Analysis

max time kernel: 1s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 09-01-2024 18:40
Static task: static1
Behavioral task: behavioral1
  Sample: ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe
  Resource: win10v2004-20231215-en
General

Target: ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe
Size: 1.6MB
MD5: ecb1af6d6c9818c93ffb5c9a54ea9a8a
SHA1: c74e20b6423d7536429ff8593c45ab6b999e473b
SHA256: 7ef4fa243476257544a992beb265e6f26ea3a3f439488d27bd9700cae2199ae8
SHA512: 4f5f1276b260face9b05a1c51eca4ec2d277303ffba6208ead7ed901299555705de8b50cff4dca4f2bd874d756e41a813503943c415e528d28607327b079037d
SSDEEP: 49152:1YNosFaoyKxdY4nT+kWQZQtZOby7D/YPBVQ3IBbiLoSG:1K5a6dJPWQQtZO2PmBVQ3I1iLoZ
Malware Config

Extracted: cryptbot
payload_url: http://ewsjasew03.top/download.php?file=lv.exe
Signatures

CryptBot payload (5 IoCs)
  yara rule family_cryptbot matched in behavioral1, PID 2604, memory region 0x00000000037B0000-0x0000000003893000 (dumps 29, 30, 31, 32 and 35):
    behavioral1/memory/2604-29-0x00000000037B0000-0x0000000003893000-memory.dmp
    behavioral1/memory/2604-30-0x00000000037B0000-0x0000000003893000-memory.dmp
    behavioral1/memory/2604-31-0x00000000037B0000-0x0000000003893000-memory.dmp
    behavioral1/memory/2604-32-0x00000000037B0000-0x0000000003893000-memory.dmp
    behavioral1/memory/2604-35-0x00000000037B0000-0x0000000003893000-memory.dmp
Adds Run key to start application (2 TTPs, 1 IoC)
  process: ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Note: a RunOnce value named wextract_cleanup<N> that calls advpack.dll,DelNodeRunDLL32 on an IXP<NNN>.TMP folder is the standard cleanup entry written by the Windows IExpress/wextract self-extracting stub; it deletes the extraction directory at the next logon. Together with the IXP000.TMP path in the process tree it shows the sample is an IExpress-style SFX wrapper around the dropped files. The key does not persist the payload, so treat it as an SFX fingerprint rather than a persistence indicator.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of WriteProcessMemory (16 IoCs)
  processes: ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe, cmd.exe
  PID 2500 (ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe) wrote to memory of PID 2064 (cmd.exe), 4 writes
  PID 2500 (ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe) wrote to memory of PID 2344 (cmd.exe), 4 writes
  PID 2344 (cmd.exe) wrote to memory of PID 2776 (certutil.exe), 4 writes
  PID 2344 (cmd.exe) wrote to memory of PID 2808 (cmd.exe), 4 writes
  Note: every pair is a parent writing into a child it has just created (the same parent/child edges as the process tree), which is what ordinary process creation looks like to a WriteProcessMemory hook. No write into an unrelated process is recorded, so this signature on its own does not indicate code injection here.
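Each signature above fires on a single event, and each of those events (certutil -decode, findstr, a loopback ping) is also common in benign administration. The following is an added example, not part of this report, of correlating them into one alert. The process-creation events are reconstructed from this report's process tree (parent PIDs as the tree depth and the WriteProcessMemory rows give them; the parent of Illusione.com PID 2604 is not shown, so it is recorded as 0). The ProcEvent type, the rule names and the thresholds (ping count of at least 10, marker line of at least 30 characters) are my own choices; the chain alert requires certutil -decode, a findstr /V marker strip, a loopback ping sleep and execution from an IXP<NNN>.TMP folder to all occur under one root process.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Process-creation events constructed from the process tree in this report.
# Parent PIDs follow the tree depth and the WriteProcessMemory rows; the
# sandbox lists Illusione.com PID 2604 at the top level with no parent, so its
# ppid is recorded as 0 (unknown).
EVENTS = [
    ProcEvent(2500, 0, r"C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe"'),
    ProcEvent(2064, 2500, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c dOPsYvb"),
    ProcEvent(2344, 2500, r"C:\Windows\SysWOW64\cmd.exe",
              "cmd /c certutil -decode Sorso.xltm Pallore.accde & cmd < Pallore.accde"),
    ProcEvent(2776, 2344, r"C:\Windows\SysWOW64\certutil.exe",
              "certutil -decode Sorso.xltm Pallore.accde"),
    ProcEvent(2808, 2344, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    ProcEvent(2840, 2808, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /V /R "^VagMWnXqBIFcKZdYcTQuiOWIjFBjSYnEBJsCtnoFZOuMjCNfLyEyGViicGmsXKiClqUqIOUWLkuzIlcJRjBNxaYFClubZRHgGDBk$" Sapro.vst'),
    ProcEvent(2816, 2808, r"C:\Windows\SysWOW64\certutil.exe", "certutil -decode Subitanea.xlsx l"),
    ProcEvent(2108, 2808, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 30"),
    ProcEvent(2700, 2808, r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com", "Illusione.com l"),
    ProcEvent(2604, 0, r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com",
              r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com l"),
]


def image_name(ev: ProcEvent) -> str:
    return ev.image.rsplit("\\", 1)[-1].lower()


def is_certutil_decode(ev: ProcEvent) -> bool:
    return image_name(ev) == "certutil.exe" and re.search(r"\s-decode\b", ev.cmdline, re.I) is not None


def is_findstr_marker_strip(ev: ProcEvent) -> bool:
    # findstr /V /R "^<long alphanumeric run>$": remove one marker line from a staged file
    return image_name(ev) == "findstr.exe" and \
        re.search(r'/V\s+/R\s+"\^[A-Za-z0-9]{30,}\$"', ev.cmdline) is not None


def is_ping_sleep(ev: ProcEvent, min_count: int = 10) -> bool:
    # ping <loopback> -n N is a sleep of roughly N seconds without a sleep binary
    if image_name(ev) != "ping.exe":
        return False
    m = re.search(r"(127\.0\.0\.1|localhost)\s+-n\s+(\d+)", ev.cmdline)
    return m is not None and int(m.group(2)) >= min_count


def is_cmd_script_from_stdin(ev: ProcEvent) -> bool:
    # "cmd < file": a command script fed on stdin, so its lines never appear in a command line
    return image_name(ev) == "cmd.exe" and re.search(r"\bcmd(\.exe)?\s*<\s*\S+", ev.cmdline) is not None


def is_exec_from_ixp_temp(ev: ProcEvent) -> bool:
    # IXP<NNN>.TMP under %TEMP% is the IExpress/wextract extraction directory
    return re.search(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", ev.image, re.I) is not None


RULES = {
    "certutil_decode": is_certutil_decode,
    "findstr_marker_strip": is_findstr_marker_strip,
    "ping_loopback_sleep": is_ping_sleep,
    "cmd_script_from_stdin": is_cmd_script_from_stdin,
    "exec_from_ixp_temp": is_exec_from_ixp_temp,
}

# Rules that must all fire under one root for the chain alert (assumed threshold).
STAGING_CHAIN = {"certutil_decode", "findstr_marker_strip", "ping_loopback_sleep", "exec_from_ixp_temp"}


def match_rules(events):
    """Per-rule hits: rule name -> set of PIDs that matched."""
    hits = defaultdict(set)
    for ev in events:
        for name, pred in RULES.items():
            if pred(ev):
                hits[name].add(ev.pid)
    return dict(hits)


def root_of(ev: ProcEvent, by_pid) -> int:
    while ev.ppid in by_pid:
        ev = by_pid[ev.ppid]
    return ev.pid


def staging_chain_roots(events):
    """Correlate single-event hits up the parent chain: each root process under
    which every STAGING_CHAIN rule fired is reported once, so the individual
    LOLBin hits (noisy on their own) become one high-confidence alert."""
    by_pid = {e.pid: e for e in events}
    per_root = defaultdict(set)
    for ev in events:
        for name, pred in RULES.items():
            if pred(ev):
                per_root[root_of(ev, by_pid)].add(name)
    return sorted(root for root, names in per_root.items() if STAGING_CHAIN <= names)


if __name__ == "__main__":
    for name, pids in match_rules(EVENTS).items():
        print(f"{name}: {sorted(pids)}")
    print("staging chain roots:", staging_chain_roots(EVENTS))
```

Run against the reconstructed events the chain alert names only the SFX root PID 2500; the orphaned PID 2604 matches exec_from_ixp_temp but has no parent linkage, which is exactly the gap the correlation exposes when a sandbox or EDR loses a parent.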
Processes

C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe  [PID 2500]
    cmdline: "C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  [PID 2064]
      cmdline: cmd /c dOPsYvb
  C:\Windows\SysWOW64\cmd.exe  [PID 2344]
      cmdline: cmd /c certutil -decode Sorso.xltm Pallore.accde & cmd < Pallore.accde
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  [PID 2808]
        cmdline: cmd
      C:\Windows\SysWOW64\findstr.exe  [PID 2840]
          cmdline: findstr /V /R "^VagMWnXqBIFcKZdYcTQuiOWIjFBjSYnEBJsCtnoFZOuMjCNfLyEyGViicGmsXKiClqUqIOUWLkuzIlcJRjBNxaYFClubZRHgGDBk$" Sapro.vst
      C:\Windows\SysWOW64\certutil.exe  [PID 2816]
          cmdline: certutil -decode Subitanea.xlsx l
      C:\Windows\SysWOW64\PING.EXE  [PID 2108]
          cmdline: ping 127.0.0.1 -n 30
          - Runs ping.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com  [PID 2700]
          cmdline: Illusione.com l
C:\Windows\SysWOW64\certutil.exe  [PID 2776]  (listed by the sandbox at the top level; the WriteProcessMemory rows show cmd.exe PID 2344 as its parent)
    cmdline: certutil -decode Sorso.xltm Pallore.accde
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com  [PID 2604]  (listed at the top level; this is the process whose memory region matched the family_cryptbot rule)
    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com l

Reading the tree: the SFX stub extracts its contents to IXP000.TMP, then cmd.exe uses certutil -decode to turn Sorso.xltm into Pallore.accde and feeds that file to a second cmd.exe on stdin, so Pallore.accde is a command script whose lines never show up in any command line. That script strips one marker line from Sapro.vst with findstr /V, decodes Subitanea.xlsx into a file named l with certutil, sleeps roughly 30 seconds with ping 127.0.0.1 -n 30, and runs Illusione.com with l as its argument. The CryptBot payload is found unpacked in the memory of an Illusione.com instance (PID 2604), not on disk under its own name.
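To see what the two LOLBin steps in that script do to a staged file, here is an added example (not from the report and not the sample's own code) that emulates findstr /V /R and certutil -decode in Python on a constructed input. The payload bytes and the PEM wrapping are placeholders; the marker string is the one from the findstr command line above. The report does not show the real contents of Sapro.vst or Subitanea.xlsx, nor where findstr's output goes (redirection is handled by cmd.exe and never appears in findstr's own command line), so applying the marker strip and the decode to one file below is an assumption made for illustration.

```python
import base64
import binascii
import re

PEM_LINE = re.compile(r"^-----(BEGIN|END) [A-Z ]+-----$")


def findstr_v_r(text: str, pattern: str) -> str:
    """Emulate `findstr /V /R "<pattern>" file`: output every line that does
    NOT match the regular expression. For an anchored literal such as the
    ^...$ marker in this report, findstr's /R syntax and Python's re agree."""
    kept = [ln for ln in text.splitlines() if re.search(pattern, ln) is None]
    return "".join(ln + "\n" for ln in kept)


def certutil_decode(text: str) -> bytes:
    """Emulate `certutil -decode in out`: drop optional -----BEGIN/END ...-----
    lines, join the remaining base64 text and decode it strictly."""
    body = "".join(ln.strip() for ln in text.splitlines() if not PEM_LINE.match(ln))
    return base64.b64decode(body, validate=True)


# Constructed stand-in for a staged file: a PEM-wrapped base64 payload with one
# marker line inserted in the middle. The payload bytes are placeholders, not
# the real dropper; the marker is the one from the findstr command line.
PAYLOAD = b"MZ\x90\x00" + bytes(range(256)) * 2
MARKER = "VagMWnXqBIFcKZdYcTQuiOWIjFBjSYnEBJsCtnoFZOuMjCNfLyEyGViicGmsXKiClqUqIOUWLkuzIlcJRjBNxaYFClubZRHgGDBk"


def build_staged_file(payload: bytes, marker: str) -> str:
    lines = base64.encodebytes(payload).decode().splitlines()  # 76-column base64 lines
    lines.insert(len(lines) // 2, marker)                       # marker hidden mid-file
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


STAGED = build_staged_file(PAYLOAD, MARKER)


def recover(staged: str, marker: str) -> bytes:
    """The two-step chain from the process tree: strip the marker line, then decode."""
    return certutil_decode(findstr_v_r(staged, "^" + re.escape(marker) + "$"))


def decode_without_cleanup(staged: str):
    """What `certutil -decode` yields if the marker line is left in place: an
    error (non-base64 characters or bad padding) or corrupted bytes, never the
    original payload."""
    try:
        return certutil_decode(staged)
    except (binascii.Error, ValueError):
        return None


if __name__ == "__main__":
    print("lines in staged file:", len(STAGED.splitlines()))
    print("recovered == payload:", recover(STAGED, MARKER) == PAYLOAD)
    print("decode without cleanup == payload:", decode_without_cleanup(STAGED) == PAYLOAD)
```

Because the marker consists only of base64-alphabet characters, leaving it in place does not necessarily make the decode fail; it silently corrupts the output instead, which is why an analyst reproducing such a chain offline should compare the recovered bytes against a known hash rather than trust a clean exit code.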
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 27KB
MD5: ff0a5d410cb9c7ac26fb826444110430
SHA1: 999a5a7c1957091e2972974db59f02c7465e1d4a
SHA256: 660bf9d18618e101d9f547ee57329731e8c36d9e6b41c22b8d2db5aceadf4e6c
SHA512: 6958e216cb2b872f1df7626be10a097ef1ab8990a5cad354e2002f872acab0b162d55d882735c3f477a528cb41142f3254e68ae30b07a1ccf97e58c882c0c8cc

Filesize: 38KB
MD5: 8ed844dfd87dade7cf42085edcbeed5b
SHA1: 6a32bd4c765b720988105f155ff0f7ef24d4d635
SHA256: 39960e1c7fe74e983fc1f3772a0fca8be5835d4928524dd56848b459c232756c
SHA512: 26258c17fe26db165c583aa91ad33179dc5ed1069382e2dd25ed96b3061376e01bddf5dfc5ef1fdc3004741e87855bd31ddc99c0e0eb3732c575df402c1fd48c