Analysis

  • max time kernel
    161s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-01-2024 07:45

General

  • Target: 52f166f6aeb75858dc1b2eddd57874f8.exe
  • Size: 690KB
  • MD5: 52f166f6aeb75858dc1b2eddd57874f8
  • SHA1: b99cb20cc175ba699844410fe8848a2ddb710290
  • SHA256: 0ff144c6195170469fe4c678d394adf47a4d7b7e0c5a00d7282d284fe973bcb6
  • SHA512: d5c2cbdc69a9e129d458aa6bd78c225ed230f102fa26c1b490b1f216feb88199a64d3666bd2f69c58888a6d7ca04773bcaf8e5be366df18bfb52566f12297a85
  • SSDEEP: 12288:qbZo5lhbUW+GqckAI951TSKa9xz37WNbr4gn1N1ebk9fb/C80K1Y9N2W:f53gSPTKNp1Tx/CR9N

Malware Config

Extracted

  • Family: cryptbot
  • C2: ewafal62.top, moruat06.top
  • Attributes
    • payload_url: http://winazr08.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

  • CryptBot payload 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe
    "C:\Users\Admin\AppData\Local\Temp\52f166f6aeb75858dc1b2eddd57874f8.exe"
    PID:3824
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\mnVCBVW\_Files\_Information.txt
    Filesize: 7KB
    MD5: 6f5066083684ae09ed8db02cf7303906
    SHA1: d4853a082f239f6c2099ee4cba51666e5c74a898
    SHA256: 1537d254f8064fe7051fcfcbe35e5a5bd0ba232e3c676086a00f05fe6e9b7790
    SHA512: 7b58c9964271b5182cff4866b084fd56f769d11ed0e84f0bc80105ecfd289af0b768e640d5781dc7a897d4d0f0ce7acda646cde5dd36f0151eb74001fe6f126b

  • C:\Users\Admin\AppData\Local\Temp\mnVCBVW\_Files\_Screen_Desktop.jpeg
    Filesize: 48KB
    MD5: eb923b820a5fcf021db1d857c8b96784
    SHA1: a8704d76bd1aeb092577f47aa622e4bd288a3f2f
    SHA256: 1d8a27de2c8c5e34d6ae17212afd3da645cb438e36e683504beb8e78f054d6c3
    SHA512: 96c696f8f5df62fabaf08229520926da2c44e79d6df6ea091ee4141518f4da92941e5c404680495ed4ddcac61f9bc5c0fc175f8a1162f57eef65b216edc87da5

  • C:\Users\Admin\AppData\Local\Temp\mnVCBVW\files_\system_info.txt
    Filesize: 2KB
    MD5: b202719503daf28ff99e70baafcfcee6
    SHA1: f4b65807f7d4c00c560069319fd2ee5dd133ddf4
    SHA256: 1bedb3673840d5316facfea17865f70bd08dc829db8451c82548a1d44dace2b3
    SHA512: 6b2bc6ac861ca380de9195111b2a10f1d12b499b288a054428ba673d2e89ce1bb83a9180d42d253276dbab018e694dab8da1d0d28e7d95cb0135132354a0885c

  • C:\Users\Admin\AppData\Local\Temp\mnVCBVW\files_\system_info.txt
    Filesize: 4KB
    MD5: fd8ffb56387de25a1c2879a396bf62da
    SHA1: e4d3459f1a6bdd89b048bc2f3af7f1a519a63060
    SHA256: 2aea2c3c71346860c2be8015e5027bc600ba0c470e1369a36a39652dc3c1d28e
    SHA512: c6d20421a1aca71ee4ee05af040974f2029b3d46627e05c268ceb3b56eaa627490b3c26e59024f04f118b97e7ea330e5495ee8064c1675d269ce766a39e1b746

  • C:\Users\Admin\AppData\Local\Temp\mnVCBVW\j7MwrfAK.zip
    Filesize: 42KB
    MD5: 6505510f7de7419da1b7b4a6c344e043
    SHA1: fdd32e8741c83d762d2326193baf0f7911871d60
    SHA256: 5b4e73d71d71f75fc3f3bd788ce6a3bb32f7f84f815ba4801619886fb4912ee2
    SHA512: adb9fcea979928b8c9be94bcea12a04290af4d09bc86a2729d997ad442a43d7a0edcc4830b21a404608a7c7c7066e0b7c9a4f0530f264806993185836c9bad98

  • C:\Users\Admin\AppData\Local\Temp\mnVCBVW\yng6hIwnqYL.zip
    Filesize: 42KB
    MD5: 1463620ede77b2a36200f7ba280e1985
    SHA1: e04a52b31c898e8ab24d0e4ecbd0a7d97d4e7795
    SHA256: 1e2860333b9da744ce6fb869e8dcbaa43bd15b906c33ad4d95f0d314772df562
    SHA512: 0ba2b2ec93edc12bbba7ab9a44f945ab9b9521b90c2b060960dcdd11e5bd4ed1d865e8b255863e7744d74cf2fb8cae88f782137fcdb10510c19ed62e9ae4a83c

  • memory/3824-1-0x0000000003620000-0x0000000003720000-memory.dmp
    Filesize: 1024KB

  • memory/3824-2-0x0000000003570000-0x0000000003610000-memory.dmp
    Filesize: 640KB

  • memory/3824-3-0x0000000000400000-0x00000000032A7000-memory.dmp
    Filesize: 46.7MB

  • memory/3824-207-0x0000000000400000-0x00000000032A7000-memory.dmp
    Filesize: 46.7MB

  • memory/3824-212-0x0000000003620000-0x0000000003720000-memory.dmp
    Filesize: 1024KB

  • memory/3824-213-0x0000000003570000-0x0000000003610000-memory.dmp
    Filesize: 640KB