Analysis
-
max time kernel
28s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system -
submitted
09-01-2024 18:30
Static task
static1
Behavioral task
behavioral1
Sample
f23000a51a7ac80b39bab71e83c3983a.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
f23000a51a7ac80b39bab71e83c3983a.exe
Resource
win10v2004-20231222-en
General
-
Target
f23000a51a7ac80b39bab71e83c3983a.exe
-
Size
1.5MB
-
MD5
f23000a51a7ac80b39bab71e83c3983a
-
SHA1
647a3ce6cfc9e4a4f5c952678d8c7bda038a14f5
-
SHA256
bd7020c913d0170d15354c8e693a4b2469d2332768ef477c702bd1c51e41887c
-
SHA512
e7193498cea1d3a56a4a207c3f94aff45b591d4dc95b2ba67830a1252dd79560b63c8abdb36216f90e74fae22123c38f82b606953551ca54f1b015ca987ee7f3
-
SSDEEP
24576:VyEptD7sRjWDFtr9xE8OoNTtfvJeqkIftCstIt2J5CNmfh8+IED471iuejTya:jZARsFtrTRbdtw4tC0LkyqED4xiuej
Malware Config
Extracted
Family
cryptbot
C2
ewaqfe45.top
morjau04.top
-
payload_url
http://winhaf05.top/download.php?file=lv.exe
Signatures
-
CryptBot payload 5 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/memory/2996-28-0x00000000039F0000-0x0000000003A93000-memory.dmp  family_cryptbot
behavioral1/memory/2996-30-0x00000000039F0000-0x0000000003A93000-memory.dmp  family_cryptbot
behavioral1/memory/2996-29-0x00000000039F0000-0x0000000003A93000-memory.dmp  family_cryptbot
behavioral1/memory/2996-31-0x00000000039F0000-0x0000000003A93000-memory.dmp  family_cryptbot
behavioral1/memory/2996-251-0x00000000039F0000-0x0000000003A93000-memory.dmp family_cryptbot
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
2168  Vorra.exe.com
2996  Vorra.exe.com
-
Loads dropped DLL 2 IoCs
Processes:
pid   process
2036  cmd.exe
2168  Vorra.exe.com
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Note: a RunOnce value named wextract_cleanup<N> that calls advpack.dll,DelNodeRunDLL32 on an IXP<NNN>.TMP folder is the standard cleanup entry written by a Windows IExpress/WEXTRACT self-extracting package. It deletes the extraction folder at the next logon; it does not relaunch the payload. Read it as evidence that the sample is an IExpress-style self-extractor that unpacked into %TEMP%\IXP000.TMP, not as persistence.
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
process: f23000a51a7ac80b39bab71e83c3983a.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description: Key opened
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
process: Vorra.exe.com
description: Key value queried
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
process: Vorra.exe.com
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid   process
2996  Vorra.exe.com
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
description                       pid   process                               target process
PID 3060 wrote to memory of 3056  3060  f23000a51a7ac80b39bab71e83c3983a.exe  cmd.exe
PID 3060 wrote to memory of 3004  3060  f23000a51a7ac80b39bab71e83c3983a.exe  cmd.exe
PID 3004 wrote to memory of 2036  3004  cmd.exe                               cmd.exe
PID 2036 wrote to memory of 3028  2036  cmd.exe                               findstr.exe
PID 2036 wrote to memory of 2168  2036  cmd.exe                               Vorra.exe.com
PID 2036 wrote to memory of 1324  2036  cmd.exe                               PING.EXE
PID 2168 wrote to memory of 2996  2168  Vorra.exe.com                         Vorra.exe.com
(each parent/child pair is recorded four times in the report, 28 IoCs in total)
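As an added triage example (not part of the sandbox report), the Python below turns the WriteProcessMemory records above into a parent/child spawn tree. The input lines are copied from the table (one duplicate left in to show that repeats collapse); the record regex, the tree builder, the depth helper and the renderer are mine and assume the "PID <src> wrote to memory of <dst> <src> <image> <target image>" layout shown on this page.

```python
"""Rebuild the spawn tree from a sandbox report's 'wrote to memory of' IoC lines.

The report lists one WriteProcessMemory IoC per line, repeated several times per
parent/child pair. Deduplicating the pairs and chaining them by PID recovers the
process tree without relying on the (easily garbled) indentation of the HTML view.
"""
import re
from collections import defaultdict

# Constructed input: the seven distinct records from the report above, with one
# duplicate left in to show that repeats are collapsed.
IOC_LINES = """\
PID 3060 wrote to memory of 3056 3060 f23000a51a7ac80b39bab71e83c3983a.exe cmd.exe
PID 3060 wrote to memory of 3056 3060 f23000a51a7ac80b39bab71e83c3983a.exe cmd.exe
PID 3060 wrote to memory of 3004 3060 f23000a51a7ac80b39bab71e83c3983a.exe cmd.exe
PID 3004 wrote to memory of 2036 3004 cmd.exe cmd.exe
PID 2036 wrote to memory of 3028 2036 cmd.exe findstr.exe
PID 2036 wrote to memory of 2168 2036 cmd.exe Vorra.exe.com
PID 2036 wrote to memory of 1324 2036 cmd.exe PING.EXE
PID 2168 wrote to memory of 2996 2168 Vorra.exe.com Vorra.exe.com
"""

# Layout assumed from the report: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
RECORD = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_name>\S+) (?P<dst_name>\S+)"
)


def parse_edges(text):
    """Return unique (src_pid, dst_pid, src_image, dst_image) tuples in first-seen order."""
    seen = {}
    for m in RECORD.finditer(text):
        key = (int(m["src"]), int(m["dst"]))
        seen.setdefault(key, (m["src_name"], m["dst_name"]))
    return [(s, d, sn, dn) for (s, d), (sn, dn) in seen.items()]


def build_tree(edges):
    """Map each parent PID to its children (in record order) and each PID to its image name."""
    children = defaultdict(list)
    names = {}
    for src, dst, src_name, dst_name in edges:
        children[src].append(dst)
        names.setdefault(src, src_name)
        names.setdefault(dst, dst_name)
    targets = {dst for _, dst, _, _ in edges}
    roots = sorted(pid for pid in names if pid not in targets)
    return children, names, roots


def depths(edges):
    """Depth of every PID below its root (root = 0)."""
    children, _, roots = build_tree(edges)
    out = {}
    stack = [(r, 0) for r in roots]
    while stack:
        pid, d = stack.pop()
        out[pid] = d
        stack.extend((c, d + 1) for c in children.get(pid, []))
    return out


def render(edges):
    """Indented text tree, two spaces per level, children in record order."""
    children, names, roots = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{names[pid]} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(parse_edges(IOC_LINES)))
```

One caveat when reading this signature: every "wrote to memory of" target here is a process that appears as a child of the writer in the process list, so these are the writes a parent makes while starting a child, not injection into an unrelated process. The record order is the spawn order, which is what the tree relies on; the sandbox's own tree view carries the same information when its indentation survives.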
Processes
-
C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe
"C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3060
  -
  C:\Windows\SysWOW64\cmd.exe
  cmd /c rgmLAtaO
  PID:3056
  -
  C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Pel.pptx
  - Suspicious use of WriteProcessMemory
  PID:3004
    -
    C:\Windows\SysWOW64\cmd.exe
    cmd
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2036
      -
      C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^zhstQWiUaSsAnmkEODbzVxaWPpDrIiPtovZYFBuQSwQDdEWokoffoLwZVcgHzrklejseAhZhbHAUDOGlhxSmSAWbcqephnvOQFArhTIXpeSAlucuPrzYkLaCdUGAkPqYlMtYhCXzLUdQHchgE$" Aggiogati.pptx
      PID:3028
      -
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com
      Vorra.exe.com o
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:2168
        -
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com o
        - Executes dropped EXE
        - Checks processor information in registry
        - Suspicious use of FindShellTrayWindow
        PID:2996
      -
      C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 30
      - Runs ping.exe
      PID:1324
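The chain above is a recognisable staging pattern: cmd reads its script from stdin out of a file with a document extension (cmd < Pel.pptx), findstr /V /R strips a single long marker line from another "document" (Aggiogati.pptx) to rebuild an executable, the result runs as a double-extension file (Vorra.exe.com) from the IExpress extraction folder, and ping localhost -n 30 is used as a roughly 30-second sleep. As an added detection example, not part of the report, the Python below encodes those observations as rules over constructed process-creation events that mirror the command lines above (plus one benign control), then correlates hits up the parent chain so the final payload process inherits what its ancestors did. The event layout, the parent PIDs 1000 and 4000, the document-extension list and the threshold of three rules are my assumptions to tune, not values from the report.

```python
"""Flag process-creation events that match the staging chain shown in the process tree.

Each rule is a small predicate over (image path, command line). Hits are correlated
up the parent chain so a payload process is judged together with its ancestors.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed events mirroring the report's process list. The parent PIDs 1000 and
# 4000 (the launchers) and the benign control event are assumptions for the demo.
EVENTS = [
    Event(3060, 1000, r"C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a.exe"'),
    Event(3056, 3060, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c rgmLAtaO"),
    Event(3004, 3060, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c cmd < Pel.pptx"),
    Event(2036, 3004, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    Event(3028, 2036, r"C:\Windows\SysWOW64\findstr.exe",
          'findstr /V /R "^zhstQWiUaSsAnmkEODbzVxaWPpDrIiPtovZYFBuQSwQDdEWokoffoLwZVcgHzrklejseAhZhbHAUDOGlhxSmSAWbcqephnvOQFArhTIXpeSAlucuPrzYkLaCdUGAkPqYlMtYhCXzLUdQHchgE$" Aggiogati.pptx'),
    Event(2168, 2036, r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com", "Vorra.exe.com o"),
    Event(1324, 2036, r"C:\Windows\SysWOW64\PING.EXE", "ping localhost -n 30"),
    Event(2996, 2168, r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com",
          r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com o"),
    # Benign control (constructed): an admin pinging a host once from a shell.
    Event(4100, 4000, r"C:\Windows\System32\PING.EXE", "ping 10.0.0.1 -n 1"),
]

# Extensions a shell should never be reading a script from via stdin.
# Assumption: extend this list to whatever document types your environment sees.
DOC_EXT = r"pptx|docx|xlsx|pdf|jpg|png|txt"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def r_cmd_stdin_from_document(e):
    # "cmd < file.pptx": the batch script is fed through stdin from a fake document.
    return basename(e.image) == "cmd.exe" and re.search(
        rf'<\s*"?[^\s"<>]+\.({DOC_EXT})"?(\s|$)', e.cmdline, re.I) is not None


def r_findstr_strip_marker(e):
    # findstr /V drops lines matching the pattern; a long random ^...$ anchor removes
    # exactly one marker line, i.e. it rebuilds a file hidden inside another file.
    return basename(e.image) == "findstr.exe" and re.search(
        r'/V\b.*"\^[A-Za-z0-9]{40,}\$"', e.cmdline) is not None


def r_ping_localhost_delay(e):
    # ping localhost -n N is a sleep of roughly N seconds; tune the threshold.
    m = re.match(r"ping\s+(localhost|127\.0\.0\.1)\s+-n\s+(\d+)", e.cmdline, re.I)
    return basename(e.image) == "ping.exe" and m is not None and int(m.group(2)) >= 10


def r_double_extension_in_temp(e):
    return "\\temp\\" in e.image.lower() and basename(e.image).endswith(".exe.com")


def r_ixp_tmp_staging(e):
    # IXP<NNN>.TMP is the extraction folder of an IExpress/WEXTRACT package.
    return re.search(r"\\IXP\d{3}\.TMP\\", e.image, re.I) is not None


RULES = [r_cmd_stdin_from_document, r_findstr_strip_marker, r_ping_localhost_delay,
         r_double_extension_in_temp, r_ixp_tmp_staging]


def hits(events):
    """pid -> names of rules that fire on that event (events with no hit are omitted)."""
    out = {}
    for e in events:
        names = [r.__name__[2:] for r in RULES if r(e)]
        if names:
            out[e.pid] = names
    return out


def chain_hits(events, pid):
    """Distinct rule names fired by pid and by every ancestor present in events."""
    by_pid = {e.pid: e for e in events}
    h = hits(events)
    found = set()
    while pid in by_pid:
        found.update(h.get(pid, []))
        pid = by_pid[pid].ppid
    return sorted(found)


def staging_chains(events, threshold=3):
    """PIDs whose own ancestry triggers at least `threshold` distinct rules."""
    return [e.pid for e in events if len(chain_hits(events, e.pid)) >= threshold]


if __name__ == "__main__":
    for pid, names in hits(EVENTS).items():
        print(pid, names)
    print("staging chains:", staging_chains(EVENTS))
```

Each rule on its own is noisy (ping -n delays and findstr /V both have legitimate uses), which is why the verdict comes from chain_hits rather than from single events: the Vorra.exe.com processes are flagged because their ancestry combines the stdin-from-document trick, the double-extension payload and the IExpress folder, while the lone benign ping is not.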
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
0B (these are the digests of empty input; the download returned no content)
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
487B
MD5
b508376c348b13291d124eab9cce3534
SHA1
26e23e157da1b214a98d84c581c103a97d2f4121
SHA256
a0a6240b767c17f2bbe16985044599f369fdee62ee626a4326e975edbb01a9b4
SHA512
018c7dcf04180da81065647d957e4d08e40ee7e6ca93fe70ab6bfa49ab8532fcd40fe9add8ddc09816e343f04174b1d3e3dc16ba4cd7c93545814fc1992256b8