Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-01-2024 06:50

General

  • Target

    55c61c75644d75f6db561a8fb294876b.exe

  • Size

    630KB

  • MD5

    55c61c75644d75f6db561a8fb294876b

  • SHA1

    26c72345b1d08ca1f2078f071674dfd01610e313

  • SHA256

    0274cb61fea6621c4d2d7eced3bfc1fbf14d890024cc19a9e1c694693547a06b

  • SHA512

    8d52eea1b91249299e7e0abb754e4e2c26e1cdde755602926b24515d32c2d759b82a63a4dc42da209355b498de4232137d1e024a2706ce596d82f89a074eec8f

  • SSDEEP

    12288:VCGapkxc+9mXC7/KXw2cmLRs7ILVkwSxtafqaE:P4icGmu/KXjcmzLVkwaafq

Malware Config

Extracted

  • Family

    cryptbot

  • C2

    ewakyc72.top
    moraiw07.top

  • Attributes
    • payload_url

      http://winfyn10.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ stealer, widely distributed bundled with other software.

  • CryptBot payload (4 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of FindShellTrayWindow (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\55c61c75644d75f6db561a8fb294876b.exe
    "C:\Users\Admin\AppData\Local\Temp\55c61c75644d75f6db561a8fb294876b.exe"
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    PID:2172

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Fwzfnsjv\_Files\_Files\StepApprove.txt

    Filesize

    179KB

    MD5

    c7c7d627bda13c1cd83f876442900fb8

    SHA1

    a0e7b8e5e6d0f6b9ef28fbae93179838e809a533

    SHA256

    c70489337264a2710d895e1b563a79af711c9d5ce09e55451c2bc39b4dfb2662

    SHA512

    66013861b7ef28468225bc6da4c9ce4e044b53a6534d015431bcd195b491b9894e44cf4e44eed8cc57d8be07d145a8fc065d0f8c3270f9cf0e80a7bd8d8fd876

  • C:\Users\Admin\AppData\Local\Temp\Fwzfnsjv\_Files\_Information.txt

    Filesize

    1KB

    MD5

    8009fb1c12d7be5101187a026c123c80

    SHA1

    484452d70b1ac092b13f5fc56cec6168b76a898a

    SHA256

    c8709e0a7a8fbfbcf952db73ab3260244719c699261bbc0f8d865e11f384ebd6

    SHA512

    f5a8e8375333e2d3412a0023f8019a87bc598a3ba8a181dfae65fc74efd8d3a4e7dbaaa876accf25cb535837ac59974df460eacccf01bdd396f7a70b8556e4c8

  • C:\Users\Admin\AppData\Local\Temp\Fwzfnsjv\_Files\_Screen_Desktop.jpeg

    Filesize

    42KB

    MD5

    2ab6551c2924f90d251fd0976d959dd2

    SHA1

    ddfdb2402da8f4b41da3b5c38dc0d0680bda1b17

    SHA256

    f652109d32ba927c78832c594943fd997b7111538c3ec8ad29da0ef115e8c164

    SHA512

    a16052d199bc4e10dabdd0915da47ebcf2fbf014112cad40870382afe8e2195ea29010369e5b6986ea5d3150f15556d65bb7dd669960f381a21a75c8cec16c4c

  • C:\Users\Admin\AppData\Local\Temp\Fwzfnsjv\files_\system_info.txt

    Filesize

    1KB

    MD5

    e026ae81076f3cab22ec10f53346918a

    SHA1

    e89106a1913121b6b70d3f2fdc84688be525fcb7

    SHA256

    049c3fe73e47a9810a7f766efd092315692204cae20856a2fa7c9875033692e5

    SHA512

    bf440b4ef61931c1fe6eea2de611854bee8cb942244c261225444070b9d5188caf19e2257e66887d444964b14116043fab14d3e83ed9d64933db0b6b491af4c7

  • C:\Users\Admin\AppData\Local\Temp\Fwzfnsjv\files_\system_info.txt

    Filesize

    3KB

    MD5

    8b1dab7720f9c58cbfa9a690846fa9f0

    SHA1

    e70f71bb0d0c1cbb29a1b2eee25c586501fc7e6f

    SHA256

    1c312cfb347613f28020378db906d388d74778ede9410e73d46db9f2ce386de7

    SHA512

    4b35d3dfd1a1b2a38363b6ebfa2c6b03586246183da5b727d4299f7078ea4931320de09556ade442b0a4ee78656e737cafb1bc9e3d583fb3c70364834471adba

  • C:\Users\Admin\AppData\Local\Temp\Fwzfnsjv\files_\system_info.txt

    Filesize

    3KB

    MD5

    f264453f660908e809bc38be7eec1796

    SHA1

    46c6e3b2fc6bc48da5421ecba4aa048575d975f3

    SHA256

    7da216e6c0dc70db01e11f2191e57a5dc97848d5c593b1e88a28616f067f55b0

    SHA512

    ab8e512bf518b7cda530ffa880b4bd3064078a6d31a21bd1c82024f12a56e4151bf3da7fb8254b877745f8b44c9213cb5a9edd66375746eef9fe07afb5a9a0c5

  • C:\Users\Admin\AppData\Local\Temp\Fwzfnsjv\files_\system_info.txt

    Filesize

    4KB

    MD5

    4fb6d0b9edb3ed6274c1eafeb8cbadba

    SHA1

    0ccc5cf628b2b07fa0b50ee7aab539316514fda0

    SHA256

    4729417be94eb783f952a9fa37394ccfdd14dc88dacbfb0127984dbd902015be

    SHA512

    a0cc3ab0e4779a000e7a0747c2f745aae744cfcd50b35d914955ca8849b54181a512375e7fba5f49269c3fc39433265d5671d6f13a79315c898a57ca76e46bdf

  • memory/2172-4-0x0000000002E40000-0x0000000002E41000-memory.dmp

    Filesize

    4KB

  • memory/2172-3-0x0000000000400000-0x000000000146F000-memory.dmp

    Filesize

    16.4MB

  • memory/2172-1-0x0000000001610000-0x0000000001710000-memory.dmp

    Filesize

    1024KB

  • memory/2172-2-0x0000000000220000-0x00000000002C0000-memory.dmp

    Filesize

    640KB

  • memory/2172-226-0x0000000000400000-0x000000000146F000-memory.dmp

    Filesize

    16.4MB

  • memory/2172-231-0x0000000000220000-0x00000000002C0000-memory.dmp

    Filesize

    640KB

  • memory/2172-230-0x0000000001610000-0x0000000001710000-memory.dmp

    Filesize

    1024KB

  • memory/2172-233-0x0000000002E40000-0x0000000002E41000-memory.dmp

    Filesize

    4KB