Analysis

max time kernel: 151s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-01-2024 08:33

Static task: static1
Behavioral task: behavioral1
Sample: 5c9bc69219f434c0d872aa764bd8e624.exe
Resource: win7-20231215-en
General

Target: 5c9bc69219f434c0d872aa764bd8e624.exe
Size: 603KB
MD5: 5c9bc69219f434c0d872aa764bd8e624
SHA1: 968e1fcede080b4bf082448b39064a4a25d3d15d
SHA256: 3c3ec4c1e29ddd7df20882f14db717567717772eba3c25063564c7b8a665ac06
SHA512: 0fef741a425696c58831ef07b471e581b3fc7434d0d28069d5901505fa16cd09b2ba7e1893786538a8dd9219504c7bac0a52db8607032b3166e17ac776741fe5
SSDEEP: 12288:/nZ8kWc1HDIX6EjUPS8vG2p6oTxu7hYAuczF39Pl9C52y:B8kWc5iixlJOYgR9N9
Malware Config

Extracted family: cryptbot
C2: haibam72.top, morelm07.top
payload_url: http://zelyoc10.top/download.php?file=lv.exe
Signatures

CryptBot payload (5 IoCs)
YARA rule family_cryptbot matched in these memory dumps of pid 4880 (behavioral2):
  behavioral2/memory/4880-2-0x0000000002FA0000-0x0000000003040000-memory.dmp
  behavioral2/memory/4880-3-0x0000000000400000-0x0000000002CCC000-memory.dmp
  behavioral2/memory/4880-4-0x0000000000400000-0x0000000002CCC000-memory.dmp
  behavioral2/memory/4880-210-0x0000000000400000-0x0000000002CCC000-memory.dmp
  behavioral2/memory/4880-213-0x0000000002FA0000-0x0000000003040000-memory.dmp

Reads user/profile data of web browsers (2 TTPs)
Infostealers routinely read stored browser data, which can include saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read to detect sandbox or virtual-machine environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (5c9bc69219f434c0d872aa764bd8e624.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (5c9bc69219f434c0d872aa764bd8e624.exe)

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 4880 5c9bc69219f434c0d872aa764bd8e624.exe (2 occurrences)
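The behavioural signatures above are the sandbox's verdicts; to see how they reduce to checks a detection engineer can run over endpoint telemetry, here is an added example (not part of this report and not the sandbox's own rule engine) that replays four of them against a constructed list of Sysmon-style registry and file events. The CentralProcessor key is copied from the report's IoCs and the Uninstall key is the standard location the "Checks installed software" signature refers to; the browser-profile file names and wallet directory names are assumptions, as is the event shape.

```python
import re
from collections import defaultdict

# One regex per behavioural signature. The CentralProcessor key is the one the
# report lists verbatim and the Uninstall key is the standard location the
# "Checks installed software" signature refers to. The browser profile files and
# wallet directory names are assumptions (common Chromium/Firefox profile files
# and wallet folders), not paths taken from this report.
SIGNATURES = {
    "Checks processor information in registry": re.compile(
        r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+", re.IGNORECASE),
    "Checks installed software on the system": re.compile(
        r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall",
        re.IGNORECASE),
    "Reads user/profile data of web browsers": re.compile(
        r"\\User Data\\[^\\]+\\(?:Login Data|Cookies|Web Data|History)$"
        r"|\\Profiles\\[^\\]+\\(?:logins\.json|cookies\.sqlite|key4\.db)$",
        re.IGNORECASE),
    "Accesses cryptocurrency files/wallets": re.compile(
        r"\\(?:Exodus|Electrum|Ethereum\\keystore|Bitcoin\\wallets)\\", re.IGNORECASE),
}

SAMPLE_IMAGE = "5c9bc69219f434c0d872aa764bd8e624.exe"

# Constructed events in a simplified Sysmon-like shape. The first two mirror the
# registry IoCs the report attributes to pid 4880; the rest are made up to
# exercise the other signatures, plus one benign control event from explorer.
SAMPLE_EVENTS = [
    {"pid": 4880, "image": SAMPLE_IMAGE, "op": "RegOpenKey",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"},
    {"pid": 4880, "image": SAMPLE_IMAGE, "op": "RegQueryValue",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"pid": 4880, "image": SAMPLE_IMAGE, "op": "RegOpenKey",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
    {"pid": 4880, "image": SAMPLE_IMAGE, "op": "FileRead",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4880, "image": SAMPLE_IMAGE, "op": "FileRead",
     "target": r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"pid": 1234, "image": "explorer.exe", "op": "RegOpenKey",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]


def evaluate(events):
    """Map each tripped signature to the (pid, op, target) events that tripped it."""
    hits = defaultdict(list)
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["target"]):
                hits[name].append((ev["pid"], ev["op"], ev["target"]))
    return dict(hits)


def score(events):
    """Distinct signatures tripped per pid: the rough equivalent of rolling the
    report's per-signature IoC counts up by process."""
    per_pid = defaultdict(set)
    for name, matches in evaluate(events).items():
        for pid, _, _ in matches:
            per_pid[pid].add(name)
    return {pid: len(names) for pid, names in per_pid.items()}


if __name__ == "__main__":
    for name, matches in evaluate(SAMPLE_EVENTS).items():
        print(f"{name} ({len(matches)} IoCs)")
        for pid, op, target in matches:
            print(f"  pid {pid} {op} {target}")
    print("signatures per pid:", score(SAMPLE_EVENTS))
```

Run against the constructed events, the processor-information rule fires twice for pid 4880 (key open plus value query), matching the "2 IoCs" the report shows for that signature, and the explorer.exe Run-key access trips nothing. Any single rule here is noisy on its own (installers legitimately read the Uninstall key); the per-process roll-up in score() is what separates an infostealer from a benign process.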
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 52447c9d6f7c3ca14c63872caa4ea31f
SHA1: 150f529a0e8be8bf0f9377d9a2b8ecffb8107dcc
SHA256: a5e2f91acb497a2c6e1c16e17846da89d7b918586b1551bbad8e4d78e48aafc2
SHA512: afa6f5f358fff7135ce6da8c2e7257bc80f54bf05c17a1c07c04d861b6a55235a0c7b21ff9028b4591925da7d7dc10f01a7457b9a64713d7f483cff6aea0c8b4

Filesize: 1KB
MD5: 2d344e62ab82c12846743add10ce08e0
SHA1: d21e3aa8103421b5695881bb9e2f461625d8b5fe
SHA256: ddcfd0ba71adf3f916fb116c9323fcd56cdda4824c0776bab5e64f8e8c0eecac
SHA512: 2675338fe2352da517c2fecc85dfbe71b8ca65fd8c6213f28c6eac73aa7f4a5578f68a5e0241159c2539ace4a6d8df3ce247ec570d5a0005e63574928fe6868d

Filesize: 3KB
MD5: 9f0ec6e3c35d075ded64e5dc0b3df328
SHA1: 1e2326209828a8c73416358154b05e33b79f9b3d
SHA256: 48d57fdd9708e81237b5fa7aeceff3f61e5cd862795b3926297f38524bf9e0ee
SHA512: 33f110ff82c9c90bd4d0b55a401ff1d2e12032977d289bc234c5d0fa1e704c04e206916cbfe8bc7c4a49abd3558b9576b9237e46c1089213209a1a508986cd81

Filesize: 4KB
MD5: 254e83fcf2d900b919740fff243895f4
SHA1: cbc2920ec161984dc3fd1ff222d0d9b3845825e7
SHA256: e6279d8151afd696b9fc88050b43a29c961ac6703c16bc475be8958cd54461ed
SHA512: 4d67d98035afebb0ddcc08b13ba14f5c5672d18dbe059153dd178cb07d2f4c79e65c05dd28d54fb542e5235f6085372a8670bf621bfa510f29bf3f45652f0b59

Filesize: 44KB
MD5: eb2e85cee22138119cd02e1ef5077ae9
SHA1: f2adc5af53c1325a587c9928991d0f66bff4d8ba
SHA256: e886f61b966805c419a74955c830fe316b3268f4f4a6ff7fb9c0a2847cb7671e
SHA512: 061f42a70d1be382401aa1f70474fb962c03152e641a2125f540014f76cfa076daa451251582d8a14cebe0206ac680cbfb6076ed276fdaa2f65d6e1bb672ed77

Filesize: 39KB
MD5: 9bbd26fcd00b053d822c23b036486eb9
SHA1: 3692a9bbd310a82b4e051626c1d91c494b372748
SHA256: 86e0e17d72212546b8d0b09dcbeb940fe67f68121452b0aed03c6c23d395177a
SHA512: 81d39a07e7821f6575b572b03a3d3eb37f90c7e446a615100f1b2b0dbca1993e60adc32b4bed3e62718b422a83860479c5832633e0c51672ac7a38c710a693e7

Filesize: 4KB
MD5: f9c9676c3a38fb817aa2f601db77f6aa
SHA1: 3108431d5f0ed033f90ea2a7d769352627d0136a
SHA256: f69c4ad467ca26d40cc5ed480a1537496b62584d97b25826747afea98a6ca6ac
SHA512: 471f941daf9f8bbf80a81f399ff243c033344a8655151bf4fa5942e4a2d53137ca4d69912dcfb5925877016faa873e0f53b3aba0b79c993bf021fb0ec1815113

Filesize: 7KB
MD5: 762adc72515e9a89095f6ab4965a8942
SHA1: ae1250bc5de97122e170306d9f448e4ae16c99ef
SHA256: a538ff9c6602d8fc5bc0e10c3311bdc3795345483959bd631fc1d9b4b8cd8a38
SHA512: a7d31062752d92dfaf43f7c53f8caf640fa88f576ad665b51ee9d254fb3ce51bcb251468b4c5e827a6effa88a86284b339fda4f9f6f9075bb7e935e2fe383353

Filesize: 39KB
MD5: d2e3a9495d67951fabc5304337977440
SHA1: ab46a4b33505c30a5c2f9b7a098425ee7d5855f6
SHA256: ce1ea171db7ec0862855c7ff41dd7823e2cf619dc4fafc031021cc63dd887192
SHA512: d759b0579162277d9bb48613691c87672cabe8340c0a67e13dc177f0ff4dbd43382aa3f609239a3ce8299cc0d2175abd3bc3f2f21d91ca498537b860069cf85b
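The Malware Config and Downloads sections together give the network and file indicators a responder would hunt with. As an added example (not part of this report), the following Python turns them into a small matcher: the sample's MD5/SHA1/SHA256, the nine dropped-file SHA256s, the two C2 domains and the payload URL are copied from the report; the proxy/DNS log lines are constructed, and the hostname regex and log shape are assumptions.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the report above.
SAMPLE_HASHES = {
    "5c9bc69219f434c0d872aa764bd8e624": "cryptbot sample (md5)",
    "968e1fcede080b4bf082448b39064a4a25d3d15d": "cryptbot sample (sha1)",
    "3c3ec4c1e29ddd7df20882f14db717567717772eba3c25063564c7b8a665ac06": "cryptbot sample (sha256)",
}
DROPPED_SHA256 = [
    "a5e2f91acb497a2c6e1c16e17846da89d7b918586b1551bbad8e4d78e48aafc2",
    "ddcfd0ba71adf3f916fb116c9323fcd56cdda4824c0776bab5e64f8e8c0eecac",
    "48d57fdd9708e81237b5fa7aeceff3f61e5cd862795b3926297f38524bf9e0ee",
    "e6279d8151afd696b9fc88050b43a29c961ac6703c16bc475be8958cd54461ed",
    "e886f61b966805c419a74955c830fe316b3268f4f4a6ff7fb9c0a2847cb7671e",
    "86e0e17d72212546b8d0b09dcbeb940fe67f68121452b0aed03c6c23d395177a",
    "f69c4ad467ca26d40cc5ed480a1537496b62584d97b25826747afea98a6ca6ac",
    "a538ff9c6602d8fc5bc0e10c3311bdc3795345483959bd631fc1d9b4b8cd8a38",
    "ce1ea171db7ec0862855c7ff41dd7823e2cf619dc4fafc031021cc63dd887192",
]
KNOWN_HASHES = {**SAMPLE_HASHES, **{h: "dropped file (sha256)" for h in DROPPED_SHA256}}

C2_DOMAINS = {"haibam72.top", "morelm07.top"}
PAYLOAD_URL = "http://zelyoc10.top/download.php?file=lv.exe"
# The payload host is watched alongside the C2 domains.
WATCHED_DOMAINS = C2_DOMAINS | {urlsplit(PAYLOAD_URL).hostname}


def lookup_digest(hexdigest):
    """Label for a known md5/sha1/sha256 hex digest, or None."""
    return KNOWN_HASHES.get(hexdigest.lower())


def scan_bytes(data):
    """Hash the data with each algorithm the report lists and return the first label that matches."""
    for algo in ("md5", "sha1", "sha256"):
        label = lookup_digest(hashlib.new(algo, data).hexdigest())
        if label:
            return label
    return None


def scan_file(path):
    with open(path, "rb") as f:
        return scan_bytes(f.read())


def domain_matches(host):
    """True for a watched domain or any subdomain of it. The suffix check
    requires the dot, so a look-alike such as nothaibam72.top does not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


# Assumed hostname shape: dotted labels ending in an alphabetic TLD.
HOST_RE = re.compile(r"\b([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})\b")


def scan_log(lines):
    """Return (line_no, host, kind) for every log line naming a watched domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if domain_matches(host):
                kind = "payload download" if PAYLOAD_URL in line else "c2 domain"
                hits.append((n, host.lower(), kind))
    return hits


# Constructed proxy/DNS log lines, not traffic captured from the sandbox run.
SAMPLE_LOG = [
    "2024-01-15T08:35:01Z dns 10.0.0.5 query A haibam72.top",
    "2024-01-15T08:35:02Z proxy 10.0.0.5 GET http://zelyoc10.top/download.php?file=lv.exe 200",
    "2024-01-15T08:35:03Z dns 10.0.0.5 query A cdn.morelm07.top",
    "2024-01-15T08:35:04Z dns 10.0.0.5 query A update.microsoft.com",
    "2024-01-15T08:35:05Z proxy 10.0.0.5 GET http://nothaibam72.top/ 200",
]

if __name__ == "__main__":
    for line_no, host, kind in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {host} ({kind})")
    print("sample sha256 label:", lookup_digest(
        "3c3ec4c1e29ddd7df20882f14db717567717772eba3c25063564c7b8a665ac06"))
```

Over the constructed log this flags lines 1 to 3 and ignores the look-alike on line 5. Hashes only catch byte-identical copies of this sample and its dropped files, so the domain and URL checks are the more durable part of the set; the SSDEEP value from the General section would extend the file side to near-duplicates, but needs the ssdeep library rather than hashlib.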