Analysis
max time kernel: 84s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-12-2023 11:50
Static task: static1
Behavioral task: behavioral1
  Sample: 350d886a144175863ceed4fb8d7b0169.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 350d886a144175863ceed4fb8d7b0169.exe
  Resource: win10v2004-20231215-en
General
Target: 350d886a144175863ceed4fb8d7b0169.exe
Size: 1.4MB
MD5: 350d886a144175863ceed4fb8d7b0169
SHA1: ed6103720d1bf439bc1fceec666a9f5c688681c6
SHA256: 776755ae4c35c3d48837ed063af2048359eb7a37abddb0157e766a66caf10395
SHA512: 08b3deaab958b1958d2561711c1d6e6276792a3c30cf334c3403cb3931080279d2ccafeb402f7921ade29caf65b28b54f21325de22df3f2df5e6d039dc98623f
SSDEEP: 24576:2gZodD1T96h1TiPNS8y9OJlRpyqWCqZLTLrbQZH7VK:QOzTiPNxy9upqJJLcHB
Malware Config
Extracted: cryptbot
  haijwd23.top
  morqoi02.top
  payload_url: http://zelpdo03.top/download.php?file=lv.exe
Signatures

CryptBot payload (5 IoCs)
  resource  yara_rule
  behavioral2/memory/4132-26-0x0000000004410000-0x00000000044B3000-memory.dmp  family_cryptbot
  behavioral2/memory/4132-27-0x0000000004410000-0x00000000044B3000-memory.dmp  family_cryptbot
  behavioral2/memory/4132-28-0x0000000004410000-0x00000000044B3000-memory.dmp  family_cryptbot
  behavioral2/memory/4132-29-0x0000000004410000-0x00000000044B3000-memory.dmp  family_cryptbot
  behavioral2/memory/4132-233-0x0000000004410000-0x00000000044B3000-memory.dmp  family_cryptbot

Executes dropped EXE (2 IoCs)
  pid   process
  3428  Accendeva.exe.com
  4132  Accendeva.exe.com

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc  process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  350d886a144175863ceed4fb8d7b0169.exe

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc  process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  Accendeva.exe.com
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Accendeva.exe.com

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   process
  4132  Accendeva.exe.com

Suspicious use of WriteProcessMemory (21 IoCs)
  description                        pid   process                               target process
  PID 1064 wrote to memory of 1468   1064  350d886a144175863ceed4fb8d7b0169.exe  dllhost.exe
  PID 1064 wrote to memory of 1468   1064  350d886a144175863ceed4fb8d7b0169.exe  dllhost.exe
  PID 1064 wrote to memory of 1468   1064  350d886a144175863ceed4fb8d7b0169.exe  dllhost.exe
  PID 1064 wrote to memory of 3644   1064  350d886a144175863ceed4fb8d7b0169.exe  cmd.exe
  PID 1064 wrote to memory of 3644   1064  350d886a144175863ceed4fb8d7b0169.exe  cmd.exe
  PID 1064 wrote to memory of 3644   1064  350d886a144175863ceed4fb8d7b0169.exe  cmd.exe
  PID 3644 wrote to memory of 2184   3644  cmd.exe                               cmd.exe
  PID 3644 wrote to memory of 2184   3644  cmd.exe                               cmd.exe
  PID 3644 wrote to memory of 2184   3644  cmd.exe                               cmd.exe
  PID 2184 wrote to memory of 1124   2184  cmd.exe                               findstr.exe
  PID 2184 wrote to memory of 1124   2184  cmd.exe                               findstr.exe
  PID 2184 wrote to memory of 1124   2184  cmd.exe                               findstr.exe
  PID 2184 wrote to memory of 3428   2184  cmd.exe                               Accendeva.exe.com
  PID 2184 wrote to memory of 3428   2184  cmd.exe                               Accendeva.exe.com
  PID 2184 wrote to memory of 3428   2184  cmd.exe                               Accendeva.exe.com
  PID 2184 wrote to memory of 1688   2184  cmd.exe                               PING.EXE
  PID 2184 wrote to memory of 1688   2184  cmd.exe                               PING.EXE
  PID 2184 wrote to memory of 1688   2184  cmd.exe                               PING.EXE
  PID 3428 wrote to memory of 4132   3428  Accendeva.exe.com                     Accendeva.exe.com
  PID 3428 wrote to memory of 4132   3428  Accendeva.exe.com                     Accendeva.exe.com
  PID 3428 wrote to memory of 4132   3428  Accendeva.exe.com                     Accendeva.exe.com
Processes
C:\Users\Admin\AppData\Local\Temp\350d886a144175863ceed4fb8d7b0169.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\350d886a144175863ceed4fb8d7b0169.exe"
  PID: 1064
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\dllhost.exe
    command line: dllhost.exe
    PID: 1468
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c cmd < Noi.csv
    PID: 3644
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd
      PID: 2184
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\findstr.exe
        command line: findstr /V /R "^YamAocAZkiCmbGYvdmdlLsmuyeGxMPobeaMnKkwlzveVjWJfZZEFZlOGTaxyPuhcZybtUALynyQffDUpzdxNkDbREyFsQVchpHWimExmhmuTxnsfnk$" Partissero.csv
        PID: 1124
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com
        command line: Accendeva.exe.com x
        PID: 3428
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com
          command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accendeva.exe.com x
          PID: 4132
          - Executes dropped EXE
          - Checks processor information in registry
          - Suspicious use of FindShellTrayWindow
      C:\Windows\SysWOW64\PING.EXE
        command line: ping localhost -n 30
        PID: 1688
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads