Analysis

max time kernel: 158s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-01-2024 19:01

Static task: static1
Behavioral task: behavioral1
Sample: eace6cd84265058817841921eb59d13a.exe
Resource: win7-20231129-en
General

Target: eace6cd84265058817841921eb59d13a.exe
Size: 663KB
MD5: eace6cd84265058817841921eb59d13a
SHA1: f775412ce8d51fbce4d8b589a7bacb9470487daa
SHA256: 1c0e9c19952db42f2e8b9b8c158e1d761e1d58a548eda1b09984a510ed9c7541
SHA512: 105c9bdd3cbccd4c2b1b50f84e4322b7438d8896830157236c6276271528f89adafd8c71cc5645ce3829415e66e283ace9a37e844bb1ee0385f5c02716cc787f
SSDEEP: 12288:FgEZDdRJJSlTCRU2amM90djFPogwEl11SnuTCK8OiyZkx1bdi+S76q4tjjIy:FPQlTCRHdBPJ/Qn68OiyZiyR4tPIy
Malware Config

Extracted: cryptbot
  ewaumk24.top
  morzup02.top
payload_url: http://winqoz02.top/download.php?file=lv.exe
Signatures

CryptBot payload (7 IoCs)
Processes (resource: yara_rule):
  behavioral2/memory/3752-2-0x00000000020F0000-0x0000000002190000-memory.dmp: family_cryptbot
  behavioral2/memory/3752-3-0x0000000000400000-0x00000000004C1000-memory.dmp: family_cryptbot
  behavioral2/memory/3752-4-0x0000000000400000-0x00000000004C1000-memory.dmp: family_cryptbot
  behavioral2/memory/3752-5-0x0000000000400000-0x00000000004C1000-memory.dmp: family_cryptbot
  behavioral2/memory/3752-6-0x0000000000400000-0x00000000004C1000-memory.dmp: family_cryptbot
  behavioral2/memory/3752-8-0x00000000020F0000-0x0000000002190000-memory.dmp: family_cryptbot
  behavioral2/memory/3752-218-0x0000000000400000-0x00000000004C1000-memory.dmp: family_cryptbot

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: eace6cd84265058817841921eb59d13a.exe
  description        ioc                                                                                  process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     eace6cd84265058817841921eb59d13a.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString eace6cd84265058817841921eb59d13a.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: eace6cd84265058817841921eb59d13a.exe
  pid   process
  3752  eace6cd84265058817841921eb59d13a.exe
  3752  eace6cd84265058817841921eb59d13a.exe
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 38KB
MD5: 93967b40ff70c65b6c07ca32aa057e96
SHA1: 4da46c80aeb245b6ec95d1f338d5891a77798411
SHA256: f7fdedb4e9425e834885e5ef677a40c194091f93e4a1fbb70391dfb2a7d0508c
SHA512: 953e08f1f51eba35ea8c9f36be6b0c18f41dcc571d021f80afde97ed7702142ee1a30792395ca5418abbf1b5aee80b6c3f6da0fe2323327b51d29d7a9321f003

Filesize: 1KB
MD5: eb46e22df190419f833b99ac6675779d
SHA1: af5fb73f4b2b52c5f94bd3c62b8ee2bfbc8bd1cd
SHA256: 4e7ad5447b2188d37d4459186d392805c06144b0ab5fed958629e31dbbbd3ffa
SHA512: 5df3c6d3fcc910acff6265ee68554884543e80886b4f366498c268a554385d19daea22f4580470b324306c06b34706686b7ea996926beef3827fe5de9d48974c

Filesize: 1KB
MD5: 1d672df726b06220fd7bac4c8840bdfb
SHA1: 71a578615f193173e2ad6bd52eeac297b546a5bf
SHA256: cf50ef4a2b879dfa8848a558d44618dc605236629aa1e4f1c6a77ccc706d5e28
SHA512: 161def5f36af01cdaa3b24ac5588d384e48ccb59866c71aaa49258ddf383cd7efadf8e1821917f44db22fb4c3cd0b998e54ad7ec37b6212dbe176493a700cc50

Filesize: 4KB
MD5: 4d4f3ea884cf16a44bf2fb9381533330
SHA1: 044fb511d5796c88e44936f86790b51100f0b747
SHA256: 2fc4d58f9c68d9e1788588e3597085bf6815688812b0c8b289516cc043a374a4
SHA512: 347daae8d155295a76ee26585a8db5802967bc87b3fa36407cd3f6e8b9218f8b71cdbd4ce62f3cd10b46b4280e3576e05b967d9e466848a975b7bd9de56e7743

Filesize: 44KB
MD5: 6020ae6a78c026255896903896e41915
SHA1: 8150f91a97da34afd6f2b07522bdd46d57576e05
SHA256: b2ecad1518849cf10e5387c31ec06df01c4e947c68be265ea3c8cbfbaa45e297
SHA512: f7b052f7302e0e6fd0ae1b40515f4c21ff3d896161cbfae3c533740c3eeae61318d469d78be09171ec125ad59a7737a9ff6f723da1c873a9fa1d87fa966a769d

Filesize: 7KB
MD5: dfb9cd1c06fcd881d1ff965022d87759
SHA1: 890e18595754330da8666a810d768a9325520c07
SHA256: 75b5975347d08889fe3cf7cf9f759d954a3b0dcaf86165111ce5fbe5a7c718c8
SHA512: 36a4c5300cfe627375873dedda7ffc13e8cb9999b67d7d91a6adf04f08bbc3fa50af34c025eddb6ef06d947ad2bd64abfa05debec6c0a879af255c81e99dc5e9