: 249b8d50c0ec618463877b185ceed2520a4583d5
SHA256: 5dc31062e2d78a5c11b252e52bf1c6bbc6c8a0f80c67f83dec6469718ce89fe6
SHA512: f5e9170032112a3a73610c74a80b8ae48aef76cfc42e8bfaa8fa14500b966bb8d8b9ceac024861aaa99dfe3eb126bc8e8139c053c194b30d33a0c60cfdea36ab
-
Filesize: 238KB
MD5: d29e5058076cf0cb52e2039ec1f30523
SHA1: a507324dbc5bdaad927334c892f7bc7e505c150c
SHA256: 0af8a283db9cceeeb8981535fa2f3e499975cb55df56bc00db650c1b62a2e3a8
SHA512: 5abba4de3a55d849993534585c3f77e3a00ebd25f4c283f4f43d90e9ef66a476ef431839cf20d463c3dc093c9c6542f6fe8a067a8f36c35562aee4a0622d6a04
-
Filesize: 307KB
MD5: 8c741474579c2958b04acf9444e622f6
SHA1: c62d6fbf62e572d95e8e3fdae84366d720fb94cc
SHA256: 31992a539c0e1cb81b7b891b71fa9031918413de1c0a06957e6458a3cea6b52d
SHA512: 8a1004f801ca32454e5aa4fce44cd6339dee71512ba098dedd9badc9dadaf17317f6765dd3492b6404377e305a9e0c21ef89db9d6eab68c71403512d087d10f5
-
Filesize: 3KB
MD5: 26f7a0b1e279b59e7e407f642836b7a4
SHA1: 169845b90448be8d94f09e6a0075e41497662f13
SHA256: 0ab6d9020601d320813896f60e086bc777b85e304072fb426a1b0bcb956f5146
SHA512: d5a2f1962d275870b400b1bdfe2161f88ef37553b7e614883f150fab0a6d4a1365599fd822f1a38d7d554b485487518208941f60941f8515b72673eaba4b82da
-
Filesize: 8KB
MD5: 15b703080ca044aeb4e6cc407e6138df
SHA1: 780e1f711030077e024f65c90443e236e4414e66
SHA256: cc2ce5ad62c23b718647cd0bbf9a7f22b314e993ed4e3f516551edabc53f008d
SHA512: 051223a108808bc3bc9f9a6cef0f49d214c8d1aa4285376a3aa37fbe310964262a4c9a50eb2693113240f1aa1c88a2e26caa594bc79be07f14e04474ce2533b3
-
Filesize: 44KB
MD5: 1481635784c1b44a629b2339619ea9b4
SHA1: 9fb6f85faa17d9a7eafe30e9335a4027478922c8
SHA256: 7ed5d7b9e372144ff8e31a4f4525864cfded9648aa20025c03061b65e1d93fb3
SHA512: 6fe880f828df1a8781e4988837c2611df0530c3163c6edcc1b934b4155bdd1a0ba8d81745279a4143c64ddb6f066c3fd0ccc1df15f4d2a749e4918229767722e
-
Filesize: 8KB
MD5: 23d847aee7366445ce04042e3f4021a4
SHA1: d9b34c536102067b3798a9e8b1c4a43ba20f78a2
SHA256: 665408837d53c4032190f79dabd7138020aeaa778d76b87fa0055e5d4a75fa08
SHA512: 4e5daafcb25b6cac75a29ac7de4c1fb4235e809e45dc3d6129f732b28be7ffb8bbdc04a918e3f1319244e246c47dbcccd79347e2778218a660f59823d5084fe7
-
Filesize: 37KB
MD5: ff11810de937792123c43dc1f9637910
SHA1: 9d01dccd7543625e3c637cd37363997664d9cd8a
SHA256: d5b501760dc3bb379442f543dbe38de27afc5e765fc8a3f5a200f4c0ea03ff73
SHA512: cfc473bc65205b1662b3235e1e5951311350b1168785a38192c28d478c6ff40f2b49d61820aa518b2aa001a5d070592f54ad7e14401e78066539bf8e74ea0c1f
-
Filesize: 327KB
MD5: 4334c0d0929ebb52cbc6b875728193d1
SHA1: 2aaf6a084160f4743ea0d05bf0dc7be7750ccc16
SHA256: b1a04a9434185091ceb1f7cb732368fc44848089d54bec081250f91d60ac4805
SHA512: bd90530f8da3a2a3292bd82daa2583ef1f6422f591d274b8ac7dd66f1503e52e5a8389e7f325e8ef4862e5f5dc986923761c6ad40e7d188a83a8fb2ff73344fc
-
Filesize: 309KB
MD5: 2d337e35c5fdbaf0aa77cc05e0acadee
SHA1: b2c3850ccfe3a9825a2caf0b05a02b9d02899c01
SHA256: 584a685e76da80f330e97116eea7c85d168f3d4160624f6e37331e1857b8fe4f
SHA512: 199fedd0266761f48281d8175d86296b4d30ba9087f9920c53c08a46a28341fc2a341a4a9858c7b0668c79ee1e886adccc4f4a37d76165400a2da9329814aa42