Analysis
Max time kernel: 157s
Max time network: 165s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 11-01-2024 07:45
Static task: static1
Behavioral task: behavioral1
Sample: 52f166f6aeb75858dc1b2eddd57874f8.exe
Resource: win7-20231215-en
General
Target: 52f166f6aeb75858dc1b2eddd57874f8.exe
Size: 690KB
MD5: 52f166f6aeb75858dc1b2eddd57874f8
SHA1: b99cb20cc175ba699844410fe8848a2ddb710290
SHA256: 0ff144c6195170469fe4c678d394adf47a4d7b7e0c5a00d7282d284fe973bcb6
SHA512: d5c2cbdc69a9e129d458aa6bd78c225ed230f102fa26c1b490b1f216feb88199a64d3666bd2f69c58888a6d7ca04773bcaf8e5be366df18bfb52566f12297a85
SSDEEP: 12288:qbZo5lhbUW+GqckAI951TSKa9xz37WNbr4gn1N1ebk9fb/C80K1Y9N2W:f53gSPTKNp1Tx/CR9N
Malware Config
Extracted
Family: cryptbot
ewafal62.top
moruat06.top
payload_url: http://winazr08.top/download.php?file=lv.exe
Signatures

CryptBot payload (4 IoCs)
Processes (resource | yara_rule):
behavioral1/memory/2340-2-0x0000000000330000-0x00000000003D0000-memory.dmp | family_cryptbot
behavioral1/memory/2340-3-0x0000000000400000-0x00000000032A7000-memory.dmp | family_cryptbot
behavioral1/memory/2340-221-0x0000000000400000-0x00000000032A7000-memory.dmp | family_cryptbot
behavioral1/memory/2340-226-0x0000000000330000-0x00000000003D0000-memory.dmp | family_cryptbot
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 52f166f6aeb75858dc1b2eddd57874f8.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 52f166f6aeb75858dc1b2eddd57874f8.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid | process):
2340 | 52f166f6aeb75858dc1b2eddd57874f8.exe
2340 | 52f166f6aeb75858dc1b2eddd57874f8.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads