Analysis

  • max time kernel
    90s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-01-2024 05:18

General

  • Target
    5f0f316459cf8e92f8705124acdbe3e4.exe
  • Size
    746KB
  • MD5
    5f0f316459cf8e92f8705124acdbe3e4
  • SHA1
    dd8ec58e0fb787491eae153bd02d3be825fa8f3a
  • SHA256
    b118e2deb33dc46a4ae01ba586feafcae96251267ab36dee8aa7f282b7263d13
  • SHA512
    5af5e66c8de74c941337d44315beb9ded9bf9ada0b8348820c87516ef5eb507ab44586afc7401d72e61b829d1bc2e87034cfe82eaf4353a3772653c4677854c4
  • SSDEEP
    12288:7n5IQdj9J0t1CIQklyPGt0dPf2OgiCjwnRl/1T7xu8+3oIa1oDVLBTv5NKrk52mB:7Nut1CIHlgGOgwnTu3zRtTX2kLB

Malware Config

Extracted

  • Family
    cryptbot
  • C2
    ewapyc22.top
    morzup02.top
  • Attributes
    • payload_url
      http://winqoz02.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

  • CryptBot payload (4 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software installed on the system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoC)
  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandbox environments.

  • Delays execution with timeout.exe (1 IoC)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe
    "C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe"
    1⤵
    • Checks computer location settings
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:5068
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3912
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3648
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1692
      2⤵
      • Program crash
      PID:4608
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5068 -ip 5068
    1⤵
    PID:1380

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce\ONYZDR~1.ZIP
    • Filesize
      40KB
    • MD5
      44b29d82f82d206b92a69cb82a6ecc82
    • SHA1
      b622313d8e10cdf13f245f21ffaa577a93da96d1
    • SHA256
      b69794bba950de4eedc85b787a926f35b8e4ad6df8243770338fbde842354719
    • SHA512
      5427b50d296792da742fb780071e40b153f4137b15c4ca91625b29496d54d4553108d0536f0c64abd2499a9b1b9840f83841bedfa32198fb31e63e23abf75a72
  • C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce\UAOAUF~1.ZIP
    • Filesize
      40KB
    • MD5
      eb204acc7fbf2ec31c263aa4d6acd2ef
    • SHA1
      ce52d8dafc36eb917658fffbeb459d6861710c09
    • SHA256
      9cd9acde6e06d4154cc00b8c7bf7267e017076cd80999a26ba43a5c8de310beb
    • SHA512
      0d5313a703c92927d58e0c1bf6633ed5c096d308e4f827e98586453f8f00b5d6c5f07415814b50fdb481a49883e6bcf53bef81a2f9e72a7211aa65586ed31a08
  • C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce\_Files\_INFOR~1.TXT
    • Filesize
      7KB
    • MD5
      c6fa787d86601841dfa1012a1ec7c718
    • SHA1
      70414a3111600331561e2fc303e9d936d1dd3af9
    • SHA256
      3ad13b8a5941836424b743301f3e0cf8816afc4c3ed00f8b7966662bef13994a
    • SHA512
      f76965205d602a155db9fbb79b7359979fdf8877a9dae5b37bac88c5ab61841620cdab5ddc2ec2e40d531ce8b78ff30eb3312182dddf3749f84fa2f36e248b41
  • C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce\_Files\_Information.txt
    • Filesize
      1KB
    • MD5
      09394f9d432614df15b58ce4ba7eec28
    • SHA1
      e90576538716df6012a39daf39b28268a7920ad7
    • SHA256
      cfd9949b1e1319fd82ad88460db04a8bc62225f09c3b5f6275b9ed59febed7ca
    • SHA512
      555316e5180be9ba7dfdf02d61b123669e23c3cfc10d27959d14f2e7584ce58ca1a843e3622d689161a403fe47bfb10661363f0351a17f2d8226af1f3ceb14f6
  • C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce\_Files\_Information.txt
    • Filesize
      4KB
    • MD5
      22ff6f120ddbc44c8e486c3366951643
    • SHA1
      e8d738addf97eeb043af559a0a03bffd5492b06c
    • SHA256
      4842ed08873ea7f42a725da7653a24d928e2c9da174b3f4b3d761d8f9a41df88
    • SHA512
      7a7a38e2638e7abd9ca586cb896675ffb56edfa32abc00316d52c83e2d18f47e2b55599fcfe184dfa4d169a8d53154c1c894b676d2deb1e4617b7d625a99d1a0
  • C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce\_Files\_Screen_Desktop.jpeg
    • Filesize
      46KB
    • MD5
      a7e6988fc8f6d175f898fd3b45acdbf2
    • SHA1
      d71cef1c0831f4ca42fb414a9916ee19817ee574
    • SHA256
      96d7b5843d5f6d4dd6b2215d57671591c11460861c63e9a5cd1c14a18c98a2df
    • SHA512
      887f74d99ba28d27e89faabafea51ebc28d1396d597db090e5ad153de8d1c8c797c26ff558fe877e61c77b2c8906cdf0a1748387fd56c04ebc22b2cea6806e5b
  • C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce\files_\system_info.txt
    • Filesize
      808B
    • MD5
      5398901716c40b1f27d231d8bb0b9f44
    • SHA1
      6305231e449e86b5df711d06c92ed780fabdf7e6
    • SHA256
      0fb1474726777f3b5daa411e714675d3271fa71cb72397eeee1ff1b8722831b7
    • SHA512
      f1161804deb18cfc2a0daa9211f7ceaf7022cdcb374831a00734379ae1ced5e9078430f5a6ea16c6ff179b3d1836fcb3ca2c4803aa051ab628491edce3e038ac
  • C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce\files_\system_info.txt
    • Filesize
      7KB
    • MD5
      6da8891b329eb32d678252a3bf64b769
    • SHA1
      e665554e163e392c63ed43bd07f45ceb311baa89
    • SHA256
      193806a9f2be6a7799807a4bb809fa90fc302c5d5e4f7e6dda8ab84dd856afa7
    • SHA512
      aa50775d7c643d0cbe79be141cb32135cf504306ea2639c02a13489160be87c7aaed68aad4265ebe8c21baeebc37c40b4323a26aa0a0963f99f3dfd75122e3f3
  • memory/5068-213-0x0000000000400000-0x00000000004E5000-memory.dmp
    • Filesize
      916KB
  • memory/5068-1-0x0000000000790000-0x0000000000890000-memory.dmp
    • Filesize
      1024KB
  • memory/5068-3-0x0000000000400000-0x00000000004E5000-memory.dmp
    • Filesize
      916KB
  • memory/5068-2-0x0000000002330000-0x0000000002411000-memory.dmp
    • Filesize
      900KB
  • memory/5068-221-0x0000000002330000-0x0000000002411000-memory.dmp
    • Filesize
      900KB