Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
10-01-2024 02:17
Static task
static1
Behavioral task
behavioral1
Sample
4f50cf39b0256b79367090cc533779fc.exe
Resource
win7-20231215-en
General
-
Target
4f50cf39b0256b79367090cc533779fc.exe
-
Size
663KB
-
MD5
4f50cf39b0256b79367090cc533779fc
-
SHA1
c58c5148729bf780c4e9393bcbeb24bf0204d0da
-
SHA256
11f1b6976617dd9180c13e3605183f58ef4ddcf3c93a41ec43c1dbf03cf1e9f1
-
SHA512
f2353e75441e93fa8faf782eaaced021cff74ed918b0403a15f8e919053e1cd6a332b2a497db44ab39de5f644dc1baf35ac19c13d8eb717bfc00376dca871075
-
SSDEEP
12288:NgW9ndfZJ29rtCnMc+yX00dCfTBhpK7ohHliqQozxp9vXYYzwHdlaD4EMt:NfU9rtCnpTATjkUhFiqQc9vojHPa0EO
Malware Config
Extracted
cryptbot
ewaymo21.top
morzup02.top
-
payload_url
http://winqoz02.top/download.php?file=lv.exe
Signatures
-
CryptBot payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/2900-2-0x0000000002290000-0x0000000002330000-memory.dmp family_cryptbot behavioral2/memory/2900-3-0x0000000000400000-0x00000000004C1000-memory.dmp family_cryptbot behavioral2/memory/2900-207-0x0000000000400000-0x00000000004C1000-memory.dmp family_cryptbot behavioral2/memory/2900-212-0x0000000002290000-0x0000000002330000-memory.dmp family_cryptbot -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
4f50cf39b0256b79367090cc533779fc.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 4f50cf39b0256b79367090cc533779fc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 4f50cf39b0256b79367090cc533779fc.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
4f50cf39b0256b79367090cc533779fc.exepid process 2900 4f50cf39b0256b79367090cc533779fc.exe 2900 4f50cf39b0256b79367090cc533779fc.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
44KB
MD515d9f6ad06ae01356bb9fa493e4895d7
SHA1e0747ac5f2a700b9c2cd195a2f60ac6f307a4054
SHA2560fe60309812e7ae43e97492b414dd555a7246bc277bddd840a99077a5d00b2ef
SHA512765021bf55211bcf689b01362e68c3ed1121841fbee77638be290bfe58d61481ca30d68566bc001f8caad25017e829f43def76c198a4913ea79995016d44c2f4
-
Filesize
1KB
MD51c42196f5081d63a9fc8cbba4d3aeb81
SHA1c2420001382fbd9dd509d40b1abb13267e88333f
SHA25675389a097bc0cfcfdd7e355f2d6ca46c7ef8f8abc90fa58fc698fa3b41c7fa1f
SHA512c7e91e2f6e685f6bfd96425ea5912a2e5cc5d82def72bb6843c8ee6e8b55f807dd9840541c27413e4be10ee13dba6d04de6d81dce6541edd8f7d9d8d3bbd4c3c
-
Filesize
1KB
MD568b89c2923f8ea8f4485ee96bc4f47d8
SHA1e8d19164800ae594880a47ac09bd0507e75071db
SHA2560cda1bd913545739e6f2b00489e546ee35ac1ac2049659b15e1512d27773ed98
SHA5123aec31038c92090fb69a7389722a5579b1b38059e5142513cfb5f979cfdb0af007588c25afe00be46dbb33864f60d9082796d62a7ea1b12da35d0fb5f647820c
-
Filesize
2KB
MD5e1f90efa61a6567d25f43c4dcc6fba07
SHA16f7c9714c0f457daab1443855beab22511b88026
SHA2563cb2748e858a534155cdcb6fb551859468180aae6a95381704611befa8408749
SHA512ae45d9e613fdbd091ecdffeae84006639b040742331443f63bf814b23e33ba1e2ce45a29c8b8ee207bee9083b2d6ed2c1ecfb45c1634a0e7094439dc8b295ced
-
Filesize
4KB
MD56c1036dd7c203a463d58767bb8949d69
SHA1867f2cb419f070c72d1d9cbaa9588cc853f98469
SHA256e5cff436556957154925cd1e50f15ab852484d4640d7b1608f1bc2fbbe16ae85
SHA512cf75d223615181b15e60e0c2bb8ab914eb41bfa972aa5edd0e8fa52ba334410faa26629f5cbde4f9a26f87bda2a46c023daf08ba89f54e2247182bf440d6c092
-
Filesize
50KB
MD54ccc6b691f53c6f7be0d94e0151899a7
SHA122cce274a78d23ac0d0edb4ebf96a45d4161fee9
SHA2562b29d2a3cc6206668524078dc2d74082fa5dd498c3c4868282fbb9d07a289d51
SHA512c9b2afc7f30e2a259199b1a694e58751e06473f97a268bc7e988d7244cea07b6b977238165fae7b909e1bc341a403606cb5623e1e9db528fea437fe011309543
-
Filesize
1KB
MD57f8f39af30d9e553df2c6128946a7be8
SHA1b4a4435dc75c83557a884785e152ac4bf59a98d5
SHA2568d67bd2f2130a7c642b6f77220d43b580c850c46532278f9d00768245dcd74da
SHA512b9cb3cfd8e299ceeded74fb2995902ed106ed798d5f27980a5e1991e3ac10f9d6d5dbe5f64ed6caa4137eaa23c1db3519302bc650231dca2a0e7773bf74d5a38
-
Filesize
2KB
MD5d850a314d791766451cdb9ce49d393c0
SHA1d1ed83a4e976efdf860230fb7323d6715e1b87eb
SHA25610accfba71b9bd46fb227b2f0c5371785494974deab43462171e8ae0008b0323
SHA512a1d2c5724b73c6bd2207e73097fdd515e6f95fee0dd1a369440278dde0861cc4bbf44fe365b124bed13fafa75f5bc485cd4fbb2a58f9b0828259327d74ea1ce7
-
Filesize
4KB
MD5142204b8ce5c299c2e91734f0535fc66
SHA1085fcdb55a317cc4a4bae37faec07ecfaf410b2c
SHA256d2e3e1c512e262480f5031376c48b05b609d3d97f9b44d9cf975a321a15ea1af
SHA512a93975c8e21641cb46fc96367b6247f2ae3694eedba85745aa78095d3b1bf0f409358bc8d7582d0e54940e1389d7e45deea252b31525de96b926678de6606c57
-
Filesize
44KB
MD5e22f5718b98363f2901ebac25779295a
SHA101bb09728ddadcecd92bb0d90da775c1422ae27c
SHA25670e67d84ec1cb25b6d246e9d532f5beca1171f63ff73e97c1f2568d41be7cf35
SHA51225be9250688f49051c66760d80495a127318022a4575b3d476d63a68d45737610bd923567d6de2ff5f499f92b0d577462f56a70349f1b58732ddff3e10c9efb6