Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-01-2024 20:58

General

  • Target

    519a5e8618177c423039f4e5c47aa27a.exe

  • Size

    653KB

  • MD5

    519a5e8618177c423039f4e5c47aa27a

  • SHA1

    734edb3abad541d4236a41fd9f4d06cc36c3b29c

  • SHA256

    656dd9e677ea4da1892f14f0b38ca7d989d6d8a07d1ce3d1675cf2ff1b030653

  • SHA512

    8dd6542c8c6e26e781035d22eb511325f43f2ddf9a575b245987509c211c3c4b58e6e950d2196e1c7b7754bdc1603f3f2cb9bb1fffc792e14a101e35def7f31f

  • SSDEEP

    12288:ZcTh83Cp4M6Ujub6eDbLCnzm4WIUPH1L8MeKQA7mNjSRd:ZZ3CpowahIUFXezmRd

Malware Config

Extracted

Family

cryptbot

C2

lyssen62.top

morwaf06.top

Attributes
  • payload_url

    http://damliq08.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ stealer, widely distributed bundled with other software.

  • CryptBot payload 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe
    "C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe"
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    PID:4428

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\_Files\_Information.txt

    Filesize

    1KB

    MD5

    b7dd22a373ad35516b6fb4117e5c8a3f

    SHA1

    d8d9a799b20348eccbc64dc1b5851cf2c42107a1

    SHA256

    af3895f7c5c56d3e5d575bfdfaadfeca86fdaedb1d784c73c7108754968b7fce

    SHA512

    aef8b5a0ff2c9a79c3733ab63c8846f935b7ffc6f2a4780950eed0b46c6b2d266c12b590ae6427768ee5f9be2df9f7c7b3206006c921d0a62c173e34183e2349

  • C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\_Files\_Information.txt

    Filesize

    7KB

    MD5

    e0ec0e78a1626d45585cb5cd6e274952

    SHA1

    5d68d8beddcb481ae55a9780fb0561faa0be66b1

    SHA256

    26c5b31b171c970ccc4b397ad79f73f43221d1de341b4f305c1412b49d846bed

    SHA512

    fc578f46eae45d85c702a1b86c258d1982865fb9bbfe5f1996c1d7210631d5f9e8e21d2a2d383581a04277c2f422066a9cf20770b74c1e91db9bc712629a64b7

  • C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\_Files\_Screen_Desktop.jpeg

    Filesize

    47KB

    MD5

    6b0e49f33245e9d9cd0c4b49354f94f6

    SHA1

    99c16e6cb99b0faaaec9a66854b37b3973c348d6

    SHA256

    9923568ef710aa556b4809854ca04290e318babc0303793f5141a2b40d4d2b66

    SHA512

    9fa2010fd49f1a04c59b75e9eb4627ff67906dc666737e629a20f725e9fd13e0b29adc94161eea4844eb22e53b186851d8a48c3cf1fc1b62a6890a629e73d2b8

  • C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\bFogcARCIrQ.zip

    Filesize

    41KB

    MD5

    031178d4340d07f11caba3aad80b8935

    SHA1

    e20494e700ed5f17f653408a65cdc02c162aeb6c

    SHA256

    289e8550bd31901c338555d51b5b123c4cf4cac0eb40f2ed4fd14cc67b73d9f2

    SHA512

    cd4954a1e4e934973e198ba45b8354a93bc67bd33eabf9e42b18487a4a2e9c35a247ab5d592d9b822baec4ad790871341e421583fc68d4d6b126cd85ccfbd476

  • C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\files_\system_info.txt

    Filesize

    1KB

    MD5

    a6f16e9cb322be17d3555b014b698d22

    SHA1

    c2e4bf475a10763614f0df35713072d238f7078b

    SHA256

    ca8aebdd8fd24c2cbe0db5a74073f56096fff2ccacc5e31db069f07b215277e3

    SHA512

    bcaffc051d24ef3df23780608bd3a51372867b6e2bc8d7baddfbfb8529f9b26720e7af71bb7558a5c06a8cdbfaf0cce1d0ccaf0c364ac90081df1a3decb7e61a

  • C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\files_\system_info.txt

    Filesize

    2KB

    MD5

    e11a7b251671edc1a5170b7d5cc1a38f

    SHA1

    351df1be8644cfd3da6a44e667cb4906fe5036fa

    SHA256

    11d689b3cc2ae592d6494d29a762d3a187722fa6c62ebfc377e359a173d3b66c

    SHA512

    26c62370ebaef92dc7626b0e8e3d41f5ba35de95390ae9d1b4c5f284ce56ab516361e9b198b479eca4dc2004aa973bb87e04a6de48ff6b6ef7aa49ca0cb882c8

  • C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\files_\system_info.txt

    Filesize

    4KB

    MD5

    9d4d0ac0112d201e8659529b82eb7337

    SHA1

    0235f852cff10691f07ab853736e9226d6fe393f

    SHA256

    866d4ed183dc704f3068fad07a5703c79c84c3519bb379e706f7ab16678a2a12

    SHA512

    4fb10f904af9b3830c11d21f2479a0818e6161ac8543a37bc631e56c1ab6341e368c3c244f18b58b4beb981fbf1930af665111abb39e1fdf154833e8d17e4a60

  • C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\yVf6un6xKoVBMf.zip

    Filesize

    41KB

    MD5

    9764767a43064f47283e34f730be9297

    SHA1

    444d3b9374a230e44753b83554b62556990ab6af

    SHA256

    40cc871c6391f8c302b50b77390eb07263d56b83691cca478dab22fd06a62aa3

    SHA512

    314588f2b4dc599bcf95e1f3466c933fae1f36109e91114fb35f5ecff5d94d2ee9327ba8ff8459f145dd254503c9c3c036343813ffa963e6681de4c159def65a

  • memory/4428-1-0x0000000000B50000-0x0000000000C50000-memory.dmp

    Filesize

    1024KB

  • memory/4428-3-0x0000000000400000-0x000000000095A000-memory.dmp

    Filesize

    5.4MB

  • memory/4428-208-0x0000000000400000-0x000000000095A000-memory.dmp

    Filesize

    5.4MB

  • memory/4428-211-0x0000000000B50000-0x0000000000C50000-memory.dmp

    Filesize

    1024KB

  • memory/4428-212-0x0000000000960000-0x0000000000A00000-memory.dmp

    Filesize

    640KB

  • memory/4428-2-0x0000000000960000-0x0000000000A00000-memory.dmp

    Filesize

    640KB