Analysis

max time kernel: 153s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-01-2024 05:27

Tasks

Static task static1
Behavioral task behavioral1: sample 52a88d8066d72a7ec1b37a2ba80e003e.exe, resource win7-20231215-en
Behavioral task behavioral2: sample 52a88d8066d72a7ec1b37a2ba80e003e.exe, resource win10v2004-20231215-en
General

Target: 52a88d8066d72a7ec1b37a2ba80e003e.exe
Size: 1.4MB
MD5: 52a88d8066d72a7ec1b37a2ba80e003e
SHA1: e40164673822686c6d5cc41bcc98aac300664af7
SHA256: 9c59a45822d8c627c37d5e39d98685debf5d8d81819968b5d5add076ac2fc572
SHA512: db43e76700fcac500f7e51cc6bd76bdbfc68c59c5f932efa2b4d17372c02bd34f4d2c97a3c9d465269fecd72c714fea94743d430cc6f069cea4e21ffb6286adf
SSDEEP: 24576:xTYcH87qAD2yPgH0Iq+xsFfwauMUrnIr7D6GzXWso87GvNbsOMdl3:Rl9y4H0B26LtUS7D6aXW0SBk
Malware Config

Extracted family: cryptbot
C2 domains:
- haiwpj11.top
- morhas01.top
payload_url: http://zelcax01.top/download.php?file=lv.exe
Signatures

CryptBot payload (5 IoCs)
YARA rule family_cryptbot matched the following memory dumps of PID 2192 (Fra.exe.com); all five cover the same region 0x0000000000070000-0x0000000000113000, so this is one unpacked image dumped repeatedly, not five payloads:
- behavioral2/memory/2192-26-0x0000000000070000-0x0000000000113000-memory.dmp
- behavioral2/memory/2192-27-0x0000000000070000-0x0000000000113000-memory.dmp
- behavioral2/memory/2192-28-0x0000000000070000-0x0000000000113000-memory.dmp
- behavioral2/memory/2192-29-0x0000000000070000-0x0000000000113000-memory.dmp
- behavioral2/memory/2192-236-0x0000000000070000-0x0000000000113000-memory.dmp

Executes dropped EXE (2 IoCs)
pid   process
484   Fra.exe.com
2192  Fra.exe.com

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
process: 52a88d8066d72a7ec1b37a2ba80e003e.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Note: this RunOnce value is the cleanup entry written by Windows' own self-extracting cabinet stub (wextract, the stub IExpress packages use). On the next logon it deletes the IXP000.TMP extraction directory. It tells you the sample is packaged as an IExpress SFX; it is not a persistence mechanism for the CryptBot payload.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
process: Fra.exe.com
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of FindShellTrayWindow (2 IoCs)
pid 2192 Fra.exe.com (2 events)

Suspicious use of WriteProcessMemory (21 IoCs)
Each parent/child pair below was recorded three times. A parent writing into a child it has just created is ordinary process start-up; the sandbox flags it because the same API is used for injection, so read this list as the process lineage rather than as 21 injections.
PID 2740 (52a88d8066d72a7ec1b37a2ba80e003e.exe) wrote to memory of 2276 (dllhost.exe)
PID 2740 (52a88d8066d72a7ec1b37a2ba80e003e.exe) wrote to memory of 5016 (cmd.exe)
PID 5016 (cmd.exe) wrote to memory of 3852 (cmd.exe)
PID 3852 (cmd.exe) wrote to memory of 1072 (findstr.exe)
PID 3852 (cmd.exe) wrote to memory of 484 (Fra.exe.com)
PID 3852 (cmd.exe) wrote to memory of 4996 (PING.EXE)
PID 484 (Fra.exe.com) wrote to memory of 2192 (Fra.exe.com)
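The lineage above is more useful as a detection than any single signature in the list. As an added example (not part of the Triage report), the Python below encodes the chain as four process-level rules and correlates them through the parent/child links: cmd.exe reading its script from stdin (`cmd < Deposto.aiff`, so no .bat ever appears on a command line), findstr /V /R with a long anchored marker, an *.exe.com launched from an IXP###.TMP directory, and `ping localhost -n 30` used as a delay. Events are reduced Sysmon Event ID 1 records built from the command lines in the report's process tree; the sample's parent pid (1000) and the three benign events are constructed to show the rules stay quiet on ordinary findstr and ping use. Each rule alone is noisy; the alert is on one process tree accumulating three or more of them.

```python
"""Detection logic for the dropper chain recorded in this report, run over
reduced process-creation events (pid, ppid, image, cmdline; Sysmon Event ID 1
style). Added example for this page; not Triage's own signatures. Command lines
are transcribed from the report's process tree; the sample's parent pid (1000)
and the benign events are constructed."""
import re
from collections import defaultdict

# Marker taken from the report's findstr command line.
MARKER = "TLMjEDpTLcIIJMGgbxtWhmcEZvxziWQdzsVQqSkGdZcGCwYlYfTIltkxfojipQMOEsgaRQgEobGhrPwYblxRriyfyABRGtbmhHwlMGaowgANnYsmi"
TMP = r"C:\Users\Admin\AppData\Local\Temp"

EVENTS = [
    {"pid": 2740, "ppid": 1000, "image": TMP + r"\52a88d8066d72a7ec1b37a2ba80e003e.exe",
     "cmdline": '"' + TMP + r'\52a88d8066d72a7ec1b37a2ba80e003e.exe"'},
    {"pid": 2276, "ppid": 2740, "image": r"C:\Windows\SysWOW64\dllhost.exe", "cmdline": "dllhost.exe"},
    {"pid": 5016, "ppid": 2740, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd /c cmd < Deposto.aiff"},
    {"pid": 3852, "ppid": 5016, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd"},
    {"pid": 1072, "ppid": 3852, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": f'findstr /V /R "^{MARKER}$" Illusione.aiff'},
    {"pid": 484, "ppid": 3852, "image": TMP + r"\IXP000.TMP\Fra.exe.com", "cmdline": "Fra.exe.com Z"},
    {"pid": 2192, "ppid": 484, "image": TMP + r"\IXP000.TMP\Fra.exe.com",
     "cmdline": TMP + r"\IXP000.TMP\Fra.exe.com Z"},
    {"pid": 4996, "ppid": 3852, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping localhost -n 30"},
    # Constructed benign activity, not from the report: the rules must stay quiet here.
    {"pid": 7001, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c build.bat"},
    {"pid": 7002, "ppid": 7001, "image": r"C:\Windows\System32\findstr.exe", "cmdline": 'findstr /V /R "^#" settings.ini'},
    {"pid": 7003, "ppid": 7001, "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping 10.0.0.5 -n 2"},
]


def _cmd_stdin_from_nonscript(e):
    """cmd.exe reading its script from stdin redirected from a non-.bat/.cmd file."""
    return e["image"].lower().endswith("cmd.exe") and bool(
        re.search(r"\bcmd(?:\.exe)?\s+<\s*\S+\.(?!bat\b|cmd\b)\w+", e["cmdline"], re.I))


def _findstr_marker_strip(e):
    """findstr /V /R with a long anchored alphanumeric marker (strips one junk line from a file)."""
    return e["image"].lower().endswith("findstr.exe") and bool(
        re.search(r'/V\s+/R\s+"\^[A-Za-z0-9]{32,}\$"', e["cmdline"], re.I))


def _exe_com_from_ixp_tmp(e):
    """*.exe.com started from a wextract IXP###.TMP extraction directory."""
    return bool(re.search(r"\\IXP\d{3}\.TMP\\[^\\]+\.exe\.com$", e["image"], re.I))


def _ping_localhost_sleep(e):
    """ping against the local host with a large -n count, used as a sleep."""
    if not e["image"].lower().endswith("ping.exe"):
        return False
    cl = e["cmdline"]
    count = re.search(r"-n\s+(\d+)", cl, re.I)
    return (bool(re.search(r"\b(?:localhost|127\.0\.0\.1)\b", cl, re.I))
            and count is not None and int(count.group(1)) >= 10)


RULES = {
    "cmd_stdin_from_nonscript": _cmd_stdin_from_nonscript,
    "findstr_marker_strip": _findstr_marker_strip,
    "exe_com_from_ixp_tmp": _exe_com_from_ixp_tmp,
    "ping_localhost_sleep": _ping_localhost_sleep,
}


def match_rules(events):
    """Map pid -> names of the rules that fired on that process."""
    hits = {}
    for e in events:
        fired = [name for name, fn in RULES.items() if fn(e)]
        if fired:
            hits[e["pid"]] = fired
    return hits


def root_of(pid, parents):
    """Walk ppid links up to the top-most process present in the event set (cycle-safe)."""
    seen = set()
    while pid in parents and parents[pid] in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def correlate(events, min_rules=3):
    """Group rule hits by the root of their process tree and alert on trees
    that accumulate min_rules distinct rules: a lone findstr /V or ping -n
    is noise, the whole chain under one ancestor is the dropper."""
    parents = {e["pid"]: e["ppid"] for e in events}
    by_root = defaultdict(set)
    for pid, fired in match_rules(events).items():
        by_root[root_of(pid, parents)].update(fired)
    return {root: names for root, names in by_root.items() if len(names) >= min_rules}


if __name__ == "__main__":
    for pid, names in match_rules(EVENTS).items():
        print(pid, names)
    print("alert trees:", correlate(EVENTS))
```

Run as-is it prints one hit per chain member and a single alert keyed on pid 2740, the sample itself; the benign cmd/findstr/ping tree under pid 7001 produces no hits at all. To use it on real data, replace EVENTS with parsed Sysmon or EDR process-creation records and keep the correlation: the same four rules fire individually on plenty of legitimate batch files.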
Processes

C:\Users\Admin\AppData\Local\Temp\52a88d8066d72a7ec1b37a2ba80e003e.exe (depth 1, PID 2740)
  command line: "C:\Users\Admin\AppData\Local\Temp\52a88d8066d72a7ec1b37a2ba80e003e.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\dllhost.exe (depth 2, PID 2276)
    command line: dllhost.exe

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 5016)
    command line: cmd /c cmd < Deposto.aiff
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 3852)
      command line: cmd
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\findstr.exe (depth 4, PID 1072)
        command line: findstr /V /R "^TLMjEDpTLcIIJMGgbxtWhmcEZvxziWQdzsVQqSkGdZcGCwYlYfTIltkxfojipQMOEsgaRQgEobGhrPwYblxRriyfyABRGtbmhHwlMGaowgANnYsmi$" Illusione.aiff

      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com (depth 4, PID 484)
        command line: Fra.exe.com Z
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com (depth 5, PID 2192)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com Z
          - Executes dropped EXE
          - Checks processor information in registry
          - Suspicious use of FindShellTrayWindow

      C:\Windows\SysWOW64\PING.EXE (depth 4, PID 4996)
        command line: ping localhost -n 30
        - Runs ping.exe
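The findstr step in the tree deserves a closer look. `findstr /V /R "^<marker>$" Illusione.aiff` prints every line of Illusione.aiff that does not match the anchored marker, which is a way of stripping a single junk line from a file; cmd.exe handles the output redirection, so the destination never appears in findstr's own command line (that it feeds the Fra.exe.com executed next is an inference, not something the report shows). The Python below, added for this page and not part of the report or the sample, emulates that filter on a constructed file: a minimal MZ/PE-shaped byte string with the report's marker line prepended (the real Illusione.aiff contents are not on the page). It shows that the line filter restores the PE header and leaves every other byte untouched, including LF and CR bytes inside the payload.

```python
"""Emulation of `findstr /V /R "^<marker>$" <file>` as used in this report's
process tree. findstr prints every line that does NOT match the regex, so a
file that is a PE image with a long marker line spliced in front of it comes
out of the filter as the bare PE. Added example for this page; the input file
is constructed here, not the sample's real Illusione.aiff."""
import re

# Marker taken from the report's findstr command line.
MARKER = b"TLMjEDpTLcIIJMGgbxtWhmcEZvxziWQdzsVQqSkGdZcGCwYlYfTIltkxfojipQMOEsgaRQgEobGhrPwYblxRriyfyABRGtbmhHwlMGaowgANnYsmi"


def findstr_v_r(data: bytes, pattern: bytes) -> bytes:
    """findstr /V /R: keep only the lines that do not match pattern.
    Lines are split on LF; a trailing CR is ignored for matching, but the
    kept lines are re-joined byte-for-byte so LF/CR bytes inside the payload
    survive. Real findstr has line-length limits; this is an analysis
    convenience, not a bit-exact clone."""
    rx = re.compile(pattern)
    kept = [line for line in data.split(b"\n") if not rx.search(line.rstrip(b"\r"))]
    return b"\n".join(kept)


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' at offset 0 and the PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def tiny_pe_stub() -> bytes:
    """Constructed bytes with a valid MZ / e_lfanew / PE signature layout (not
    runnable), deliberately containing LF and CR bytes after the headers."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20 + b"\n\r\n.text\x0a\x0d"


def disguise(payload: bytes, marker: bytes) -> bytes:
    """Constructed stand-in for Illusione.aiff: one marker line, then the payload verbatim."""
    return marker + b"\r\n" + payload


def demo() -> dict:
    payload = tiny_pe_stub()
    disguised = disguise(payload, MARKER)
    recovered = findstr_v_r(disguised, b"^" + MARKER + b"$")
    return {
        "disguised_is_pe": looks_like_pe(disguised),  # header hidden behind the marker line
        "recovered_is_pe": looks_like_pe(recovered),  # filter restores the MZ/PE layout
        "byte_exact": recovered == payload,           # nothing else altered
    }


if __name__ == "__main__":
    print(demo())
```

The same function can be pointed at a real dropped file by reading it with `open(path, "rb")` and passing the marker from the captured command line; if the result starts with MZ you have the stage the script went on to execute, without running anything.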
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize 569B
  MD5    48dd3606008d6ff627aa4a5eb3001ff5
  SHA1   f68612a5bbf822b32993d4d1451072e42d27ab40
  SHA256 4de260e84b9b84cad526fcf175d03721f553849318a8ea161bf567d0e7c9fe2e
  SHA512 8c0c06aecd1c65f68fd9a61204beb95279200c067f14679722fdb79ca870d3482023244e22e6f8d5f55d26c8213c637832b14494697135ffdd6a6b226305192f

- Filesize 872KB
  MD5    c56b5f0201a3b3de53e561fe76912bfd
  SHA1   2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

- Filesize 872KB
  MD5    c05dc97cb781e42e9269d142ef1cc85a
  SHA1   70eb77a8114cc888ca94a6c34c8031596759e20a
  SHA256 5ff41adbaf12ef578a860c1333d2fc55045816f9c6582996baf058440570ca48
  SHA512 89c1eb5553ff1ae360d487f6a30cafc08d0b03f16b676c6fc09bfabc667937a2133af82f430cacc6eb6b0c764ab3daefcd6f22e99a31d058cad035b35316c03f

- Filesize 634KB
  MD5    2be154b18d3fa64af5604d87f165124a
  SHA1   cee27b6c43346a5aaa94e35c73ec068302da80fd
  SHA256 0c1c7d41910377731bbd354dac74ddfd50a116bc3e5dfe0062178fe2acb57bde
  SHA512 79487399a6743b1d47a2312dbd70c792e6af2dafc44abceacb521121f049733436007a955783d69abe740882e0c04cb6bfd8a236cd33df235748ee3a9e16e4e2

- Filesize 661KB
  MD5    c98e5c79fc362b26b950321217d594e8
  SHA1   94a92bca9baa45ecf31c6e8b87cecc8b18ce3d1a
  SHA256 7ecd423bfd509cc671d7d02296c49b68f8eff7f0e3135298db558ecebc7b2484
  SHA512 247bdfa0ddded5781a1d81306ae783c9da1ed00a70efd7fc3646fae12d63713009257575f014548d0bc4bcbd096c8da5b615a34a41d9e635f0eba9ce9f3c1c82

- Filesize 1KB
  MD5    7c6ba2fa5cd8e50c8716ef38fbcfabc1
  SHA1   d9f7f2c04041937ce263fc2ecdcd82efb1756b6f
  SHA256 9b181d0fba0524f1907d19797e7ad5ecfdf6dea6ccc8b4cf49c1fc09ddd7d6a1
  SHA512 a0e0c787fb1dd0f1b233bc71f0a0ae6f57e2486f64eddfa4519a0e7054306ef8324a7a1a3cd1d971e9e10289e01e4fcaa1fd79f76d3b85e0bd121f3ff0f96e8a

- Filesize 4KB
  MD5    6b1a7f09b60a8efa3b51ce1992965497
  SHA1   5ad03a21092ffbe280b9457f8498fd6f14ec0cef
  SHA256 a6271392ef4c427b902626c7d5e05d6aa4654ea3aa75e2abb0d56241ab7c9d91
  SHA512 bd3ebc7899c5103a38a27caaaf342738a57b66cc25c566abe0d76b2d418418f479fed0fc8e23bc02e1f2cddc5bb1e6f1694fad66b197627ed0dd6bac0be4d447

- Filesize 49KB
  MD5    4ba722c23616e093af783734f0af480b
  SHA1   729554b4c61718f9b10a14a8a35addf13320496a
  SHA256 263ea9e1f8a65d9827346412870630d6ce02aeebbe75c8297863fc1d35e13880
  SHA512 2afde27f4df5e042cb442ec89841e1734f671123bed42405d6abc21001967a7be151e9aa402443503e33f38c903872e73359b6d6317e339d9225ec591d2baf47

- Filesize 7KB
  MD5    567ff43b0b6995da05a8f4321fa22d5e
  SHA1   061c252d79f2a3c9d44c3c0022e57f3529555e1d
  SHA256 b4260d886ab55a9d1cb0995023eb5bd615cc730af779adb2e410f4aa9d0774fa
  SHA512 b25ad7ddcd1ce647ec669dad1e58a31c68f04defe2115306ab97dc4b01dfc51f63d51bd380253bd69c726904163706cfe083ed1df2e8e63e28ccec189066c76c

- Filesize 43KB
  MD5    1ed4556b393fb5569dac05107b9d5f5f
  SHA1   1085a11ecaecb528bc1edb6982668edde5faa406
  SHA256 3b2e6d542ae11f6e849b4903eb2d41a090c6fae5ce12e4465a1b285813f3c1b3
  SHA512 fa0eab85028db2556f8f250bf4bb9dde872ba7f4d0adcb5e5cada2cdf277e8ea982913ab7680fad9d937e729d0eeb74c1c4268db05992a02d307c388e86e3629