Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
10-01-2024 20:58
Static task
static1
Behavioral task
behavioral1
Sample
519a5e8618177c423039f4e5c47aa27a.exe
Resource
win7-20231215-en
General
-
Target
519a5e8618177c423039f4e5c47aa27a.exe
-
Size
653KB
-
MD5
519a5e8618177c423039f4e5c47aa27a
-
SHA1
734edb3abad541d4236a41fd9f4d06cc36c3b29c
-
SHA256
656dd9e677ea4da1892f14f0b38ca7d989d6d8a07d1ce3d1675cf2ff1b030653
-
SHA512
8dd6542c8c6e26e781035d22eb511325f43f2ddf9a575b245987509c211c3c4b58e6e950d2196e1c7b7754bdc1603f3f2cb9bb1fffc792e14a101e35def7f31f
-
SSDEEP
12288:ZcTh83Cp4M6Ujub6eDbLCnzm4WIUPH1L8MeKQA7mNjSRd:ZZ3CpowahIUFXezmRd
Malware Config
Extracted
cryptbot
lyssen62.top
morwaf06.top
-
payload_url
http://damliq08.top/download.php?file=lv.exe
Signatures
-
CryptBot payload 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/812-2-0x0000000000310000-0x00000000003B0000-memory.dmp | family_cryptbot
behavioral1/memory/812-3-0x0000000000400000-0x000000000095A000-memory.dmp | family_cryptbot
behavioral1/memory/812-221-0x0000000000400000-0x000000000095A000-memory.dmp | family_cryptbot
behavioral1/memory/812-225-0x0000000000310000-0x00000000003B0000-memory.dmp | family_cryptbot
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
519a5e8618177c423039f4e5c47aa27a.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 519a5e8618177c423039f4e5c47aa27a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 519a5e8618177c423039f4e5c47aa27a.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
519a5e8618177c423039f4e5c47aa27a.exe
pid | process
812 | 519a5e8618177c423039f4e5c47aa27a.exe
812 | 519a5e8618177c423039f4e5c47aa27a.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
37KB
MD5: ad098d5722726ff474bb1dccf5e9988a
SHA1: 475babb1aeda23c4eaa3bb6445d7818bee4c1db8
SHA256: f3f619086b8fda738c699b0f78c0753735a1b364784dd92627ee9f353605ba47
SHA512: 1c5cf6d14e1e05be8d280767b0e8bee7d62c935f04c03ae843818bc13f6071c3588d46f6c9db48656d08deece5b3d9582957272ca04a3e4d020835c34ba37f16
-
Filesize
8KB
MD5: 8088e3ab5c16cd024183761df3806864
SHA1: 8a07a9e5169d2fbd4ed51f2c8171ae654d9d7f00
SHA256: 93d0ea13a5a5c50bed7df667ab4b2323be9c34b438b9fe26e0893bfd759b81ee
SHA512: 70223e48a848b0fd38f60da55aa41f25a164896dc24220073d0bfc6f3fca349c65ed0c0b885c3fe10fad3ff37be9f05f53ba70ef10f627c8b611947472937c06
-
Filesize
44KB
MD5: 440038e6bce3174305c6efa21805ad70
SHA1: 28cb2e7b692c8adf2abcb5cb3d00569c069144d3
SHA256: fece7af270540e1b057ce3456afc15f4e1c2edf550c19c1e181632b16b4f9365
SHA512: 981d48e1fa116cb279c080110a22faa671000ad12599cc475422e4dd320a8b76acfa11828791448cdf52266efdfa24c8ab0ff9aff464dcd31ef6baa81660b7fa
-
Filesize
8KB
MD5: 657e58c60df206ec33cf1c86c83364fb
SHA1: 42f446ae4836c45ed15e8f2b1def8069caed89f3
SHA256: 9ea8cec4039e06e586d39deb1e74e3ebb46713daa422ee010e8ba7b287a41b0d
SHA512: 917c30bd2d066a350979774633f7fa9c45862f1da6e2fdcf394782d2aee30f86202aa3dca12201c0dea02cc6b841359fe2275151b018ed8436226d5f69858b20