Analysis
- max time kernel: 148s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-01-2024 20:58

Static task: static1
Behavioral task: behavioral1
Sample: 519a5e8618177c423039f4e5c47aa27a.exe
Resource: win7-20231215-en
General
- Target: 519a5e8618177c423039f4e5c47aa27a.exe
- Size: 653KB
- MD5: 519a5e8618177c423039f4e5c47aa27a
- SHA1: 734edb3abad541d4236a41fd9f4d06cc36c3b29c
- SHA256: 656dd9e677ea4da1892f14f0b38ca7d989d6d8a07d1ce3d1675cf2ff1b030653
- SHA512: 8dd6542c8c6e26e781035d22eb511325f43f2ddf9a575b245987509c211c3c4b58e6e950d2196e1c7b7754bdc1603f3f2cb9bb1fffc792e14a101e35def7f31f
- SSDEEP: 12288:ZcTh83Cp4M6Ujub6eDbLCnzm4WIUPH1L8MeKQA7mNjSRd:ZZ3CpowahIUFXezmRd
Malware Config
Extracted: cryptbot
- lyssen62.top
- morwaf06.top
- payload_url: http://damliq08.top/download.php?file=lv.exe
Signatures
- CryptBot payload (4 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/4428-2-0x0000000000960000-0x0000000000A00000-memory.dmp    family_cryptbot
    behavioral2/memory/4428-3-0x0000000000400000-0x000000000095A000-memory.dmp    family_cryptbot
    behavioral2/memory/4428-208-0x0000000000400000-0x000000000095A000-memory.dmp  family_cryptbot
    behavioral2/memory/4428-212-0x0000000000960000-0x0000000000A00000-memory.dmp  family_cryptbot
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: 519a5e8618177c423039f4e5c47aa27a.exe
    description        ioc                                                                                  process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      519a5e8618177c423039f4e5c47aa27a.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  519a5e8618177c423039f4e5c47aa27a.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: 519a5e8618177c423039f4e5c47aa27a.exe
    pid   process
    4428  519a5e8618177c423039f4e5c47aa27a.exe
    4428  519a5e8618177c423039f4e5c47aa27a.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: b7dd22a373ad35516b6fb4117e5c8a3f
  SHA1: d8d9a799b20348eccbc64dc1b5851cf2c42107a1
  SHA256: af3895f7c5c56d3e5d575bfdfaadfeca86fdaedb1d784c73c7108754968b7fce
  SHA512: aef8b5a0ff2c9a79c3733ab63c8846f935b7ffc6f2a4780950eed0b46c6b2d266c12b590ae6427768ee5f9be2df9f7c7b3206006c921d0a62c173e34183e2349
- Filesize: 7KB
  MD5: e0ec0e78a1626d45585cb5cd6e274952
  SHA1: 5d68d8beddcb481ae55a9780fb0561faa0be66b1
  SHA256: 26c5b31b171c970ccc4b397ad79f73f43221d1de341b4f305c1412b49d846bed
  SHA512: fc578f46eae45d85c702a1b86c258d1982865fb9bbfe5f1996c1d7210631d5f9e8e21d2a2d383581a04277c2f422066a9cf20770b74c1e91db9bc712629a64b7
- Filesize: 47KB
  MD5: 6b0e49f33245e9d9cd0c4b49354f94f6
  SHA1: 99c16e6cb99b0faaaec9a66854b37b3973c348d6
  SHA256: 9923568ef710aa556b4809854ca04290e318babc0303793f5141a2b40d4d2b66
  SHA512: 9fa2010fd49f1a04c59b75e9eb4627ff67906dc666737e629a20f725e9fd13e0b29adc94161eea4844eb22e53b186851d8a48c3cf1fc1b62a6890a629e73d2b8
- Filesize: 41KB
  MD5: 031178d4340d07f11caba3aad80b8935
  SHA1: e20494e700ed5f17f653408a65cdc02c162aeb6c
  SHA256: 289e8550bd31901c338555d51b5b123c4cf4cac0eb40f2ed4fd14cc67b73d9f2
  SHA512: cd4954a1e4e934973e198ba45b8354a93bc67bd33eabf9e42b18487a4a2e9c35a247ab5d592d9b822baec4ad790871341e421583fc68d4d6b126cd85ccfbd476
- Filesize: 1KB
  MD5: a6f16e9cb322be17d3555b014b698d22
  SHA1: c2e4bf475a10763614f0df35713072d238f7078b
  SHA256: ca8aebdd8fd24c2cbe0db5a74073f56096fff2ccacc5e31db069f07b215277e3
  SHA512: bcaffc051d24ef3df23780608bd3a51372867b6e2bc8d7baddfbfb8529f9b26720e7af71bb7558a5c06a8cdbfaf0cce1d0ccaf0c364ac90081df1a3decb7e61a
- Filesize: 2KB
  MD5: e11a7b251671edc1a5170b7d5cc1a38f
  SHA1: 351df1be8644cfd3da6a44e667cb4906fe5036fa
  SHA256: 11d689b3cc2ae592d6494d29a762d3a187722fa6c62ebfc377e359a173d3b66c
  SHA512: 26c62370ebaef92dc7626b0e8e3d41f5ba35de95390ae9d1b4c5f284ce56ab516361e9b198b479eca4dc2004aa973bb87e04a6de48ff6b6ef7aa49ca0cb882c8
- Filesize: 4KB
  MD5: 9d4d0ac0112d201e8659529b82eb7337
  SHA1: 0235f852cff10691f07ab853736e9226d6fe393f
  SHA256: 866d4ed183dc704f3068fad07a5703c79c84c3519bb379e706f7ab16678a2a12
  SHA512: 4fb10f904af9b3830c11d21f2479a0818e6161ac8543a37bc631e56c1ab6341e368c3c244f18b58b4beb981fbf1930af665111abb39e1fdf154833e8d17e4a60
- Filesize: 41KB
  MD5: 9764767a43064f47283e34f730be9297
  SHA1: 444d3b9374a230e44753b83554b62556990ab6af
  SHA256: 40cc871c6391f8c302b50b77390eb07263d56b83691cca478dab22fd06a62aa3
  SHA512: 314588f2b4dc599bcf95e1f3466c933fae1f36109e91114fb35f5ecff5d94d2ee9327ba8ff8459f145dd254503c9c3c036343813ffa963e6681de4c159def65a