Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
10-01-2024 02:17
Static task
static1
Behavioral task
behavioral1
Sample
4f50cf39b0256b79367090cc533779fc.exe
Resource
win7-20231215-en
General
-
Target
4f50cf39b0256b79367090cc533779fc.exe
-
Size
663KB
-
MD5
4f50cf39b0256b79367090cc533779fc
-
SHA1
c58c5148729bf780c4e9393bcbeb24bf0204d0da
-
SHA256
11f1b6976617dd9180c13e3605183f58ef4ddcf3c93a41ec43c1dbf03cf1e9f1
-
SHA512
f2353e75441e93fa8faf782eaaced021cff74ed918b0403a15f8e919053e1cd6a332b2a497db44ab39de5f644dc1baf35ac19c13d8eb717bfc00376dca871075
-
SSDEEP
12288:NgW9ndfZJ29rtCnMc+yX00dCfTBhpK7ohHliqQozxp9vXYYzwHdlaD4EMt:NfU9rtCnpTATjkUhFiqQc9vojHPa0EO
Malware Config
Extracted
cryptbot
ewaymo21.top
morzup02.top
-
payload_url
http://winqoz02.top/download.php?file=lv.exe
Signatures
-
CryptBot payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2232-2-0x0000000000540000-0x00000000005E0000-memory.dmp family_cryptbot behavioral1/memory/2232-3-0x0000000000400000-0x00000000004C1000-memory.dmp family_cryptbot behavioral1/memory/2232-221-0x0000000000400000-0x00000000004C1000-memory.dmp family_cryptbot -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
4f50cf39b0256b79367090cc533779fc.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 4f50cf39b0256b79367090cc533779fc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 4f50cf39b0256b79367090cc533779fc.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
4f50cf39b0256b79367090cc533779fc.exepid process 2232 4f50cf39b0256b79367090cc533779fc.exe 2232 4f50cf39b0256b79367090cc533779fc.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5bf9f0733d3d66ec0bcd9d75b3d2c8555
SHA13e1fb07807a018473d274c873e700852dc8d9bcc
SHA256ce587e531a70cf196223f335492c7d6ca59ac0b4445a793be6e7fdd872af2f0e
SHA5128d87df88d9f39c1cca24c4a14c6b3d476bdf828cdfd72b039292fa3051acc08ecaddca8bbdb81ef844b38245e0f768fde543b0a6ddb9decff04039b4e5a1512f
-
Filesize
1KB
MD52d48213848cf869f3cbfd0b014b87f35
SHA129424abad49648964102135a7207c0c82df0fc21
SHA25601d15ed82b481c0e6f8004901a6b29798e5a7f8d6625f7188da5e4bf89ea5b78
SHA5127a5aee0b338a3fc617ecd59e04c979283c9f2e110ef54599d96a45d1ab3f81d19dfa7568543012f1f086864430bfe742ba5446c5f8dee399e54c718b03e9f4f1
-
Filesize
6KB
MD5fdc33b63e72329231cae28979018033f
SHA1804be36cb2d9daa0efacc6bab028d4b67faaaaea
SHA2569bf99c888750571f7baef058beb00e633f487c5addcb016e687fd4b43a8a387e
SHA51202f65777a83daeff4d97eec8a9b1dc6ad877fe329fa868d5aabb72d7ab47fde359cf5d637fca954b722141fdc1b748f8a8f8f031dd5b9eff14bd6b31344af378
-
Filesize
44KB
MD5ed7ddda889be9a5e89f32878af5bd9d2
SHA1f344579f66d4ca19b2fc8c88a76873115a6249ca
SHA2567231e48f52880ac3094c2d3ba9831bd0eb4498f0086b9437d4d9d06144c12a14
SHA512c03f803cfd880b70b7071b26f0a960f73de4e727d82a1121a849e3e25a49bdf59633b1825eb568867d11fb2642f12bb8d997224657f5a666298ae578ba1d6303
-
Filesize
1KB
MD5ee2fc61dd1b99d9023027bd94ed76238
SHA177e5e714c9e873f39bc522ee42d01b1f7b1cf830
SHA2561dcd9767858111038ebe62dcce8313350e2d833f7ad2c1fa0ff5b511ffaef804
SHA5121ec379c240551c39c2264e80dbf5421a921e3c0b0a306b6c080a696c5f0b9523dfbcad824314e2727988f2c841e7017ae180fb258b079b477bc5aaf83cad5fb6
-
Filesize
2KB
MD53c9664603b45bfe06e159907c072dbc7
SHA1ba905b68673aec2f798445ed44166e1d108c3d3b
SHA256567d1e2e9551f876ea5e66d12d06c3ad5a1e42766a535cc103d491f09cf30287
SHA512b3da8b8a877e48e2549f2f0d688150d630a4cdeb703cb8be67637bb6e17c116628f7ef09358d3929348b350d3f987986312cbb0a168ad6209dcf0cf8c827149c
-
Filesize
6KB
MD538dd45697406ea402fc11de34ebf16d3
SHA1ae9827994e0cda4037af0c84a1c35036a27ebd3e
SHA2563d9166309dfe7a96271e4aaccf33b52ee03a4cbe21071c4a1b0987f30bb899a0
SHA512880841adffe071d3cf4d4275486318661dc35da5592435bd33997618439f5402deba94513fb95f9ea1019fef9bb0d0450b455fd4a75bfd51a788ba1fecd8a2df
-
Filesize
37KB
MD5d258bfbbb4c4cdce5b6217bba071a675
SHA118275e3c0abed32906ea7411cea02f94662d1917
SHA256fc59407576d0de2f301d088c6bb9028e2a50d5a9f63e86ccc793f0e521ae0a33
SHA512d77cb16986ae0f7ce006b7fe27f8fb4bc87737a63eb6fdbeaa31c85cc84269a698814f87ccc521704d0dad01732f3734887decfae4e0ebe013840999a73b56c2