Analysis
max time kernel: 28s
max time network: 147s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 10-01-2024 22:30

Static task: static1
Behavioral task: behavioral1
  Sample: 51c9d8f09a73802a05455e7aa8fd9953.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 51c9d8f09a73802a05455e7aa8fd9953.exe
  Resource: win10v2004-20231215-en
General
Target: 51c9d8f09a73802a05455e7aa8fd9953.exe
Size: 1.4MB
MD5: 51c9d8f09a73802a05455e7aa8fd9953
SHA1: 6510caf6fe4f5069acde292851de1c259ffe1c3f
SHA256: e2d38fff6489893582da7827bf3f5179f7ced39a1391f736ea55d86b695b8e82
SHA512: 3f865ce110a852cd0c1e88c4697d9c6fbd6fb403cf418a8f40a4375c6547d0069e40edbe04ced3c61d03c723167b8994dfcd3dcccccc5be6b9e94e8366025fd8
SSDEEP: 24576:MNAdKxA6xbbGhL56y6kX7wHkQaa9aA7CEbAj6tP4lWqDCbtOgbSekUhKuzfv:3dKa6xfGhL54kDuaAm4w52lGXxgX
Malware Config
Extracted
cryptbot
lyswug41.top
morbyn04.top
payload_url: http://damhlu05.top/download.php?file=lv.exe
Signatures

CryptBot payload (5 IoCs)
Processes (resource | yara_rule):
behavioral1/memory/2672-28-0x0000000003830000-0x00000000038D3000-memory.dmp | family_cryptbot
behavioral1/memory/2672-29-0x0000000003830000-0x00000000038D3000-memory.dmp | family_cryptbot
behavioral1/memory/2672-30-0x0000000003830000-0x00000000038D3000-memory.dmp | family_cryptbot
behavioral1/memory/2672-31-0x0000000003830000-0x00000000038D3000-memory.dmp | family_cryptbot
behavioral1/memory/2672-256-0x0000000003830000-0x00000000038D3000-memory.dmp | family_cryptbot

Executes dropped EXE (2 IoCs)
Processes (pid | process):
2576 | Vigilanza.exe.com
2672 | Vigilanza.exe.com

Loads dropped DLL (2 IoCs)
Processes (pid | process):
2344 | cmd.exe
2576 | Vigilanza.exe.com

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 51c9d8f09a73802a05455e7aa8fd9953.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Vigilanza.exe.com
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Vigilanza.exe.com

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of FindShellTrayWindow (7 IoCs)
Processes (pid | process):
2576 | Vigilanza.exe.com
2576 | Vigilanza.exe.com
2576 | Vigilanza.exe.com
2672 | Vigilanza.exe.com
2672 | Vigilanza.exe.com
2672 | Vigilanza.exe.com
2672 | Vigilanza.exe.com

Suspicious use of SendNotifyMessage (6 IoCs)
Processes (pid | process):
2576 | Vigilanza.exe.com
2576 | Vigilanza.exe.com
2576 | Vigilanza.exe.com
2672 | Vigilanza.exe.com
2672 | Vigilanza.exe.com
2672 | Vigilanza.exe.com

Suspicious use of WriteProcessMemory (28 IoCs)
Processes (description | pid | process | target process):
PID 2660 wrote to memory of 2240 | 2660 | 51c9d8f09a73802a05455e7aa8fd9953.exe | dllhost.exe
PID 2660 wrote to memory of 2240 | 2660 | 51c9d8f09a73802a05455e7aa8fd9953.exe | dllhost.exe
PID 2660 wrote to memory of 2240 | 2660 | 51c9d8f09a73802a05455e7aa8fd9953.exe | dllhost.exe
PID 2660 wrote to memory of 2240 | 2660 | 51c9d8f09a73802a05455e7aa8fd9953.exe | dllhost.exe
PID 2660 wrote to memory of 2436 | 2660 | 51c9d8f09a73802a05455e7aa8fd9953.exe | cmd.exe
PID 2660 wrote to memory of 2436 | 2660 | 51c9d8f09a73802a05455e7aa8fd9953.exe | cmd.exe
PID 2660 wrote to memory of 2436 | 2660 | 51c9d8f09a73802a05455e7aa8fd9953.exe | cmd.exe
PID 2660 wrote to memory of 2436 | 2660 | 51c9d8f09a73802a05455e7aa8fd9953.exe | cmd.exe
PID 2436 wrote to memory of 2344 | 2436 | cmd.exe | cmd.exe
PID 2436 wrote to memory of 2344 | 2436 | cmd.exe | cmd.exe
PID 2436 wrote to memory of 2344 | 2436 | cmd.exe | cmd.exe
PID 2436 wrote to memory of 2344 | 2436 | cmd.exe | cmd.exe
PID 2344 wrote to memory of 2564 | 2344 | cmd.exe | findstr.exe
PID 2344 wrote to memory of 2564 | 2344 | cmd.exe | findstr.exe
PID 2344 wrote to memory of 2564 | 2344 | cmd.exe | findstr.exe
PID 2344 wrote to memory of 2564 | 2344 | cmd.exe | findstr.exe
PID 2344 wrote to memory of 2576 | 2344 | cmd.exe | Vigilanza.exe.com
PID 2344 wrote to memory of 2576 | 2344 | cmd.exe | Vigilanza.exe.com
PID 2344 wrote to memory of 2576 | 2344 | cmd.exe | Vigilanza.exe.com
PID 2344 wrote to memory of 2576 | 2344 | cmd.exe | Vigilanza.exe.com
PID 2344 wrote to memory of 2688 | 2344 | cmd.exe | PING.EXE
PID 2344 wrote to memory of 2688 | 2344 | cmd.exe | PING.EXE
PID 2344 wrote to memory of 2688 | 2344 | cmd.exe | PING.EXE
PID 2344 wrote to memory of 2688 | 2344 | cmd.exe | PING.EXE
PID 2576 wrote to memory of 2672 | 2576 | Vigilanza.exe.com | Vigilanza.exe.com
PID 2576 wrote to memory of 2672 | 2576 | Vigilanza.exe.com | Vigilanza.exe.com
PID 2576 wrote to memory of 2672 | 2576 | Vigilanza.exe.com | Vigilanza.exe.com
PID 2576 wrote to memory of 2672 | 2576 | Vigilanza.exe.com | Vigilanza.exe.com
Processes

C:\Users\Admin\AppData\Local\Temp\51c9d8f09a73802a05455e7aa8fd9953.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\51c9d8f09a73802a05455e7aa8fd9953.exe"
  PID: 2660
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c cmd < Apparve.dif
  PID: 2436
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\dllhost.exe
  Command line: dllhost.exe
  PID: 2240

C:\Windows\SysWOW64\PING.EXE
  Command line: ping SCFGBRBT -n 30
  PID: 2688
  - Runs ping.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com y
  PID: 2672
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com
  Command line: Vigilanza.exe.com y
  PID: 2576
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\findstr.exe
  Command line: findstr /V /R "^MUDMsvnAuDtONRMrwaGsxlhulYeCQOaTIUmgfUabcdKNJUYWSnXNYFQBGvCzzWKskkuSsbOiZpVrAmbdZuJsQEUetXHSaZ$" Abbozzo.dif
  PID: 2564

C:\Windows\SysWOW64\cmd.exe
  Command line: cmd
  PID: 2344
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads