Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
- submitted: 11-01-2024 05:27
Static task: static1
Behavioral task: behavioral1
- Sample: 52a88d8066d72a7ec1b37a2ba80e003e.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 52a88d8066d72a7ec1b37a2ba80e003e.exe
- Resource: win10v2004-20231215-en
General
- Target: 52a88d8066d72a7ec1b37a2ba80e003e.exe
- Size: 1.4MB
- MD5: 52a88d8066d72a7ec1b37a2ba80e003e
- SHA1: e40164673822686c6d5cc41bcc98aac300664af7
- SHA256: 9c59a45822d8c627c37d5e39d98685debf5d8d81819968b5d5add076ac2fc572
- SHA512: db43e76700fcac500f7e51cc6bd76bdbfc68c59c5f932efa2b4d17372c02bd34f4d2c97a3c9d465269fecd72c714fea94743d430cc6f069cea4e21ffb6286adf
- SSDEEP: 24576:xTYcH87qAD2yPgH0Iq+xsFfwauMUrnIr7D6GzXWso87GvNbsOMdl3:Rl9y4H0B26LtUS7D6aXW0SBk
Malware Config
Extracted: cryptbot
- haiwpj11.top
- morhas01.top
- payload_url: http://zelcax01.top/download.php?file=lv.exe
Signatures
- CryptBot payload (5 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2572-28-0x00000000039B0000-0x0000000003A53000-memory.dmp | family_cryptbot
  behavioral1/memory/2572-29-0x00000000039B0000-0x0000000003A53000-memory.dmp | family_cryptbot
  behavioral1/memory/2572-30-0x00000000039B0000-0x0000000003A53000-memory.dmp | family_cryptbot
  behavioral1/memory/2572-31-0x00000000039B0000-0x0000000003A53000-memory.dmp | family_cryptbot
  behavioral1/memory/2572-251-0x00000000039B0000-0x0000000003A53000-memory.dmp | family_cryptbot
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  2980 | Fra.exe.com
  2572 | Fra.exe.com
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  2716 | cmd.exe
  2980 | Fra.exe.com
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 52a88d8066d72a7ec1b37a2ba80e003e.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Fra.exe.com
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Fra.exe.com
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  pid | process
  2572 | Fra.exe.com
  2572 | Fra.exe.com
- Suspicious use of WriteProcessMemory (28 IoCs; each of the 7 entries below was recorded 4 times)
  Processes:
  description | pid | process | target process
  PID 3028 wrote to memory of 3036 | 3028 | 52a88d8066d72a7ec1b37a2ba80e003e.exe | dllhost.exe
  PID 3028 wrote to memory of 2404 | 3028 | 52a88d8066d72a7ec1b37a2ba80e003e.exe | cmd.exe
  PID 2404 wrote to memory of 2716 | 2404 | cmd.exe | cmd.exe
  PID 2716 wrote to memory of 2816 | 2716 | cmd.exe | findstr.exe
  PID 2716 wrote to memory of 2980 | 2716 | cmd.exe | Fra.exe.com
  PID 2716 wrote to memory of 2676 | 2716 | cmd.exe | PING.EXE
  PID 2980 wrote to memory of 2572 | 2980 | Fra.exe.com | Fra.exe.com
Processes
- C:\Users\Admin\AppData\Local\Temp\52a88d8066d72a7ec1b37a2ba80e003e.exe (PID 3028, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\52a88d8066d72a7ec1b37a2ba80e003e.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\dllhost.exe (PID 3036, depth 2)
    command line: dllhost.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 2404, depth 2)
    command line: cmd /c cmd < Deposto.aiff
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2716, depth 3)
      command line: cmd
      signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe (PID 2816, depth 4)
        command line: findstr /V /R "^TLMjEDpTLcIIJMGgbxtWhmcEZvxziWQdzsVQqSkGdZcGCwYlYfTIltkxfojipQMOEsgaRQgEobGhrPwYblxRriyfyABRGtbmhHwlMGaowgANnYsmi$" Illusione.aiff
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com (PID 2980, depth 4)
        command line: Fra.exe.com Z
        signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com (PID 2572, depth 5)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com Z
          signatures: Executes dropped EXE; Checks processor information in registry; Suspicious use of FindShellTrayWindow
      - C:\Windows\SysWOW64\PING.EXE (PID 2676, depth 4)
        command line: ping localhost -n 30
        signatures: Runs ping.exe
Downloads