Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    15-01-2024 08:33

General

  • Target

    5c9bc69219f434c0d872aa764bd8e624.exe

  • Size

    603KB

  • MD5

    5c9bc69219f434c0d872aa764bd8e624

  • SHA1

    968e1fcede080b4bf082448b39064a4a25d3d15d

  • SHA256

    3c3ec4c1e29ddd7df20882f14db717567717772eba3c25063564c7b8a665ac06

  • SHA512

    0fef741a425696c58831ef07b471e581b3fc7434d0d28069d5901505fa16cd09b2ba7e1893786538a8dd9219504c7bac0a52db8607032b3166e17ac776741fe5

  • SSDEEP

    12288:/nZ8kWc1HDIX6EjUPS8vG2p6oTxu7hYAuczF39Pl9C52y:B8kWc5iixlJOYgR9N9

Malware Config

Extracted

Family

cryptbot

C2

haibam72.top

morelm07.top

Attributes
  • payload_url

    http://zelyoc10.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

  • CryptBot payload 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c9bc69219f434c0d872aa764bd8e624.exe
    "C:\Users\Admin\AppData\Local\Temp\5c9bc69219f434c0d872aa764bd8e624.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    PID:2104

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\_Files\_Files\UpdateCopy.txt

    Filesize

    292KB

    MD5

    7c2b617e705f14ad444585696fe3fbab

    SHA1

    c5702b1e257585226b65095e1d352bade5629ef5

    SHA256

    c2523558b9fe8c09972788aafab015a5614f69a2a80710157b2e33c197669162

    SHA512

    67809dfc884484dc041d2383640ebc58a69cddc8eaecbfc528cf54edfa91c0211f893d5f800b213c289c61bfff26d1ae6d26bdc9ab821f0d7940e21d464edc50

  • C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\_Files\_Information.txt

    Filesize

    3KB

    MD5

    84bb0a5f0c9cd45955d8f95fbf4e7e99

    SHA1

    e9a022f5dc2b88e6d7713e3a9a1641295b3f08d3

    SHA256

    2c7c5d2181f1ce1c99532011c642706d28c02255eeb5b6fb1d01bbc968b26c39

    SHA512

    4519dec3b9620a7a9e5782f70cea2fac256fb0016ab86e30dc19015b7250885429d1495307abf0e657d2cf8eabc402f263fb93bbbe1f2062a6b84151e9e7931b

  • C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\_Files\_Information.txt

    Filesize

    3KB

    MD5

    3ce2942f879b66cb8a4cb2473afc6763

    SHA1

    987370691a651865d9a705e13775d0d63cd38570

    SHA256

    17bdc3bf1b959f628cf5a44e2f824fd92c1bd8bab6c6cf460744e4fcb8c6b602

    SHA512

    7df630321d24c2aa0ba5f279755c1ce5b52e15d39904d6b938a0e37d5063ceff7b033951036d2aa35301b3d9428a35a086da25cebcefbb9b9b7f12eb6a7416f5

  • C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\_Files\_Information.txt

    Filesize

    3KB

    MD5

    5401f72895a42a7ccda317ba0b0aaf79

    SHA1

    9c45b233173cd6702b1abf20c4ca506008acf451

    SHA256

    3f1d81236eb77459707e71aa82d256040a722936e416c103babe0fcb02746c04

    SHA512

    0d67eb8e73e334abac76004161f4dc2fe2f90d8b4a41ca40acd8c5e43808dece5cfc1485853df557effdcac305e7a09ea3e40e843077da554daa56b2e29b8831

  • C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\_Files\_Information.txt

    Filesize

    4KB

    MD5

    ee6d411f20fa72c5d27edf5c33550d3f

    SHA1

    f96f2e692a94e97895a0f4d84de736e75f3403ef

    SHA256

    e1977c61bb5a5d1982803d6258fdb115e35c4ced5b15c91839e61e39eca6ec3e

    SHA512

    1e04de302ccb617ea5319ac637528cc78e899175aef7caf52bec86ca99d398d8436d0c2670da5457d839fde83aaa7b97f9ae99993ad4d7f3e1303e72a6d00555

  • C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\_Files\_Screen_Desktop.jpeg

    Filesize

    48KB

    MD5

    099e0f0ce405f4323036dfd2afb76ac1

    SHA1

    fa64ee4bb5d231d064127f59d7946f9579a671d7

    SHA256

    2c74dabe81de7139815a7d78eec42384279631718feec4861ca786f869639896

    SHA512

    04cf76f95d7caba517da2d6f13ca9a18507b2f3903d36724897237ff8747688af5fa7dead7ddb3deb54f02d06de42aa46efe7c2ced6d9a340046116d93da56c9

  • C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\files_\system_info.txt

    Filesize

    1KB

    MD5

    29c9d2cc2de503ae43676c1a70080fef

    SHA1

    58303196ada85c32c2b95bb421d06876a45a5a7f

    SHA256

    c930058a391653560df41784c197b5a979ad40f4c37a827bd1171db73af32664

    SHA512

    62b1396c35d7671695de480a850b12846c8827fa052bc7c0a32032845c777a0068727fd29bd4364adb2e83627f124f0967ba69bbefa2b473d9bcc05672b7d981

  • C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\files_\system_info.txt

    Filesize

    3KB

    MD5

    341e7d5b30a94a72b24e4afa42039bb6

    SHA1

    bef814fd75c3d536867fb6182cce98400010934d

    SHA256

    9815fa88aa56382b016d13b94d02f533a443a90f488d610df29dc36bbff9e322

    SHA512

    6c540e149297042780240cfd24f34cd2ee9923a78ac5cf093a38ff3f27c8ca20cdc91c307432923fe2b67235bae67a744a5bbaca809bee200872464976438fb9

  • C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\files_\system_info.txt

    Filesize

    3KB

    MD5

    c990a69e8e467484db767394e61788a4

    SHA1

    1e35e2cbbd85a1f173506fe4b20fa9cd1e05cc77

    SHA256

    61389420ac93a8277cfc15867078c8d01b89386a82c4934b3f4dd8c65baa91e2

    SHA512

    7b6f80866785b68a62e052559bb6b3424331c1d2a479f46db1443643a864ed3f93e05bedb0b8c9a581f9cfbe019be03cea62f22bee57f0110060530a0a0413e4

  • C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\files_\system_info.txt

    Filesize

    4KB

    MD5

    231c7f2ac14f16102a1e9d23b14d3ef5

    SHA1

    89c357e4d53a3d3826b134091e2c79ad682e1306

    SHA256

    375ef6c2cb5b45a9a252951a3bea5fc2aa3685221b48bd17ef9d77020e242e49

    SHA512

    d7e9a51e876a845eee72623c629f2a118504657487b34e7eb40b89c63321fb866692afc1081830c7d974a2286a33b3e973941477a87d41e6d1e85f7cc48ac9cd

  • C:\Users\Admin\AppData\Local\Temp\JwK5fQJ\yFe43cQTLk1r.zip

    Filesize

    333KB

    MD5

    2914580d240be6cc7774d023802b3a6c

    SHA1

    795f5b99e29464d7dc909d4b661bd06b3d5c1c5f

    SHA256

    5a5cb40f3f2a1172b485b12ad18ae92c75bd7c2f484ae564c7cbad0e589251e7

    SHA512

    2a7599bdd0215983fa97b6276ca1e35d08cabd8e5bae11152bba871b1d7ce4b7997f99590824e8309f6e7d19d95f4be14f24bd2f5650f0b8622d54d554f29f88

  • memory/2104-4-0x0000000002E70000-0x0000000002E71000-memory.dmp

    Filesize

    4KB

  • memory/2104-3-0x0000000000400000-0x0000000002CCC000-memory.dmp

    Filesize

    40.8MB

  • memory/2104-1-0x0000000003130000-0x0000000003230000-memory.dmp

    Filesize

    1024KB

  • memory/2104-2-0x0000000000220000-0x00000000002C0000-memory.dmp

    Filesize

    640KB

  • memory/2104-226-0x0000000000400000-0x0000000002CCC000-memory.dmp

    Filesize

    40.8MB

  • memory/2104-228-0x0000000003130000-0x0000000003230000-memory.dmp

    Filesize

    1024KB

  • memory/2104-232-0x0000000002E70000-0x0000000002E71000-memory.dmp

    Filesize

    4KB