Analysis
max time kernel: 193s
max time network: 215s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-01-2024 22:30
Static task: static1
Behavioral task: behavioral1
  Sample: 51c9d8f09a73802a05455e7aa8fd9953.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 51c9d8f09a73802a05455e7aa8fd9953.exe
  Resource: win10v2004-20231215-en
General
Target: 51c9d8f09a73802a05455e7aa8fd9953.exe
Size: 1.4MB
MD5: 51c9d8f09a73802a05455e7aa8fd9953
SHA1: 6510caf6fe4f5069acde292851de1c259ffe1c3f
SHA256: e2d38fff6489893582da7827bf3f5179f7ced39a1391f736ea55d86b695b8e82
SHA512: 3f865ce110a852cd0c1e88c4697d9c6fbd6fb403cf418a8f40a4375c6547d0069e40edbe04ced3c61d03c723167b8994dfcd3dcccccc5be6b9e94e8366025fd8
SSDEEP: 24576:MNAdKxA6xbbGhL56y6kX7wHkQaa9aA7CEbAj6tP4lWqDCbtOgbSekUhKuzfv:3dKa6xfGhL54kDuaAm4w52lGXxgX
Malware Config
Signatures

CryptBot payload (3 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/2588-28-0x0000000004E80000-0x0000000004F23000-memory.dmp  family_cryptbot
  behavioral2/memory/2588-29-0x0000000004E80000-0x0000000004F23000-memory.dmp  family_cryptbot
  behavioral2/memory/2588-30-0x0000000004E80000-0x0000000004F23000-memory.dmp  family_cryptbot

Executes dropped EXE (3 IoCs)
  Processes: Vigilanza.exe.com, Vigilanza.exe.com, Vigilanza.exe.com
  pid   process
  1936  Vigilanza.exe.com
  4364  Vigilanza.exe.com
  2588  Vigilanza.exe.com

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 51c9d8f09a73802a05455e7aa8fd9953.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  process: 51c9d8f09a73802a05455e7aa8fd9953.exe

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of FindShellTrayWindow (10 IoCs)
  Processes: Vigilanza.exe.com, Vigilanza.exe.com, Vigilanza.exe.com
  pid   process
  1936  Vigilanza.exe.com
  1936  Vigilanza.exe.com
  1936  Vigilanza.exe.com
  4364  Vigilanza.exe.com
  4364  Vigilanza.exe.com
  4364  Vigilanza.exe.com
  4364  Vigilanza.exe.com
  2588  Vigilanza.exe.com
  2588  Vigilanza.exe.com
  2588  Vigilanza.exe.com

Suspicious use of SendNotifyMessage (10 IoCs)
  Processes: Vigilanza.exe.com, Vigilanza.exe.com, Vigilanza.exe.com
  pid   process
  1936  Vigilanza.exe.com
  1936  Vigilanza.exe.com
  1936  Vigilanza.exe.com
  4364  Vigilanza.exe.com
  4364  Vigilanza.exe.com
  4364  Vigilanza.exe.com
  4364  Vigilanza.exe.com
  2588  Vigilanza.exe.com
  2588  Vigilanza.exe.com
  2588  Vigilanza.exe.com

Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: 51c9d8f09a73802a05455e7aa8fd9953.exe, cmd.exe, cmd.exe, Vigilanza.exe.com, Vigilanza.exe.com
  description                        pid   process                               target process
  PID 3604 wrote to memory of 2900   3604  51c9d8f09a73802a05455e7aa8fd9953.exe  dllhost.exe
  PID 3604 wrote to memory of 2900   3604  51c9d8f09a73802a05455e7aa8fd9953.exe  dllhost.exe
  PID 3604 wrote to memory of 2900   3604  51c9d8f09a73802a05455e7aa8fd9953.exe  dllhost.exe
  PID 3604 wrote to memory of 1816   3604  51c9d8f09a73802a05455e7aa8fd9953.exe  cmd.exe
  PID 3604 wrote to memory of 1816   3604  51c9d8f09a73802a05455e7aa8fd9953.exe  cmd.exe
  PID 3604 wrote to memory of 1816   3604  51c9d8f09a73802a05455e7aa8fd9953.exe  cmd.exe
  PID 1816 wrote to memory of 3552   1816  cmd.exe                               cmd.exe
  PID 1816 wrote to memory of 3552   1816  cmd.exe                               cmd.exe
  PID 1816 wrote to memory of 3552   1816  cmd.exe                               cmd.exe
  PID 3552 wrote to memory of 5020   3552  cmd.exe                               findstr.exe
  PID 3552 wrote to memory of 5020   3552  cmd.exe                               findstr.exe
  PID 3552 wrote to memory of 5020   3552  cmd.exe                               findstr.exe
  PID 3552 wrote to memory of 1936   3552  cmd.exe                               Vigilanza.exe.com
  PID 3552 wrote to memory of 1936   3552  cmd.exe                               Vigilanza.exe.com
  PID 3552 wrote to memory of 1936   3552  cmd.exe                               Vigilanza.exe.com
  PID 3552 wrote to memory of 412    3552  cmd.exe                               PING.EXE
  PID 3552 wrote to memory of 412    3552  cmd.exe                               PING.EXE
  PID 3552 wrote to memory of 412    3552  cmd.exe                               PING.EXE
  PID 1936 wrote to memory of 4364   1936  Vigilanza.exe.com                     Vigilanza.exe.com
  PID 1936 wrote to memory of 4364   1936  Vigilanza.exe.com                     Vigilanza.exe.com
  PID 1936 wrote to memory of 4364   1936  Vigilanza.exe.com                     Vigilanza.exe.com
  PID 4364 wrote to memory of 2588   4364  Vigilanza.exe.com                     Vigilanza.exe.com
  PID 4364 wrote to memory of 2588   4364  Vigilanza.exe.com                     Vigilanza.exe.com
  PID 4364 wrote to memory of 2588   4364  Vigilanza.exe.com                     Vigilanza.exe.com
Processes
(the number before each image is the process-tree depth as recorded by the sandbox)

[1] C:\Users\Admin\AppData\Local\Temp\51c9d8f09a73802a05455e7aa8fd9953.exe  (PID 3604)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\51c9d8f09a73802a05455e7aa8fd9953.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\dllhost.exe  (PID 2900)
      cmdline: dllhost.exe

  [2] C:\Windows\SysWOW64\cmd.exe  (PID 1816)
      cmdline: cmd /c cmd < Apparve.dif
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe  (PID 3552)
        cmdline: cmd
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\findstr.exe  (PID 5020)
          cmdline: findstr /V /R "^MUDMsvnAuDtONRMrwaGsxlhulYeCQOaTIUmgfUabcdKNJUYWSnXNYFQBGvCzzWKskkuSsbOiZpVrAmbdZuJsQEUetXHSaZ$" Abbozzo.dif

      [4] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com  (PID 1936)
          cmdline: Vigilanza.exe.com y
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com  (PID 4364)
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com y
            - Executes dropped EXE
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory

          [6] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com  (PID 2588)
              cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com y
              - Executes dropped EXE
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage

      [4] C:\Windows\SysWOW64\PING.EXE  (PID 412)
          cmdline: ping VFMDDVWB -n 30
          - Runs ping.exe
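The process tree above shows the delivery chain in four observable steps: cmd.exe is fed its command stream from a data file (cmd < Apparve.dif), findstr /V /R strips a single long marker line out of a second data file (Abbozzo.dif), a binary with a doubled extension (Vigilanza.exe.com) is launched from the wextract extraction directory IXP000.TMP, and ping against a name that cannot resolve with -n 30 serves as a delay. The wextract_cleanup0 RunOnce value in the Signatures section names that same directory for deletion at next logon. As an added example that is not part of this sandbox report, the Python below turns those observations into detection logic over process-creation events. The pid|ppid|image|cmdline field layout, the root process's parent pid (0) and the two benign control events are constructed assumptions, not data from the report; the sample's command lines are copied from the tree above.

```python
"""Heuristics over process-creation events for the delivery chain in the report
above: stdin-redirected cmd, findstr /V payload carving, a double-extension
executable run from a wextract IXP###.TMP directory, and ping used as a delay.
Added example, not part of the sandbox report.  The pid|ppid|image|cmdline
layout, the root's parent pid (0) and the two benign control events (8001,
8002) are assumptions made for this example."""
import re
from typing import Dict, List, Optional

# Constructed events modelled on the report's process tree (not a real log format).
EVENTS = """\
3604|0|C:\\Users\\Admin\\AppData\\Local\\Temp\\51c9d8f09a73802a05455e7aa8fd9953.exe|"C:\\Users\\Admin\\AppData\\Local\\Temp\\51c9d8f09a73802a05455e7aa8fd9953.exe"
2900|3604|C:\\Windows\\SysWOW64\\dllhost.exe|dllhost.exe
1816|3604|C:\\Windows\\SysWOW64\\cmd.exe|cmd /c cmd < Apparve.dif
3552|1816|C:\\Windows\\SysWOW64\\cmd.exe|cmd
5020|3552|C:\\Windows\\SysWOW64\\findstr.exe|findstr /V /R "^MUDMsvnAuDtONRMrwaGsxlhulYeCQOaTIUmgfUabcdKNJUYWSnXNYFQBGvCzzWKskkuSsbOiZpVrAmbdZuJsQEUetXHSaZ$" Abbozzo.dif
1936|3552|C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\Vigilanza.exe.com|Vigilanza.exe.com y
412|3552|C:\\Windows\\SysWOW64\\PING.EXE|ping VFMDDVWB -n 30
8001|8000|C:\\Windows\\System32\\findstr.exe|findstr /V /R "^#" config.ini
8002|8000|C:\\Windows\\System32\\PING.EXE|ping 8.8.8.8 -n 4
"""

# The RunOnce value from the report's Signatures section, with the report's
# backslash escaping undone (reconstructed for this example).
RUNONCE_VALUE = (
    r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 '
    r'"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'
)

STDIN_REDIRECT = re.compile(r"\bcmd(?:\.exe)?\s*<\s*\S+", re.I)           # cmd < file
FINDSTR_CARVE = re.compile(r'findstr\s+/V\s+/R\s+"\^[A-Za-z0-9]{32,}\$"\s+\S+', re.I)
DOUBLE_EXT = re.compile(r"\.exe\.(?:com|scr|pif|bat)$", re.I)             # name.exe.com
IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.I)    # wextract temp dir
PING = re.compile(r"\bping(?:\.exe)?\s+(\S+)\s+-n\s+(\d+)", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
WEXTRACT_CLEANUP = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.I)


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split pid|ppid|image|cmdline lines into dicts (cmdline may contain '|')."""
    out = []
    for line in text.splitlines():
        if line.strip():
            pid, ppid, image, cmdline = line.split("|", 3)
            out.append({"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline})
    return out


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {pid: [finding, ...]} for every event that trips a heuristic."""
    by_pid = {e["pid"]: e for e in events}
    findings: Dict[str, List[str]] = {}

    def hit(pid: str, msg: str) -> None:
        findings.setdefault(pid, []).append(msg)

    for e in events:
        pid, image, cmd = e["pid"], e["image"], e["cmdline"]
        base = _basename(image)
        if base == "cmd.exe" and STDIN_REDIRECT.search(cmd):
            hit(pid, "cmd.exe takes its command stream from a file via stdin redirection")
        if base == "findstr.exe" and FINDSTR_CARVE.search(cmd):
            hit(pid, "findstr /V /R strips one long marker line from a data file (payload carving)")
        if DOUBLE_EXT.search(image):
            hit(pid, "executable carries a second extension after .exe")
        if IXP_DIR.search(image):
            hit(pid, "runs from a wextract/IExpress IXP###.TMP extraction directory")
        m = PING.search(cmd)
        if base == "ping.exe" and m:
            target, count = m.group(1), int(m.group(2))
            parent = _basename(by_pid.get(e["ppid"], {}).get("image", ""))
            # Many attempts against a name that will not resolve is a sleep, not a connectivity test.
            suspicious_target = not IPV4.match(target) and target.lower() != "localhost"
            if count >= 10 and parent == "cmd.exe" and suspicious_target:
                hit(pid, f"ping {target} -n {count} spawned by cmd.exe is a delay loop")
    return findings


def wextract_cleanup_dir(value: str) -> Optional[str]:
    """Directory a wextract_cleanupN RunOnce value deletes at next logon, else None."""
    m = WEXTRACT_CLEANUP.search(value)
    return m.group(1).rstrip("\\") if m else None


def processes_in_cleanup_dir(events: List[Dict[str, str]], value: str) -> List[str]:
    """PIDs whose image lives inside the directory scheduled for deletion."""
    d = wextract_cleanup_dir(value)
    if d is None:
        return []
    prefix = d.lower() + "\\"
    return [e["pid"] for e in events if e["image"].lower().startswith(prefix)]


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    for pid, msgs in analyse(evs).items():
        for msg in msgs:
            print(f"pid {pid}: {msg}")
    print("dropped binaries in the cleanup dir:", processes_in_cleanup_dir(evs, RUNONCE_VALUE))
```

A wextract_cleanupN RunOnce entry on its own is not malicious: every IExpress/wextract self-extractor writes one so its temporary directory is removed. The signal here is the correlation, an executable with a doubled extension running out of the directory that RunOnce is about to delete, alongside the findstr carving and the ping delay in the same cmd.exe subtree. The two control events (a findstr that filters comment lines and a short ping to a public resolver) are included so the rules can be seen not to fire on ordinary use.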
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 872KB
MD5: 56be969732eb8d40539f4996f11003bf
SHA1: fde5e246db4e864deaba285db78c9bea50bcaf72
SHA256: 294c98105913e6507a1a9d64feb1a9954ee5a2c9f1240ee151ee711f73e36aec
SHA512: 5e60e4e0e4b4b46009232c71a91e70ac173bc8d507a6d9679ffb7f18c4b2481c61aff47746845a31ef4841b8b4d282f697292b488099a420fdfeb97c39ccbda7

Filesize: 491B
MD5: ed9121c7368700aa3cc49ba2d4c2e6b8
SHA1: b3b287d04addba4f3c58abdddf68fb6c6f05847e
SHA256: 85c9a4a8d0042e183d90b8effa79306da4d71e45ff103a3ba933bfe016897b9d
SHA512: 24c8965ca680407ab4e586ffdec988c60bd8bd9714ffccf186937411f6257e05b014a46dd208e1008760bf47851ccb6a762821686506948747d49cf89d677440

Filesize: 666KB
MD5: 8905857f90c02a6d4175cf169311a3ff
SHA1: 3cd095cf284ba240259a2f96189dc97f924e4772
SHA256: 5ee655b903a03727768eb421d9f7c4b1db02b88b96462d30bb6f903d80ea9d8a
SHA512: 824bf266770d08e68a7f544e99d8f51fd0f2c04a5a9ec97a2bd89d325857a4dce4be03e11f6f4adeb65d1a329e72fe01824cc8c8f6c75e90d732168e66e95075

Filesize: 634KB
MD5: dd0cd3862ffea01b0574e2fc841a9d0a
SHA1: 35a3d5df1f3f4199b0c38b9b1a341876b2121d3d
SHA256: fdfc18b03172b2755cc2d9412c6942864b23d2c1f9eb471637e6042ff692beea
SHA512: 0f10defb0a48827863b7ba710ca3ef0d2dc759bf7e0bdf426bfc35b3da371e4a69c60a90e69328844a994dea1ce8b52a6e55fb81df6710fb86309e4963653976

Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Filesize: 837KB
MD5: 487cd726828fd2a8790984213fc3df98
SHA1: 4cecb2986565869fce44f52347e8203f9c0f4768
SHA256: dcbf9008fe3a7b34cf20187b1a97c5094cbce6363d5173bcb61bae6055c8b9a4
SHA512: 93100ad0a485ec3e91b8b4fa65b33053b0a3e4229b0c00183c385c112dfb9dcd45bcb3c893ae95a8090cbdbe4aaa66c0eeeb0b07b8ba898ae9f14d14a8382b91