Analysis
  max time kernel:  1s
  max time network: 149s
  platform:         windows7_x64
  resource:         win7-20231129-en
  resource tags:    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  submitted:        31-12-2023 14:02
Static task: static1

Behavioral task: behavioral1
  Sample:   3906bd87156d29380e32e4aa14cdb61a.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample:   3906bd87156d29380e32e4aa14cdb61a.exe
  Resource: win10v2004-20231222-en
General
  Target: 3906bd87156d29380e32e4aa14cdb61a.exe
  Size:   612KB
  MD5:    3906bd87156d29380e32e4aa14cdb61a
  SHA1:   46bae4add1c9a9c1816a3b762d9dd13a5dd102b8
  SHA256: 199bbc42e66411fd345d097585df9bddba75ff75d0b927fc27d1259348f49793
  SHA512: d372f762d8e5753575682dbbae023657d474a0d8382298dc1f46d82588c0f5677e3c37750eabed5240c52b2223d6163e2bbee9757b4b2f68708b74ca81f07a58
  SSDEEP: 12288:BR/Myxywm00uwkZLMWfc6CcCuG3jz7nWiYeA1wdtavtVPNZMFOi2:gyxywRe49C9uGnWiT3Ef
Malware Config
Extracted
  cryptbot
    knudin72.top
    moreag07.top
  payload_url: http://sarafc10.top/download.php?file=lv.exe
Signatures

CryptBot payload (3 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2124-2-0x0000000003CD0000-0x0000000003D70000-memory.dmp   family_cryptbot
  behavioral1/memory/2124-3-0x0000000000400000-0x0000000002402000-memory.dmp   family_cryptbot
  behavioral1/memory/2124-227-0x0000000000400000-0x0000000002402000-memory.dmp family_cryptbot
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, among other data.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
Processes: 3906bd87156d29380e32e4aa14cdb61a.exe
  description        ioc                                                                                   process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      3906bd87156d29380e32e4aa14cdb61a.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  3906bd87156d29380e32e4aa14cdb61a.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: 3906bd87156d29380e32e4aa14cdb61a.exe
  pid   process
  2124  3906bd87156d29380e32e4aa14cdb61a.exe