Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
10-01-2024 14:06
Static task
static1
Behavioral task
behavioral1
Sample
50c296575066f87cac60995fc36f2283.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
50c296575066f87cac60995fc36f2283.exe
Resource
win10v2004-20231222-en
General
-
Target
50c296575066f87cac60995fc36f2283.exe
-
Size
1.5MB
-
MD5
50c296575066f87cac60995fc36f2283
-
SHA1
0f058485c10dbd26312f71ad60319bc97362a914
-
SHA256
e29a9d4153912e41bbd5afc00aa90e7612107708fe59ac05c1d9e8b184a254c5
-
SHA512
e3f352aee496bca5b7c37fc80ca2c3fd52d5cb190d51da5e62d4aa2a9bc2ea9a7aa3a8f0f8f45d94056f97289f03b6aedb8d1f7844c590df815dfa043acb8bee
-
SSDEEP
24576:c5rTNMBS+/dlYP2z9FEI/TXN8ad8XjzqKrhSEqcG0EUNvb8zkQXXc/3lLwiPb:6NoS+/QP2JFZTXN8/qe80EYgkQ8NLwi
Malware Config
Extracted
cryptbot
ewavmp35.top
morxeg03.top
-
payload_url
http://winxob04.top/download.php?file=lv.exe
Signatures
-
CryptBot payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2632-28-0x0000000003930000-0x00000000039D3000-memory.dmp family_cryptbot behavioral1/memory/2632-29-0x0000000003930000-0x00000000039D3000-memory.dmp family_cryptbot behavioral1/memory/2632-30-0x0000000003930000-0x00000000039D3000-memory.dmp family_cryptbot behavioral1/memory/2632-31-0x0000000003930000-0x00000000039D3000-memory.dmp family_cryptbot behavioral1/memory/2632-256-0x0000000003930000-0x00000000039D3000-memory.dmp family_cryptbot -
Executes dropped EXE 2 IoCs
Processes:
Paragone.exe.comParagone.exe.compid process 2944 Paragone.exe.com 2632 Paragone.exe.com -
Loads dropped DLL 2 IoCs
Processes:
cmd.exeParagone.exe.compid process 2700 cmd.exe 2944 Paragone.exe.com -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
50c296575066f87cac60995fc36f2283.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 50c296575066f87cac60995fc36f2283.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Paragone.exe.comdescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Paragone.exe.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Paragone.exe.com -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Paragone.exe.compid process 2632 Paragone.exe.com 2632 Paragone.exe.com -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
50c296575066f87cac60995fc36f2283.execmd.execmd.exeParagone.exe.comdescription pid process target process PID 2784 wrote to memory of 2856 2784 50c296575066f87cac60995fc36f2283.exe cmd.exe PID 2784 wrote to memory of 2856 2784 50c296575066f87cac60995fc36f2283.exe cmd.exe PID 2784 wrote to memory of 2856 2784 50c296575066f87cac60995fc36f2283.exe cmd.exe PID 2784 wrote to memory of 2856 2784 50c296575066f87cac60995fc36f2283.exe cmd.exe PID 2784 wrote to memory of 2936 2784 50c296575066f87cac60995fc36f2283.exe cmd.exe PID 2784 wrote to memory of 2936 2784 50c296575066f87cac60995fc36f2283.exe cmd.exe PID 2784 wrote to memory of 2936 2784 50c296575066f87cac60995fc36f2283.exe cmd.exe PID 2784 wrote to memory of 2936 2784 50c296575066f87cac60995fc36f2283.exe cmd.exe PID 2936 wrote to memory of 2700 2936 cmd.exe cmd.exe PID 2936 wrote to memory of 2700 2936 cmd.exe cmd.exe PID 2936 wrote to memory of 2700 2936 cmd.exe cmd.exe PID 2936 wrote to memory of 2700 2936 cmd.exe cmd.exe PID 2700 wrote to memory of 2356 2700 cmd.exe findstr.exe PID 2700 wrote to memory of 2356 2700 cmd.exe findstr.exe PID 2700 wrote to memory of 2356 2700 cmd.exe findstr.exe PID 2700 wrote to memory of 2356 2700 cmd.exe findstr.exe PID 2700 wrote to memory of 2944 2700 cmd.exe Paragone.exe.com PID 2700 wrote to memory of 2944 2700 cmd.exe Paragone.exe.com PID 2700 wrote to memory of 2944 2700 cmd.exe Paragone.exe.com PID 2700 wrote to memory of 2944 2700 cmd.exe Paragone.exe.com PID 2700 wrote to memory of 2840 2700 cmd.exe choice.exe PID 2700 wrote to memory of 2840 2700 cmd.exe choice.exe PID 2700 wrote to memory of 2840 2700 cmd.exe choice.exe PID 2700 wrote to memory of 2840 2700 cmd.exe choice.exe PID 2944 wrote to memory of 2632 2944 Paragone.exe.com Paragone.exe.com PID 2944 wrote to memory of 2632 2944 Paragone.exe.com Paragone.exe.com PID 2944 wrote to memory of 2632 2944 Paragone.exe.com Paragone.exe.com PID 2944 wrote to memory of 2632 2944 Paragone.exe.com Paragone.exe.com
Processes
-
C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe"C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\cmd.execmd /c tiXdycNz2⤵PID:2856
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Strette.xlsx2⤵
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\cmd.execmd3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^laMWhvksTZufNgRLOGoYXOkgswRMErhJdMoiGZuHMPnSqspgtJOeDtecibFkFmNPLvZwyJyOABkidagZRCHUglujJMqpxUejwIiDaopcEZCeSUyOpGzeSTBAdMsaIWxFnYuIkKGJzkdgIrzPHjqOA$" Divina.xlsx4⤵PID:2356
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.comParagone.exe.com X4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com X5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2632 -
C:\Windows\SysWOW64\choice.exechoice /C YN /D Y /t 304⤵PID:2840
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
634KB
MD5654b8464e8ffbaa8b9a995bd9b07a795
SHA15b23bc6200d0539b022326fb5c5235ce5ef6f315
SHA256297d9cc7db8c6b0ab3b610058e4120cbfa72644da03bc64bd0f25a53f28f90e7
SHA512897d9d1c2c78d1b219038f2cba37431bb27e3631a1ea883c3fa10118e5431cceed32a35cb88b32f127b33eacd032eb95c04dd24271c8b2f4ae29d34917df4b83
-
Filesize
872KB
MD57e838a077a5ed054205287d0d5ca9ace
SHA1b9ca91486439662c84282168bcbda4618aed4c6f
SHA256573a8b873599956be67fb1c31a4dde816cdaf655a670c0c023eb11c46bacceb8
SHA512da81e23e7b185f84312e8282748eec3452b586b0e8cd36d9eae9589eb26addfa867f057be5ba991c93050921240fbf368157e303b9738605c75b1c034079b0b2
-
Filesize
522B
MD5928787182b7f173bcb88f66b3ab6f345
SHA1cd69133e9346473ae8a3ccbb49fa9543d6c3eda4
SHA256aeca99c120cabc3470eb1b1636afbcfea6dd4cb6ca2233daf2480d0f599a155f
SHA5126c05eb5ca70c386e9022e45814f978e2883576a25603f7ca290781b13a2f395e3dd0c3bb8360b250350eaa2bf2686dbb9e42b782bd29c7a3d667a3d15cc5b237
-
Filesize
821KB
MD5e1506e5dcdc0f4550746cc66fa1b0fd6
SHA19b2f34ba860da15aedbfa048d5532e536e484b53
SHA25691bf426997f7c07d0c6a62714d29481443e1e7a3719ee3ccfb362782a960b721
SHA512ccf1c4fd30eb80a7e8186f7533d32540600344f63a709dc8e1cf5ed88bddd13139d85b9a3bcc3114d772bf24a88664e436af1f1556ea64a7ce87e1e9de522dfd
-
Filesize
639KB
MD52b39e954b2c28ab3d5c45966b3044c26
SHA172a51b8a7164a2ea739f7bf8615e2cd44bfa2ef2
SHA256564e834763d60164deac8fce4c543a67d6d5e30dd497e02483718cd018df9ada
SHA51293be2e9497ccd9c1822f8670f5e30d0612a39a55e104864a944f270f8817bd1f88c4291561a6595866f574488ade5d110b896a7f8af70e07d52f2d6b2bd99dbc
-
Filesize
1KB
MD5a19344d35e6ece6c3f4830321e68b5d8
SHA195012a86592eb7d1a7fe8b7cada6ccbd90a62056
SHA256f68533a59bf5b8d5206162ce4cdbe18b6ee1329009676c57862babbb1bfdba79
SHA512982c1ef4227249837cd3c5b4b693b4f956871acf611451e5d31ef240e2ef7116876f2e3c63fb5c01b3a5855dd108fb84ee37274e03845058b28a3acdd45f1078
-
Filesize
8KB
MD59b5b4e21e2a046a102978b634fcc32fb
SHA1a161dfed9533727342ac6a1e052a38b98ad6f320
SHA2564a2a38ab41f5c9250afe11e2dd5d926a2305c56470a1c14c6918efc24a4d717d
SHA5126b01143a1aaf0cbd3288010a735f1d5d40bfbcb85db263fc27bae9811848c30687caf220953020c268f9c2254d7661373e61930aa18940e3e6efb5805d94a10a
-
Filesize
48KB
MD547ad9498944445e669e87a051b2dcc64
SHA192f052ade793980a51af0f2e8d20899fc4f5e696
SHA25683b07e3c052f7e93c0c834e84c739c3c153fd5fadb1a72be60ececf95b33ba91
SHA51205a62213d7c543ffad501981f385d9cd04fa2b8d8549b7c895fa18a009fb5fb404386a3a13652ce3146e0bfc065f4c2f3cff267d4a7154e182aa3400016ad5a1
-
Filesize
1KB
MD5aee53725f461db953a137675c26cd5a4
SHA1ac2d0c6790e5205fda1c3f3e77836e090906ca94
SHA256cbfb45d7d428afc0b1bc61a34d46c263dda07639b00f87cf44e3207f5be409da
SHA51211bb0c4c13deeef12e96b657fdd84d8ff941dd940b80e6196201d68f0378f407a3888f054f690049cf591a51c9226f54fd1cf37f3857bde6a2ce1fa70fe19b0e
-
Filesize
3KB
MD5e11d3a9611a882d37f766aa75c13c34f
SHA16668709198d2862a3eecbd1453f59dad5b721f73
SHA256d841d5dac74753177ab66b76eef4b16fa4858705dac7b61c02a1730e3fcdd0b1
SHA5124654992e7e85df6079ebd57e6f0f006660f19f4a6b7d433f4012be64b95cc99a01e143ae0ead66555b6951b2c93d32cb62cc13cb7c86b589d796bfa1d9b60092
-
Filesize
5KB
MD5b49ee2abae972ed6b3a8da8dcb876fd4
SHA1253148da8852f210933eb501b2e486a0bf7ca1c2
SHA256f0ed8a41f9fd639fec763f2552f101733b389fd486e77b72f85984c2b5ae1424
SHA512be2a17c83138646f436fb6d2fb4f4c47e8a6ab963db58a750116df803f2137074f1c73a14f01af23adeed542b5943d4e8dabfdc133ee55ff0b1287f7e3e5bc91
-
Filesize
680KB
MD51052a347be85d91af0845067bdb0a507
SHA18ecf6739eb1d0b768ca66555df577d6c38be2326
SHA2563e119cb26b1f8770dcf4212d694d2b6f28d0a762339a580a4b6a2358dc711024
SHA5128b982aad88fb3d7a0304c5481709495423a48aa063cc7a995630e9c830b4c98a681b0482a394ccad032ec9b75a67d756505d39df45a2927f559abf10a8603bd1
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c