Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system -
submitted
13-01-2024 07:11
Static task
static1
Behavioral task
behavioral1
Sample
584d548c03e8861214a069d6da77fa95.exe
Resource
win7-20231215-en
General
-
Target
584d548c03e8861214a069d6da77fa95.exe
-
Size
669KB
-
MD5
584d548c03e8861214a069d6da77fa95
-
SHA1
660e92380a92f9fc2af5ae7d7b1a0f3c8a54b06d
-
SHA256
7d5b421a001c3fa5345f5f6603e675b5d55b145a96f7669ae983a0e81fb24d2c
-
SHA512
3a5420485a1d29caef9b1829bd27fc7de84887d78f3ad19381ce92f52569298950a1750a58784892bfecc45f47e0e4e582178b6b33e5cad5e70160e5535c5776
-
SSDEEP
12288:qkfYHf48BZPRzmH+6WbFQf6VthtNT+ajAEfLxBy09dmaW7AMlzhRTXhU:m/48BZpzmu3PNiWXbd1dMlVTU
Malware Config
Extracted
cryptbot
lysayu42.top
morbyn04.top
-
payload_url
http://damhlu05.top/download.php?file=lv.exe
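The extracted configuration gives three network indicators: the two C2 domains and the host of the payload URL. The following is an added example, not part of the report, showing how to sweep DNS and proxy logs for them; the log lines are constructed, and their formats (timestamp, source IP, query type and name; timestamp, source IP, method, URL, status) are assumptions about your own log sources. Matching covers subdomains and a trailing dot on the query name but rejects look-alike names that merely end with the indicator string.

```python
"""Sweep constructed DNS and proxy logs for the CryptBot indicators extracted above.
Added example; the indicators are from the report, the log lines are constructed."""
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Indicators as listed in the Malware Config section.
C2_DOMAINS = {"lysayu42.top", "morbyn04.top"}
PAYLOAD_URL = "http://damhlu05.top/download.php?file=lv.exe"


def indicator_hosts() -> Set[str]:
    """All hostnames worth alerting on: the C2 domains plus the payload host."""
    return C2_DOMAINS | {urlsplit(PAYLOAD_URL).hostname}


def host_matches(query: str, hosts: Set[str]) -> Optional[str]:
    """Return the indicator that `query` equals or is a subdomain of, else None.
    'notlysayu42.top' must NOT match 'lysayu42.top', hence the dot prefix check."""
    q = query.lower().rstrip(".")  # DNS logs often record the FQDN with a trailing dot
    for h in hosts:
        if q == h or q.endswith("." + h):
            return h
    return None


# Constructed sample logs (assumed formats; not taken from the report).
DNS_LOG = """\
2024-01-13T07:12:01Z 10.0.0.5 query A lysayu42.top
2024-01-13T07:12:02Z 10.0.0.5 query A www.lysayu42.top.
2024-01-13T07:12:03Z 10.0.0.5 query A example.com
2024-01-13T07:12:04Z 10.0.0.5 query A notlysayu42.top
"""
PROXY_LOG = """\
2024-01-13T07:12:05Z 10.0.0.5 GET http://damhlu05.top/download.php?file=lv.exe 200
2024-01-13T07:12:06Z 10.0.0.5 GET http://damhlu05.top/download.php?file=other.exe 200
2024-01-13T07:12:07Z 10.0.0.5 GET https://example.com/ 200
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query \S+ (?P<qname>\S+)$")
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def scan_dns(log: str) -> List[Tuple[str, str, str]]:
    """(source, queried name, matched indicator) for every DNS line that hits."""
    hits = []
    hosts = indicator_hosts()
    for line in log.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently mis-match
        ind = host_matches(m["qname"], hosts)
        if ind:
            hits.append((m["src"], m["qname"], ind))
    return hits


def scan_proxy(log: str) -> List[Tuple[str, str, str]]:
    """(source, url, kind) for requests to an indicator host; kind distinguishes
    the exact payload URL from any other request to one of the hosts."""
    hits = []
    hosts = indicator_hosts()
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        ind = host_matches(host, hosts)
        if ind:
            kind = "payload_url" if m["url"] == PAYLOAD_URL else "indicator_host"
            hits.append((m["src"], m["url"], kind))
    return hits


if __name__ == "__main__":
    for hit in scan_dns(DNS_LOG) + scan_proxy(PROXY_LOG):
        print(hit)
```

Alert on the host, not only on the exact payload URL: the second proxy line fetches a different file from the same host and is still worth a ticket. The domains come from this one sample's configuration and may be rotated by the operators, so treat the list as a starting point rather than a complete block list.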
Signatures
-
CryptBot payload 4 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4980-2-0x0000000000960000-0x0000000000A00000-memory.dmp  family_cryptbot
behavioral2/memory/4980-3-0x0000000000400000-0x000000000095E000-memory.dmp  family_cryptbot
behavioral2/memory/4980-208-0x0000000000400000-0x000000000095E000-memory.dmp  family_cryptbot
behavioral2/memory/4980-213-0x0000000000960000-0x0000000000A00000-memory.dmp  family_cryptbot
-
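The four YARA hits above are two distinct memory regions of PID 4980, each dumped twice (early and late in the run). The following is an added example, not part of the report, that parses the resource names into structured records so the result can be fed into a pipeline rather than read by eye; the assumed layout of each name is `<task>/memory/<pid>-<dump index>-<start>-<end>-memory.dmp <rule>`, which is what the four lines above follow.

```python
"""Parse the memory-dump YARA matches above into structured records and collapse
repeated hits on the same region. Added example; the match lines are copied from the report."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

MATCHES = """\
behavioral2/memory/4980-2-0x0000000000960000-0x0000000000A00000-memory.dmp family_cryptbot
behavioral2/memory/4980-3-0x0000000000400000-0x000000000095E000-memory.dmp family_cryptbot
behavioral2/memory/4980-208-0x0000000000400000-0x000000000095E000-memory.dmp family_cryptbot
behavioral2/memory/4980-213-0x0000000000960000-0x0000000000A00000-memory.dmp family_cryptbot
"""

# Assumed layout: <task>/memory/<pid>-<dump index>-<start>-<end>-memory.dmp <rule>
LINE_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


class Match(NamedTuple):
    task: str
    pid: int
    idx: int     # dump index: position of this dump in the task's sequence
    start: int   # region start address (inclusive)
    end: int     # region end address (exclusive)
    rule: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_matches(text: str) -> List[Match]:
    """One Match per non-empty line; raise on anything that does not fit the layout."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised match line: %r" % line)
        out.append(Match(m["task"], int(m["pid"]), int(m["idx"]),
                         int(m["start"], 16), int(m["end"], 16), m["rule"]))
    return out


RegionKey = Tuple[int, str, int, int]  # (pid, rule, start, end)


def summarise(matches: List[Match]) -> Dict[RegionKey, List[int]]:
    """Collapse repeated hits on the same region into one entry listing the dump indexes."""
    regions = defaultdict(list)
    for m in matches:
        regions[(m.pid, m.rule, m.start, m.end)].append(m.idx)
    return {k: sorted(v) for k, v in regions.items()}


if __name__ == "__main__":
    for (pid, rule, start, end), idxs in summarise(parse_matches(MATCHES)).items():
        print("pid %d %s 0x%X-0x%X (%d bytes) dumps %s" % (pid, rule, start, end, end - start, idxs))
```

Run against the report's lines this yields two regions: 0x400000-0x95E000 (hit in dumps 3 and 208) and 0x960000-0xA00000 (hit in dumps 2 and 213). 0x400000 is the conventional default image base of a 32-bit PE, so the first region is most likely the mapped executable itself; the second is a separate 0xA0000-byte allocation and the more interesting candidate when you want an unpacked copy to carve out.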
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
584d548c03e8861214a069d6da77fa95.exe
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  584d548c03e8861214a069d6da77fa95.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  584d548c03e8861214a069d6da77fa95.exe
-
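Two of the signatures above are registry reconnaissance: enumeration of the Uninstall key ("Checks installed software on the system") and the read of ProcessorNameString under CentralProcessor\0 ("Checks processor information in registry"). The following is an added example, not part of the report and not the sample's code, that performs the same two reads from the analyst's side so you can audit what an analysis VM exposes. The marker lists (CPU name fragments a hypervisor may substitute, DisplayNames of common analysis tools) are assumptions to extend for your environment; the live reads only work on Windows, and the evaluators are pure functions so they can be checked anywhere.

```python
"""Audit what the registry reads flagged above would reveal on an analysis VM.
Added example, not from the report. Marker lists are assumptions, not CryptBot's own."""
import sys
from typing import Dict, Iterable, List, Optional

CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"  # key the sample opened under HKLM
UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)

# Assumed markers. QEMU-style CPU model names expose the hypervisor directly;
# VMware, VirtualBox and Hyper-V typically pass the host CPU brand string through,
# so an empty hit list here does not mean the VM is undetectable by other means.
VIRTUAL_CPU_MARKERS = ("qemu", "virtual cpu", "kvm")
ANALYSIS_SOFTWARE_MARKERS = (
    "vmware tools", "virtualbox guest additions", "wireshark", "process monitor", "x64dbg",
)


def processor_name_looks_virtual(name: str) -> bool:
    """True if ProcessorNameString contains a hypervisor-style fragment."""
    n = name.lower()
    return any(marker in n for marker in VIRTUAL_CPU_MARKERS)


def suspicious_software(display_names: Iterable[str]) -> List[str]:
    """Uninstall DisplayNames that match an analysis-tool marker, deduplicated and sorted."""
    return sorted({n for n in display_names
                   if any(marker in n.lower() for marker in ANALYSIS_SOFTWARE_MARKERS)})


def read_processor_name() -> Optional[str]:
    """Read ProcessorNameString the way the sample does. None when not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CPU_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "ProcessorNameString")
        return value


def read_uninstall_display_names() -> List[str]:
    """Enumerate both Uninstall views (native and WOW6432Node) and collect DisplayName."""
    if sys.platform != "win32":
        return []
    import winreg
    names = []
    for path in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue  # view absent (e.g. WOW6432Node on 32-bit Windows)
        with root:
            i = 0
            while True:
                try:
                    sub = winreg.EnumKey(root, i)
                except OSError:
                    break  # no more subkeys
                i += 1
                try:
                    with winreg.OpenKey(root, sub) as key:
                        names.append(winreg.QueryValueEx(key, "DisplayName")[0])
                except OSError:
                    pass  # entries without DisplayName (updates, components) are common
    return names


def audit(processor_name: Optional[str], display_names: Iterable[str]) -> Dict[str, object]:
    return {
        "virtual_cpu": processor_name_looks_virtual(processor_name or ""),
        "analysis_software": suspicious_software(display_names),
    }


if __name__ == "__main__":
    print(audit(read_processor_name(), read_uninstall_display_names()))
```

Run this on the sandbox image before detonation: if it reports a virtual-looking CPU name or installed tooling, the sample's checks above will see the same, and the behavioural report may be the evasion path rather than the real payload.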
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
584d548c03e8861214a069d6da77fa95.exe
pid  process
4980  584d548c03e8861214a069d6da77fa95.exe
4980  584d548c03e8861214a069d6da77fa95.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5
fccb2da2942af98943588b2354d3f4ac
SHA1
a7160c183018a067dd6f022bf788a39dc7700628
SHA256
238656aba67dd73a43542098596858ace5a0c67ecbb73964bec30c199e41a5db
SHA512
c10cb1c46d267f6f2b6b639ea9f9ff355f28e9bf91af4a5c5d5c5bcef091359e437e1a9498ddf70c2435dc6c07cf036bedc6973bbb8ffef6b81f43dd4b53bce4
-
Filesize
7KB
MD5
60c40f0799c2a13875b34faa647f5915
SHA1
ecee815f93d14e05fc9e6002e48f0a17feab3784
SHA256
e1f39d0f6f696ffb06da2247d5619a184ecb744f9aa522c784a806a5fb9510b5
SHA512
fe9f4a5174c137405b79f8a06818f2f908b50ce2023b1cf4476009a13f8ada6b5e74c6c7bec48f8581e397cfa471669dd5aedab23a80ebe1f2bac1f40aaeab2f
-
Filesize
49KB
MD5
dbd285ec248241111875d3768d454de2
SHA1
244fcf5b71c037310346c340b36d1dcf402d5f4e
SHA256
e9e551e481c09df928379003aced0705cceed978ea34cc37c36612fbb9f1df88
SHA512
1c9a7ebb21b8359a7635d560bbda5bbbbadbe3cfd194e5a93760e3b83a0f81740f43b1f42e90e5436dc687fa7d12e7c9718a9f953a37559e96c9c74c98ba0297
-
Filesize
43KB
MD5
384c7220d43f049280f4756b58b49a9e
SHA1
a06413fcaa1cd14ef12eac24bb725b1bbbef1856
SHA256
f5a4885066411f3a5c20f62e149d728ed655dec8b58f856de950dd41616ae6da
SHA512
f65f8f6271ae54e5a363150bdfca677b0d599bc658df54f2aa90cbbee26cc2c36d2163e507735c15456299021762bc2d9e9e87d99b664f46d572e3eebafe6d6e
-
Filesize
2KB
MD5
e0e6b46040cec0b43dfa21baf8953d3e
SHA1
6ab7d260355b7863f781bcaddbbeb43fb4be9a24
SHA256
6a3eb64877d4306502b73ecd019f6ddd1ad4f20ef28e523de05bbdd5b3b4bb62
SHA512
0861891fd607f12bb97985447912cf1b051373796edbba8ee492cddc41a16cc73111836a4087bdf3a3c2d11cab246aa6a5cf20943d91f90e1160c54aa3de99c4
-
Filesize
3KB
MD5
5e634961645265f13e669f40c04e26a1
SHA1
0d65ec0024dff4f2ddfb892c1eff982c55896159
SHA256
7db38bfe90e59e8aa64b4ecd69c2bb9b4a79fe6145a4fa529565a4ea19a036bc
SHA512
880f57aed927c7603ed48820fda1007f97628463ab0ad6c0bb199fe5f3d6448aeedd1b848d80debf3da4879e3c94884e162f094f0b7879cc4b05206aceb0bb2f
-
Filesize
4KB
MD5
78c5b74438971a02ee412a41b7724e73
SHA1
50bbf91b45a7de299659c0d82854c9df1a63e2ac
SHA256
cae3b351e295bfe61bcb19f5080d11cee7183d6c82de70244e19bf4d499234ff
SHA512
097ccc2d6045488ef15eee432a2df0b7fa2a23a8a7900a39dd621e839bf3224f8558eb3c919aa3dde0037f5f65edd394c5025c0c281d558a1cff2dfbefba9451
-
Filesize
43KB
MD5
c1e29d6f44d1d95bb79f4e34d4e1d99e
SHA1
598fc106f77667950f7332d4c8adf4e2be59d985
SHA256
82f556f059af5605be764ae5a49e892c18adf8f2ca152fb70da8f35beebde1f2
SHA512
b6bce1b689bd2512a7da63dbc0de4234bb4fb5b6a9004fbf59ac69c6fee10df884f9d708a423b1bc9260561f78f8aab622c7d02b4e3159ccab14e23a02cfb691