Analysis

max time kernel: 148s
max time network: 153s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 13-01-2024 07:11

Static task: static1
Behavioral task: behavioral1
  Sample: 584d548c03e8861214a069d6da77fa95.exe
  Resource: win7-20231215-en
General

Target: 584d548c03e8861214a069d6da77fa95.exe
Size: 669KB
MD5: 584d548c03e8861214a069d6da77fa95
SHA1: 660e92380a92f9fc2af5ae7d7b1a0f3c8a54b06d
SHA256: 7d5b421a001c3fa5345f5f6603e675b5d55b145a96f7669ae983a0e81fb24d2c
SHA512: 3a5420485a1d29caef9b1829bd27fc7de84887d78f3ad19381ce92f52569298950a1750a58784892bfecc45f47e0e4e582178b6b33e5cad5e70160e5535c5776
SSDEEP: 12288:qkfYHf48BZPRzmH+6WbFQf6VthtNT+ajAEfLxBy09dmaW7AMlzhRTXhU:m/48BZpzmu3PNiWXbd1dMlVTU
Malware Config

Extracted
  Family: cryptbot
  C2: lysayu42.top, morbyn04.top
  payload_url: http://damhlu05.top/download.php?file=lv.exe
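The extracted config and the sample hashes above are the indicators a responder would sweep the estate for. The following Python is added here by the editor and is not part of the sandbox report: it folds those indicators into a small matcher and runs it over constructed DNS and proxy log lines. The log format, the 10.0.0.x source addresses and the hostnames www.example.com, api.morbyn04.top and notmorbyn04.top are assumptions for illustration; the domains, the payload URL and the hashes are the report's own. Subdomains of a C2 domain count as hits, look-alike names that merely end in the same characters do not.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators taken from the report: extracted CryptBot config and sample hashes.
C2_DOMAINS = {"lysayu42.top", "morbyn04.top"}
PAYLOAD_URL = "http://damhlu05.top/download.php?file=lv.exe"
SAMPLE_HASHES = {
    "md5": "584d548c03e8861214a069d6da77fa95",
    "sha1": "660e92380a92f9fc2af5ae7d7b1a0f3c8a54b06d",
    "sha256": "7d5b421a001c3fa5345f5f6603e675b5d55b145a96f7669ae983a0e81fb24d2c",
}


def indicator_domains():
    """All domains worth alerting on: the C2 hosts plus the payload host."""
    return C2_DOMAINS | {urlparse(PAYLOAD_URL).hostname}


def domain_matches(fqdn, indicators):
    """True if fqdn equals an indicator or is a subdomain of one.
    Case-insensitive; a trailing dot from a DNS log is tolerated.
    'notmorbyn04.top' must NOT match 'morbyn04.top', hence the '.' prefix."""
    name = fqdn.lower().rstrip(".")
    return any(name == ind or name.endswith("." + ind) for ind in indicators)


# Constructed log lines (assumption, not from the report): "<ts> dns|proxy <src> <target>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>dns|proxy) (?P<src>\S+) (?P<target>\S+)$")

SAMPLE_LOGS = """\
2024-01-13T07:12:01Z dns 10.0.0.15 www.example.com
2024-01-13T07:12:03Z dns 10.0.0.15 lysayu42.top
2024-01-13T07:12:04Z proxy 10.0.0.15 http://damhlu05.top/download.php?file=lv.exe
2024-01-13T07:12:05Z dns 10.0.0.22 api.morbyn04.top.
2024-01-13T07:12:06Z dns 10.0.0.22 notmorbyn04.top
"""


def scan_logs(text):
    """Return (timestamp, source, matched host) for every line that touches a C2 or payload domain."""
    inds = indicator_domains()
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole sweep
        target = m["target"]
        if m["kind"] == "proxy":
            target = urlparse(target).hostname or ""
        if domain_matches(target, inds):
            hits.append((m["ts"], m["src"], target.lower().rstrip(".")))
    return hits


def file_matches(data):
    """Hash the bytes with every algorithm the report lists; return the names that match the sample."""
    return sorted(
        name for name, expected in SAMPLE_HASHES.items()
        if hashlib.new(name, data).hexdigest() == expected.lower()
    )


if __name__ == "__main__":
    for ts, src, host in scan_logs(SAMPLE_LOGS):
        print(f"{ts} {src} -> {host}")
    print("sample hash match:", file_matches(b"not the sample"))
```

Hash matching is exact-match only by design: a repacked CryptBot build will not share these digests, so the domain sweep is the part that survives a rebuild, and the SSDEEP value in the report is the right handle for near-duplicate comparison.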
Signatures

CryptBot payload (4 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1748-2-0x00000000002A0000-0x0000000000340000-memory.dmp     family_cryptbot
  behavioral1/memory/1748-3-0x0000000000400000-0x000000000095E000-memory.dmp     family_cryptbot
  behavioral1/memory/1748-222-0x0000000000400000-0x000000000095E000-memory.dmp   family_cryptbot
  behavioral1/memory/1748-226-0x00000000002A0000-0x0000000000340000-memory.dmp   family_cryptbot
Reads user/profile data of web browsers (2 TTPs)
Infostealers target stored browser data, which can include saved credentials, cookies and autofill data.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description         ioc                                                                                    process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       584d548c03e8861214a069d6da77fa95.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   584d548c03e8861214a069d6da77fa95.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid    process
  1748   584d548c03e8861214a069d6da77fa95.exe
  1748   584d548c03e8861214a069d6da77fa95.exe
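The two registry signatures above (CentralProcessor reads and Uninstall key lookups) are each weak on their own, since plenty of legitimate software reads ProcessorNameString; what makes this sample stand out is that one process hits several discovery categories. The following Python is an editor's example, not anything the sandbox ships: it classifies registry access events given in the report's description/ioc/process shape and only flags a process once it crosses a category threshold. The events are constructed for illustration: the two CentralProcessor lines reproduce the report's IoCs, the Uninstall line follows the "Checks installed software" signature text (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall is the standard key), and the taskmgr.exe and explorer.exe lines are invented benign noise. The ATT&CK IDs (T1082, T1518) are the editor's mapping; the report itself only gives TTP counts.

```python
import re
from collections import defaultdict

# Registry paths the report's signatures key on. Technique IDs are the editor's
# mapping (assumption; the report only gives TTP counts):
# T1082 System Information Discovery, T1518 Software Discovery.
RULES = [
    ("cpu_info_query",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+(\\|$)", re.I),
     "T1082"),
    ("installed_software",
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I),
     "T1518"),
]

# Constructed events (assumption) in the report's "description | ioc | process" shape.
# The two CentralProcessor lines copy the report's IoCs; the Uninstall line follows the
# "Checks installed software" signature; taskmgr.exe and explorer.exe are benign noise.
EVENTS = r"""
Key opened|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0|584d548c03e8861214a069d6da77fa95.exe
Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString|584d548c03e8861214a069d6da77fa95.exe
Key opened|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall|584d548c03e8861214a069d6da77fa95.exe
Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString|taskmgr.exe
Key opened|\REGISTRY\USER\S-1-5-21-1\Software\Classes|explorer.exe
"""


def parse_events(text):
    """Split 'description|ioc|process' lines into dicts; blank or malformed lines are dropped."""
    out = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 3:
            continue
        out.append({"description": parts[0], "ioc": parts[1], "process": parts[2]})
    return out


def classify(event):
    """Return (rule name, technique id) for the first rule the registry path matches, else None."""
    for name, pattern, technique in RULES:
        if pattern.search(event["ioc"]):
            return (name, technique)
    return None


def discovery_profile(events):
    """Per process, the set of discovery rule names it triggered."""
    profile = defaultdict(set)
    for ev in events:
        hit = classify(ev)
        if hit:
            profile[ev["process"]].add(hit[0])
    return dict(profile)


def suspicious_processes(events, min_categories=2):
    """Processes that hit at least min_categories distinct discovery rules.
    A lone ProcessorNameString read is routine for legitimate software, so a single
    category is kept as context in the profile but not reported here."""
    return sorted(p for p, cats in discovery_profile(events).items()
                  if len(cats) >= min_categories)


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    for proc, cats in discovery_profile(evs).items():
        print(f"{proc}: {sorted(cats)}")
    print("flagged:", suspicious_processes(evs))
```

The threshold is the point of the example: per-event registry alerts on CentralProcessor reads drown an analyst in noise, while a per-process tally over a short window reproduces the report's verdict (CPU check plus software enumeration from the same image) without firing on taskmgr.exe.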
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 38KB
MD5: 399b83e1b95f20700af58539bfa48cc2
SHA1: ab95366195d379b266e0db30c3c3b5e4070a240d
SHA256: 7719b30d56b9e2543eaa0a302fceb3d8f31d019842782806fea12e5424514248
SHA512: 9057c99692ad2b77cf9b2c3e5add322f90876b157743d7ab8361473c5658fcb009d2c0269471a4170991ebf438a07da74e1ff4be7c83f1aac7f6086e97b24b3d

Filesize: 1KB
MD5: 713ad559c19169d10c176595889536d0
SHA1: 446c87a82dbbabc8b1394da25c50b2c5d0b9fbfd
SHA256: 42a4879c7f2cdb3732b507abbe3eb5e65ee708949fe1a4aea2878c2a2352d862
SHA512: d3224924292105840cb9cee16f915dda8dd449f3fbb4639f41ba02110275a82194fd40b7b3a0736129f59fd3266a21fa77d81795a68cdd9b5455918c8f3cf463

Filesize: 3KB
MD5: 1303806217808a8404731ec64f65f4f1
SHA1: 51eb690b35e70e9d2b8d66d2c128ab659ebf7074
SHA256: 3e76fe2ee51deb59ae9c66bdf0ad06dfb9837994f4633173556f2430b18a618e
SHA512: 1f38cc34128707a0ab7afcc4527a1107c26924eb1a201eccbc796f50dec70c8bdeba0e42bd7456a5735ea0b91a5d077155d9847fee46e85a40456968d2f3b0cd

Filesize: 3KB
MD5: 0289dae89f725d34104a40f7eed7fea2
SHA1: d0a995f64b1e57b9a1e4f43855d885a0bbde705d
SHA256: d8c66de4eec2faa6d9bd4ffb6ccea3d28c0e04861a1dbbe07ff3b33422618289
SHA512: 56a1826e411d20ed319c29aba48d4c31073fca44ea6827922c34ae3efa527cbae716b495e69ecc722fc858d029fb6ebe45b40d81e4c8b0f75a46c09bffbc8378

Filesize: 4KB
MD5: d4ba44cc5078f46a44bbd4f3d4f19f24
SHA1: a92666d333d27114b817aeb946455429600e2d0b
SHA256: dff3b2ccc43dcc5014b836e6a616a44f33505427559f19ee100c13cfc4a0c0e4
SHA512: cb345ff00b7e96948e44afb6522e52dbfe05daffc06b3f5ecac3149aa2365c63a985e61ae8e1f205bc2a36ff0d45749c4246b10753e3a7fedf51c3d978ff590c

Filesize: 45KB
MD5: dfb0a084c190d08d28eb84b5e458d855
SHA1: 7809b4da9238e8ddf20ffa4286085a657eda0d7a
SHA256: 7afad31a24d1fd0a90a27802dfa3c67028c4174a0045f01d9ac6d03cdddfc2fa
SHA512: 3af0e4caeaa3a2c994496bb3f1a9aff6210dfe04cbfd6a10e69e1729b40627ef41e1af2439e40f046a6ca7a8b5268369339c58e555761e8d6f7580f9c5925abb

Filesize: 1KB
MD5: 46126c6504cfd2e40b1ab318d28b2a65
SHA1: 4d906329e92396a098aa4110802628c7aa6fb26a
SHA256: e0ec90568eddb9b8a28ee668de9221dbe46b1bd803aed5505cfd1401bb521397
SHA512: 2f515ba274db3d200f7e1816fbdeca33570a4985eb20d6429f4857d89bd0490df33768e101ec1096c4e578197c1edbb28881283090ab86a87dab78b9578994f4

Filesize: 2KB
MD5: 9ab78f6a4c80b9573d9a87a633248d5e
SHA1: affc3511b9c2939b6b84bbf4e815594cb0a24993
SHA256: 7bb4cd41dd4e22aaa0fbb0cebbb06ffc6de36381c4c6b50a9eef2e9e243f6ed2
SHA512: ca21ada4f93b81a9f7e7bb64aeb215070cbc7c7e729b21237cc09b8068e502b67683f7157b8a5033fd667b655421327bfe05978e6f689238f70e4bb1e1e71687

Filesize: 3KB
MD5: cc520ced9b8dce4843ef29c945c5f815
SHA1: e7c722ffa8b51df2ad552027f29e267a23c043dd
SHA256: bf9aa171631d6bdbbc9ff6380a2f7add63472a6293732d673b1cdcc8ba8025aa
SHA512: 5db7d1d9bc230727d487606a3140d9e9b83ec194543e5949e90f0f355f3cebb20ee8bee1f3724ebfe62f37633c6dce4a2924eca6dc171b26cc583fa4e6872943

Filesize: 3KB
MD5: 1fbc3db49727cfd267b2839f8da55d70
SHA1: 5a3be04aee98df4a2cbd6a2425001a4b2d5f7ee7
SHA256: ae0b6d65854f850bc484d16ef503a3aff0d680131b139aa55f84fe5e9a922435
SHA512: 7be09f298ec4e5c675ea6cc3ab82cbb6e2130b8a6298931c4d15cf17fb551ef106396c4a70242ae597385e75304a29fc04e8427532c799b3334df111a990ee44

Filesize: 4KB
MD5: c54405ec2c14058166821f39013272fd
SHA1: 17c6e1a48bbd4be8edd2fa4b7bca203949e31cbd
SHA256: 6457af26f6b122d77c36d7c5e4ce997c8a657618fef4c672f7e90bb073b9a842
SHA512: 131e9d6e8be7777247727aa779f8d6f5cdf5e13d9eb018fe961196458a8227daf44ddc468084a93b0d706106f5e862129f7f7743be5e6fe516acf23c457ece7f