Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 11-01-2024 23:59
Static task: static1
Behavioral task: behavioral1
Sample: 54efb1309d76e87c2185b576e3783247.exe
Resource: win7-20231215-en
General
Target: 54efb1309d76e87c2185b576e3783247.exe
Size: 662KB
MD5: 54efb1309d76e87c2185b576e3783247
SHA1: 9111f54d035c70780a1decc4d808356cf1857940
SHA256: 5de12d55a698805ec98ada5964711f226fd1d4a424daf7062f178dbf52702cd5
SHA512: e3be1ec27f080280b826429d0457c1560d2f6dc33b20e0af349a8d6b03ef6836c3df4bc5808f813d572fe7b0b7c694920931176fe45add7250fa6e823c943a3e
SSDEEP: 12288:KzxWqgM8Yi/u5J3noTJDA8pTW8AawUb6nQHQ+5FChY9Cpi+oAg/Dt/zqH/iTQ:S0RM87HMF8VwUbJ/C7CL/DRuHSQ
Malware Config
Extracted: cryptbot
lysayu42.top
morbyn04.top
payload_url: http://damhlu05.top/download.php?file=lv.exe
Signatures
CryptBot payload (4 IoCs)
Processes (resource / yara_rule):
behavioral1/memory/1848-2-0x0000000000220000-0x00000000002C0000-memory.dmp  family_cryptbot
behavioral1/memory/1848-3-0x0000000000400000-0x000000000095B000-memory.dmp  family_cryptbot
behavioral1/memory/1848-222-0x0000000000400000-0x000000000095B000-memory.dmp  family_cryptbot
behavioral1/memory/1848-226-0x0000000000220000-0x00000000002C0000-memory.dmp  family_cryptbot
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  54efb1309d76e87c2185b576e3783247.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  54efb1309d76e87c2185b576e3783247.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid / process):
1848  54efb1309d76e87c2185b576e3783247.exe
1848  54efb1309d76e87c2185b576e3783247.exe
MITRE ATT&CK Enterprise v15
Downloads