Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-01-2024 14:06
Static task: static1
Behavioral task: behavioral1
- Sample: 50c296575066f87cac60995fc36f2283.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2 (the signatures, IoCs and process tree below are from this task)
- Sample: 50c296575066f87cac60995fc36f2283.exe
- Resource: win10v2004-20231222-en
General
- Target: 50c296575066f87cac60995fc36f2283.exe
- Size: 1.5MB
- MD5: 50c296575066f87cac60995fc36f2283
- SHA1: 0f058485c10dbd26312f71ad60319bc97362a914
- SHA256: e29a9d4153912e41bbd5afc00aa90e7612107708fe59ac05c1d9e8b184a254c5
- SHA512: e3f352aee496bca5b7c37fc80ca2c3fd52d5cb190d51da5e62d4aa2a9bc2ea9a7aa3a8f0f8f45d94056f97289f03b6aedb8d1f7844c590df815dfa043acb8bee
- SSDEEP: 24576:c5rTNMBS+/dlYP2z9FEI/TXN8ad8XjzqKrhSEqcG0EUNvb8zkQXXc/3lLwiPb:6NoS+/QP2JFZTXN8/qe80EYgkQ8NLwi
Malware Config
Extracted family: cryptbot
- Domains: ewavmp35.top, morxeg03.top
- payload_url: http://winxob04.top/download.php?file=lv.exe
Signatures
-
CryptBot payload (5 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/4828-26-0x0000000000830000-0x00000000008D3000-memory.dmp   family_cryptbot
  behavioral2/memory/4828-27-0x0000000000830000-0x00000000008D3000-memory.dmp   family_cryptbot
  behavioral2/memory/4828-28-0x0000000000830000-0x00000000008D3000-memory.dmp   family_cryptbot
  behavioral2/memory/4828-29-0x0000000000830000-0x00000000008D3000-memory.dmp   family_cryptbot
  behavioral2/memory/4828-236-0x0000000000830000-0x00000000008D3000-memory.dmp  family_cryptbot
All five hits are the same memory region of PID 4828 (the second Paragone.exe.com instance), 0x830000 to 0x8D3000 (0xA3000 bytes, about 652 KB), captured in five separate dump entries. This is one in-memory CryptBot payload matched repeatedly, not five distinct payloads.
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  2460  Paragone.exe.com
  4828  Paragone.exe.com
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                   process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\""   50c296575066f87cac60995fc36f2283.exe
Caveat: despite the signature name, this is a RunOnce entry, and wextract_cleanup0 is the value the Windows IExpress self-extractor (wextract) writes so that its temporary extraction directory is deleted at the next logon. It identifies the sample as an IExpress SFX package that unpacked into IXP000.TMP; it does not re-launch the payload and is not persistence for CryptBot.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                   process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Paragone.exe.com
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Paragone.exe.com
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid   process
  4828  Paragone.exe.com
  4828  Paragone.exe.com
Suspicious use of WriteProcessMemory (21 IoCs)
Processes (each parent-to-child write was logged three times; collapsed here with a count):
  source PID  source process                         target PID  target process     writes
  2216        50c296575066f87cac60995fc36f2283.exe   4784        cmd.exe            3
  2216        50c296575066f87cac60995fc36f2283.exe   2856        cmd.exe            3
  2856        cmd.exe                                2536        cmd.exe            3
  2536        cmd.exe                                2284        findstr.exe        3
  2536        cmd.exe                                2460        Paragone.exe.com   3
  2536        cmd.exe                                4992        choice.exe         3
  2460        Paragone.exe.com                       4828        Paragone.exe.com   3
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\50c296575066f87cac60995fc36f2283.exe"
   PID: 2216
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c tiXdycNz
      PID: 4784
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c cmd < Strette.xlsx
      PID: 2856
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd
         PID: 2536
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\findstr.exe
            Command line: findstr /V /R "^laMWhvksTZufNgRLOGoYXOkgswRMErhJdMoiGZuHMPnSqspgtJOeDtecibFkFmNPLvZwyJyOABkidagZRCHUglujJMqpxUejwIiDaopcEZCeSUyOpGzeSTBAdMsaIWxFnYuIkKGJzkdgIrzPHjqOA$" Divina.xlsx
            PID: 2284
         4. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com
            Command line: Paragone.exe.com X
            PID: 2460
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com
               Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Paragone.exe.com X
               PID: 4828
               - Executes dropped EXE
               - Checks processor information in registry
               - Suspicious use of FindShellTrayWindow
         4. C:\Windows\SysWOW64\choice.exe
            Command line: choice /C YN /D Y /t 30
            PID: 4992
Reading the tree: the top-level executable is the IExpress SFX, which unpacks into IXP000.TMP and runs a batch script. "cmd < Strette.xlsx" feeds cmd.exe a script stored under a spreadsheet extension; "findstr /V /R "^...$" Divina.xlsx" prints every line of Divina.xlsx except the one matching the anchored marker pattern (where that output is redirected is not shown on this page); "choice /C YN /D Y /t 30" is a 30-second delay that auto-answers Y, a common batch-file substitute for sleep; and Paragone.exe.com (a double-extension binary from the extraction directory) launches a second copy of itself, which is the instance the CryptBot memory rule and the sandbox-evasion registry reads are attributed to.
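Detection logic for the chain in the process tree above, as an added example written for this page (it is not sandbox output and not the malware's code). It replays constructed process-creation events copied from the tree, recovers the SFX extraction directory from the wextract_cleanup0 RunOnce value, and flags a process tree that trips three or more of five heuristics. The parent PID 1000 for the top process, the ProcEvent field names, the rule names and the 3-of-5 threshold are this example's own assumptions.

```python
"""Flag the IExpress (wextract) dropper chain shown in this report from
process-creation telemetry.  Added example, not sandbox output: the events
below are constructed from the page's process tree, and the field names,
rule names and 3-of-5 threshold are this example's own choices."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events mirroring the process tree above (PIDs and
# command lines from the page; the parent of PID 2216 is assumed to be 1000).
MARKER = ("laMWhvksTZufNgRLOGoYXOkgswRMErhJdMoiGZuHMPnSqspgtJOeDtecibFkFmNPLvZwyJ"
          "yOABkidagZRCHUglujJMqpxUejwIiDaopcEZCeSUyOpGzeSTBAdMsaIWxFnYuIkKGJzkdgIrzPHjqOA")
TMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    ProcEvent(2216, 1000, TMP + r"\50c296575066f87cac60995fc36f2283.exe",
              '"' + TMP + r'\50c296575066f87cac60995fc36f2283.exe"'),
    ProcEvent(4784, 2216, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c tiXdycNz"),
    ProcEvent(2856, 2216, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c cmd < Strette.xlsx"),
    ProcEvent(2536, 2856, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    ProcEvent(2284, 2536, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /V /R "^' + MARKER + '$" Divina.xlsx'),
    ProcEvent(2460, 2536, TMP + r"\IXP000.TMP\Paragone.exe.com", "Paragone.exe.com X"),
    ProcEvent(4992, 2536, r"C:\Windows\SysWOW64\choice.exe", "choice /C YN /D Y /t 30"),
    ProcEvent(4828, 2460, TMP + r"\IXP000.TMP\Paragone.exe.com",
              TMP + r"\IXP000.TMP\Paragone.exe.com X"),
]

# The RunOnce value from the "Adds Run key" signature.  wextract writes it so
# its extraction directory is deleted at next logon; for us it reveals where
# the SFX unpacked, i.e. where the payload should be running from.
RUNONCE_VALUE = (r"rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "
                 r'"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"')


def extraction_dir(runonce_value: str) -> Optional[str]:
    """Recover the SFX extraction directory from wextract's cleanup command."""
    m = re.search(r'DelNodeRunDLL32\s+"([^"]+)"', runonce_value)
    return m.group(1).rstrip("\\") if m else None


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def rule_hits(e: ProcEvent, sfx_dir: Optional[str]) -> List[str]:
    """Return the names of the heuristics this single event matches."""
    hits = []
    name, cmd = _basename(e.image), e.cmdline
    # cmd.exe reading its script from stdin out of a "document": the batch
    # file is hidden behind a non-script extension.
    if name == "cmd.exe" and re.search(r"<\s*[\w.\\-]+\.(xlsx|docx|pdf|jpe?g|png|txt)\b", cmd, re.I):
        hits.append("cmd_stdin_from_document")
    # findstr /V with an anchored ^...$ pattern prints every line except the
    # marker line, the usual way to carve a payload out of a carrier file.
    if name == "findstr.exe" and re.search(r"/V\b", cmd, re.I) and re.search(r'"\^[^"]*\$"', cmd):
        hits.append("findstr_inverse_marker_filter")
    # Double extension such as Paragone.exe.com.
    if name.endswith(".exe.com"):
        hits.append("double_extension_exe_com")
    # choice /t N with a default answer is a batch-file sleep.
    if name == "choice.exe" and re.search(r"/t\s+\d+", cmd, re.I):
        hits.append("choice_timeout_as_sleep")
    # Anything executing out of the wextract temp directory is SFX content.
    if sfx_dir and e.image.lower().startswith(sfx_dir.lower() + "\\"):
        hits.append("runs_from_sfx_extraction_dir")
    return hits


def root_pid(events: List[ProcEvent], pid: int) -> int:
    """Walk parent links up to the oldest ancestor present in the event set."""
    by_pid = {e.pid: e for e in events}
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
    return pid


def detect(events: List[ProcEvent], runonce_value: Optional[str] = None,
           min_rules: int = 3) -> Dict[int, Dict[str, List[int]]]:
    """Group rule hits by process-tree root and report roots that trip at
    least min_rules distinct heuristics.  Result: {root_pid: {rule: [pids]}}."""
    sfx_dir = extraction_dir(runonce_value) if runonce_value else None
    per_root: Dict[int, Dict[str, List[int]]] = defaultdict(dict)
    for e in events:
        for rule in rule_hits(e, sfx_dir):
            per_root[root_pid(events, e.pid)].setdefault(rule, []).append(e.pid)
    return {root: rules for root, rules in per_root.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for root, rules in detect(EVENTS, RUNONCE_VALUE).items():
        print(f"root PID {root} matched {len(rules)} heuristics:")
        for rule, pids in rules.items():
            print(f"  {rule}: {pids}")
```

Scoring per process tree rather than per event is the point: none of these five behaviours is malicious on its own (findstr /V and choice /t both appear in legitimate batch scripts), but a single tree that reads a script from a spreadsheet, filters a carrier file, sleeps with choice and runs a .exe.com binary out of an IExpress temp directory is the dropper pattern on this page. Feeding it the RunOnce value is optional; without it the tree still trips four rules.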
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 634KB
MD5: 654b8464e8ffbaa8b9a995bd9b07a795
SHA1: 5b23bc6200d0539b022326fb5c5235ce5ef6f315
SHA256: 297d9cc7db8c6b0ab3b610058e4120cbfa72644da03bc64bd0f25a53f28f90e7
SHA512: 897d9d1c2c78d1b219038f2cba37431bb27e3631a1ea883c3fa10118e5431cceed32a35cb88b32f127b33eacd032eb95c04dd24271c8b2f4ae29d34917df4b83
-
Filesize: 136KB
MD5: 212697b8c163be4b00f170a62b7cec8d
SHA1: 5987cd1c5cd04104d37eeb9aa87ce445a5621e72
SHA256: 0f7b957d1145cc2281a372fb47bda1ecae77caa67353cb2791768a62b9bd69e5
SHA512: 31327d7cdae9677f7865d14bb70c70b404cde64398f241a092ff52756628a04531c8d80f654f519c57f616c155b275fe745a31694627533ff80a50b867af6fc1
-
Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize: 522B
MD5: 928787182b7f173bcb88f66b3ab6f345
SHA1: cd69133e9346473ae8a3ccbb49fa9543d6c3eda4
SHA256: aeca99c120cabc3470eb1b1636afbcfea6dd4cb6ca2233daf2480d0f599a155f
SHA512: 6c05eb5ca70c386e9022e45814f978e2883576a25603f7ca290781b13a2f395e3dd0c3bb8360b250350eaa2bf2686dbb9e42b782bd29c7a3d667a3d15cc5b237
-
Filesize: 821KB
MD5: e1506e5dcdc0f4550746cc66fa1b0fd6
SHA1: 9b2f34ba860da15aedbfa048d5532e536e484b53
SHA256: 91bf426997f7c07d0c6a62714d29481443e1e7a3719ee3ccfb362782a960b721
SHA512: ccf1c4fd30eb80a7e8186f7533d32540600344f63a709dc8e1cf5ed88bddd13139d85b9a3bcc3114d772bf24a88664e436af1f1556ea64a7ce87e1e9de522dfd
-
Filesize: 1KB
MD5: 39856867cbf0c798c47e59838b42d8a6
SHA1: bc7b5286f56c7817b82ab8ee1ab2a30872cced09
SHA256: 04232f672c4fdca1062f5507c7285763ca54cdc78490381787de18284324090b
SHA512: 39143b0935d0dd9b54e93c17dec67611e56bbdbe290395c9da3e87a81d5de03735c2626cc00d8c3d16c0f1bf63ee460b1ebc793e353c0957b6efb9e55a01381e
-
Filesize: 3KB
MD5: 6332e337122c93222e5eca1c76fe4e84
SHA1: 36d4e928db0103b7e129e48ed30a217be87e89d1
SHA256: 3d4ab903e90b6655fa030c40018c2a6ab22e5f8658e609d7f9a88752e835e339
SHA512: 48d3e6eef16c0daea505768fabecf60a725cdc6b60d5854fccabaa058e8a6f6caa9f72bfae379d9d8b75367e0b8783217dd7e708f4cc8207f4efdec72a01332d
-
Filesize: 4KB
MD5: 1c366f9ec66920f9b7df055242ae75e4
SHA1: 201e73a56a59baae25849a75a0cd0f5821a7b34a
SHA256: 7bbe3d5e4afd28113522ffbdfb45bdba0da030278f94fb893268658f31185ac2
SHA512: 480dc66adab094873f3713483c618dd5732b661564c9664ae5c70d9b26961e721642e13b63aab9b81d63279a9ed4a7ad4958581b883246a2219b42d9f3ad6712
-
Filesize: 49KB
MD5: 7fea681288e440b1564752a1a413d606
SHA1: b2c5db4c533b7e9c15affcf587f2a47f9ecf11bf
SHA256: 4de1552fd656fe9177581cd4c04895b64649b84a23533ce32d21e6d2f60e3879
SHA512: adbf968c8f08b550ead2b5f69eb2c2b9252887e88793b1d085c0f173e77350dd02ced83cf94a9b21751a76bb345608168603c65410421978cd915d0c34c6dc64
-
Filesize: 43KB
MD5: 30f2a9aad51101f5877c805a28e0c969
SHA1: 124906f84fcb3e226d020b4cb6539d7c6766b539
SHA256: a637765726fd6a4be9364d4a0c493352dc48949c0ff3d16c9a2f9e434fca6816
SHA512: 3691a4ebe3b2a0f914df7d6fe7e52bb94033165b80fa220ed4c4f9be9a2a4c4a3e50e670e1d1f5658bed6d418723a61bf8c1af582c74995d8e62b8448fcfca1b
-
Filesize: 7KB
MD5: 9d0ec99a42f39784acdb8c77d9a2d8c1
SHA1: c1a9fb1758e736095ac5a615c11fa038396afbf8
SHA256: 458cb2336f481225219adc7e7a4360ba019918970a1bf5d239b73e124b960ae9
SHA512: da61a6e690271abf1f83fafe9d9cf791a44d7b32af9f1751d1946c98901aaaf30df7176629aa344f01dab56a39e3566cd179c23fd3ba77968888b23ff2d2e7d0