Analysis
- max time kernel: 174s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-01-2024 18:40
Static task: static1
Behavioral task: behavioral1
- Sample: ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe
- Resource: win10v2004-20231215-en
General
- Target: ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe
- Size: 1.6MB
- MD5: ecb1af6d6c9818c93ffb5c9a54ea9a8a
- SHA1: c74e20b6423d7536429ff8593c45ab6b999e473b
- SHA256: 7ef4fa243476257544a992beb265e6f26ea3a3f439488d27bd9700cae2199ae8
- SHA512: 4f5f1276b260face9b05a1c51eca4ec2d277303ffba6208ead7ed901299555705de8b50cff4dca4f2bd874d756e41a813503943c415e528d28607327b079037d
- SSDEEP: 49152:1YNosFaoyKxdY4nT+kWQZQtZOby7D/YPBVQ3IBbiLoSG:1K5a6dJPWQQtZO2PmBVQ3I1iLoZ
Malware Config
Extracted: cryptbot
- payload_url: http://ewsjasew03.top/download.php?file=lv.exe
Signatures
- CryptBot payload (5 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/5000-26-0x0000000003C80000-0x0000000003D63000-memory.dmp | family_cryptbot
behavioral2/memory/5000-27-0x0000000003C80000-0x0000000003D63000-memory.dmp | family_cryptbot
behavioral2/memory/5000-28-0x0000000003C80000-0x0000000003D63000-memory.dmp | family_cryptbot
behavioral2/memory/5000-30-0x0000000003C80000-0x0000000003D63000-memory.dmp | family_cryptbot
behavioral2/memory/5000-250-0x0000000003C80000-0x0000000003D63000-memory.dmp | family_cryptbot
- Manipulates Digital Signatures (1 TTPs, 3 IoCs)
Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
Processes: certutil.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | certutil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | certutil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | certutil.exe
- Executes dropped EXE (2 IoCs)
Processes: Illusione.com, Illusione.com
pid | process
4408 | Illusione.com
5000 | Illusione.com
- Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe
- Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: Illusione.com
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Illusione.com
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Illusione.com
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: Illusione.com
pid | process
5000 | Illusione.com
5000 | Illusione.com
- Suspicious use of WriteProcessMemory (27 IoCs)
Processes: ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe, cmd.exe, cmd.exe, Illusione.com
description | pid | process | target process
PID 756 wrote to memory of 2892 | 756 | ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe | cmd.exe
PID 756 wrote to memory of 2892 | 756 | ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe | cmd.exe
PID 756 wrote to memory of 2892 | 756 | ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe | cmd.exe
PID 756 wrote to memory of 4024 | 756 | ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe | cmd.exe
PID 756 wrote to memory of 4024 | 756 | ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe | cmd.exe
PID 756 wrote to memory of 4024 | 756 | ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe | cmd.exe
PID 4024 wrote to memory of 1596 | 4024 | cmd.exe | certutil.exe
PID 4024 wrote to memory of 1596 | 4024 | cmd.exe | certutil.exe
PID 4024 wrote to memory of 1596 | 4024 | cmd.exe | certutil.exe
PID 4024 wrote to memory of 1652 | 4024 | cmd.exe | cmd.exe
PID 4024 wrote to memory of 1652 | 4024 | cmd.exe | cmd.exe
PID 4024 wrote to memory of 1652 | 4024 | cmd.exe | cmd.exe
PID 1652 wrote to memory of 1320 | 1652 | cmd.exe | findstr.exe
PID 1652 wrote to memory of 1320 | 1652 | cmd.exe | findstr.exe
PID 1652 wrote to memory of 1320 | 1652 | cmd.exe | findstr.exe
PID 1652 wrote to memory of 1792 | 1652 | cmd.exe | certutil.exe
PID 1652 wrote to memory of 1792 | 1652 | cmd.exe | certutil.exe
PID 1652 wrote to memory of 1792 | 1652 | cmd.exe | certutil.exe
PID 1652 wrote to memory of 4408 | 1652 | cmd.exe | Illusione.com
PID 1652 wrote to memory of 4408 | 1652 | cmd.exe | Illusione.com
PID 1652 wrote to memory of 4408 | 1652 | cmd.exe | Illusione.com
PID 1652 wrote to memory of 3108 | 1652 | cmd.exe | PING.EXE
PID 1652 wrote to memory of 3108 | 1652 | cmd.exe | PING.EXE
PID 1652 wrote to memory of 3108 | 1652 | cmd.exe | PING.EXE
PID 4408 wrote to memory of 5000 | 4408 | Illusione.com | Illusione.com
PID 4408 wrote to memory of 5000 | 4408 | Illusione.com | Illusione.com
PID 4408 wrote to memory of 5000 | 4408 | Illusione.com | Illusione.com
Processes
- C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe"
  PID: 756
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c dOPsYvb
    PID: 2892
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c certutil -decode Sorso.xltm Pallore.accde & cmd < Pallore.accde
    PID: 4024
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\certutil.exe
      Command line: certutil -decode Sorso.xltm Pallore.accde
      PID: 1596
      Signatures: Manipulates Digital Signatures
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd
      PID: 1652
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^VagMWnXqBIFcKZdYcTQuiOWIjFBjSYnEBJsCtnoFZOuMjCNfLyEyGViicGmsXKiClqUqIOUWLkuzIlcJRjBNxaYFClubZRHgGDBk$" Sapro.vst
        PID: 1320
      - C:\Windows\SysWOW64\certutil.exe
        Command line: certutil -decode Subitanea.xlsx l
        PID: 1792
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com
        Command line: Illusione.com l
        PID: 4408
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com l
          PID: 5000
          Signatures: Executes dropped EXE; Checks processor information in registry; Suspicious use of FindShellTrayWindow
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 30
        PID: 3108
        Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads