Analysis
max time kernel: 90s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-01-2024 05:18
Static task: static1
Behavioral task: behavioral1
Sample: 5f0f316459cf8e92f8705124acdbe3e4.exe
Resource: win7-20231215-en
General
Target: 5f0f316459cf8e92f8705124acdbe3e4.exe
Size: 746KB
MD5: 5f0f316459cf8e92f8705124acdbe3e4
SHA1: dd8ec58e0fb787491eae153bd02d3be825fa8f3a
SHA256: b118e2deb33dc46a4ae01ba586feafcae96251267ab36dee8aa7f282b7263d13
SHA512: 5af5e66c8de74c941337d44315beb9ded9bf9ada0b8348820c87516ef5eb507ab44586afc7401d72e61b829d1bc2e87034cfe82eaf4353a3772653c4677854c4
SSDEEP: 12288:7n5IQdj9J0t1CIQklyPGt0dPf2OgiCjwnRl/1T7xu8+3oIa1oDVLBTv5NKrk52mB:7Nut1CIHlgGOgwnTu3zRtTX2kLB
Malware Config
Extracted
Family: cryptbot
- ewapyc22.top
- morzup02.top
payload_url: http://winqoz02.top/download.php?file=lv.exe
Signatures

CryptBot payload (4 IoCs)
YARA rule family_cryptbot matched the following memory dumps (resource: yara_rule):
- behavioral2/memory/5068-2-0x0000000002330000-0x0000000002411000-memory.dmp
- behavioral2/memory/5068-3-0x0000000000400000-0x00000000004E5000-memory.dmp
- behavioral2/memory/5068-213-0x0000000000400000-0x00000000004E5000-memory.dmp
- behavioral2/memory/5068-221-0x0000000002330000-0x0000000002411000-memory.dmp

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 5f0f316459cf8e92f8705124acdbe3e4.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation (process 5f0f316459cf8e92f8705124acdbe3e4.exe)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
Processes: WerFault.exe
- WerFault.exe (pid 4608), target process 5f0f316459cf8e92f8705124acdbe3e4.exe (pid_target 5068)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: 5f0f316459cf8e92f8705124acdbe3e4.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process 5f0f316459cf8e92f8705124acdbe3e4.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process 5f0f316459cf8e92f8705124acdbe3e4.exe)

Delays execution with timeout.exe (1 IoC)
Processes: timeout.exe (pid 3648)

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: 5f0f316459cf8e92f8705124acdbe3e4.exe (pid 5068), two occurrences

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 5f0f316459cf8e92f8705124acdbe3e4.exe, cmd.exe
- PID 5068 (5f0f316459cf8e92f8705124acdbe3e4.exe) wrote to memory of PID 3912 (cmd.exe), three times
- PID 3912 (cmd.exe) wrote to memory of PID 3648 (timeout.exe), three times
Processes

1. C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe"
   PID: 5068
   - Checks computer location settings
   - Checks processor information in registry
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe"
      PID: 3912
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 3
         PID: 3648
         - Delays execution with timeout.exe
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1692
      PID: 4608
      - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5068 -ip 5068
   PID: 1380
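The cmd.exe child in the tree above is the sample's cleanup routine: it removes a random-named working directory under Temp with `rd /s /q`, waits with `timeout 3` so the parent can exit and release its file lock, then deletes the parent's own executable with `del /f /q`. (The image path is SysWOW64\cmd.exe while the command line names system32 because the 32-bit sample is subject to WoW64 file-system redirection.) The robust detection for this pattern is not the string "timeout" or "del" alone but the relationship: a cmd.exe process whose `del` target equals its parent's image path. The following Python is an added example of that check, not sandbox code or anything from the page; the records are constructed from the PIDs and command lines in this report in Sysmon Event ID 1 style, with the root PPIDs and the explorer.exe/build.log benign control invented for the example.

```python
"""Flag a cmd.exe child that deletes its parent's own executable after a delay.

Added example for this report, not sandbox code. The records below are constructed
from the PIDs and command lines in the process tree (Sysmon Event ID 1 style fields);
root-process PPIDs and the explorer.exe/build.log benign control are invented.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None: parent not present in the report
    image: str            # full path of the created process image
    cmdline: str          # command line as logged


# Constructed from the report's process tree plus a benign control (explorer.exe
# spawning a cmd.exe that clears a build directory and deletes a log file).
EVENTS = [
    ProcEvent(5068, None, r"C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe"'),
    ProcEvent(3912, 5068, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\WpLMkILJomce'
              r' & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5f0f316459cf8e92f8705124acdbe3e4.exe"'),
    ProcEvent(3648, 3912, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(2200, None, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4100, 2200, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\build'
              r' & del /f /q C:\Users\Admin\build.log'),
]

# `del [/switches] target`, target optionally quoted, up to the next & or | separator.
DEL_RE = re.compile(r'\bdel\s+((?:/[a-z]+\s+)*)"?([^"&|]+?)"?\s*(?:&|\||$)', re.IGNORECASE)
# `timeout N` or `timeout /t N`: the delay that lets the parent exit before the delete.
TIMEOUT_RE = re.compile(r'\btimeout\s+(?:/t\s+)?(\d+)', re.IGNORECASE)
# `rd /s /q dir`: the working-directory cleanup that precedes the self-delete.
RD_RE = re.compile(r'\brd\s+(?:/[sq]\s+)*"?([^"&|]+?)"?\s*(?:&|\||$)', re.IGNORECASE)


def del_targets(cmdline: str) -> list[str]:
    """Paths passed to `del` in a cmd.exe command line, unquoted and lower-cased."""
    return [m.group(2).strip().lower() for m in DEL_RE.finditer(cmdline)]


def find_self_deletion(events: list[ProcEvent]) -> list[dict]:
    """One alert per cmd.exe process whose `del` target is its own parent's image path."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # Windows paths are case-insensitive, so compare lower-cased on both sides.
        if parent.image.lower() not in del_targets(e.cmdline):
            continue
        delay = TIMEOUT_RE.search(e.cmdline)
        rd = RD_RE.search(e.cmdline)
        alerts.append({
            "cmd_pid": e.pid,
            "parent_pid": parent.pid,
            "deleted": parent.image,
            "delay_s": int(delay.group(1)) if delay else None,
            "removed_dir": rd.group(1).strip() if rd else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_self_deletion(EVENTS):
        print(alert)
```

Run against these records the function raises exactly one alert, for cmd.exe PID 3912 deleting the PID 5068 image after a 3 second delay; the benign cmd.exe that deletes build.log produces nothing because its target is not its parent's executable. On a real host the same check runs over Sysmon process-creation events (fields ProcessId, ParentProcessId, Image, ParentImage, CommandLine), where ParentImage is logged directly and the PID lookup is unnecessary.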
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 40KB
MD5: 44b29d82f82d206b92a69cb82a6ecc82
SHA1: b622313d8e10cdf13f245f21ffaa577a93da96d1
SHA256: b69794bba950de4eedc85b787a926f35b8e4ad6df8243770338fbde842354719
SHA512: 5427b50d296792da742fb780071e40b153f4137b15c4ca91625b29496d54d4553108d0536f0c64abd2499a9b1b9840f83841bedfa32198fb31e63e23abf75a72

Filesize: 40KB
MD5: eb204acc7fbf2ec31c263aa4d6acd2ef
SHA1: ce52d8dafc36eb917658fffbeb459d6861710c09
SHA256: 9cd9acde6e06d4154cc00b8c7bf7267e017076cd80999a26ba43a5c8de310beb
SHA512: 0d5313a703c92927d58e0c1bf6633ed5c096d308e4f827e98586453f8f00b5d6c5f07415814b50fdb481a49883e6bcf53bef81a2f9e72a7211aa65586ed31a08

Filesize: 7KB
MD5: c6fa787d86601841dfa1012a1ec7c718
SHA1: 70414a3111600331561e2fc303e9d936d1dd3af9
SHA256: 3ad13b8a5941836424b743301f3e0cf8816afc4c3ed00f8b7966662bef13994a
SHA512: f76965205d602a155db9fbb79b7359979fdf8877a9dae5b37bac88c5ab61841620cdab5ddc2ec2e40d531ce8b78ff30eb3312182dddf3749f84fa2f36e248b41

Filesize: 1KB
MD5: 09394f9d432614df15b58ce4ba7eec28
SHA1: e90576538716df6012a39daf39b28268a7920ad7
SHA256: cfd9949b1e1319fd82ad88460db04a8bc62225f09c3b5f6275b9ed59febed7ca
SHA512: 555316e5180be9ba7dfdf02d61b123669e23c3cfc10d27959d14f2e7584ce58ca1a843e3622d689161a403fe47bfb10661363f0351a17f2d8226af1f3ceb14f6

Filesize: 4KB
MD5: 22ff6f120ddbc44c8e486c3366951643
SHA1: e8d738addf97eeb043af559a0a03bffd5492b06c
SHA256: 4842ed08873ea7f42a725da7653a24d928e2c9da174b3f4b3d761d8f9a41df88
SHA512: 7a7a38e2638e7abd9ca586cb896675ffb56edfa32abc00316d52c83e2d18f47e2b55599fcfe184dfa4d169a8d53154c1c894b676d2deb1e4617b7d625a99d1a0

Filesize: 46KB
MD5: a7e6988fc8f6d175f898fd3b45acdbf2
SHA1: d71cef1c0831f4ca42fb414a9916ee19817ee574
SHA256: 96d7b5843d5f6d4dd6b2215d57671591c11460861c63e9a5cd1c14a18c98a2df
SHA512: 887f74d99ba28d27e89faabafea51ebc28d1396d597db090e5ad153de8d1c8c797c26ff558fe877e61c77b2c8906cdf0a1748387fd56c04ebc22b2cea6806e5b

Filesize: 808B
MD5: 5398901716c40b1f27d231d8bb0b9f44
SHA1: 6305231e449e86b5df711d06c92ed780fabdf7e6
SHA256: 0fb1474726777f3b5daa411e714675d3271fa71cb72397eeee1ff1b8722831b7
SHA512: f1161804deb18cfc2a0daa9211f7ceaf7022cdcb374831a00734379ae1ced5e9078430f5a6ea16c6ff179b3d1836fcb3ca2c4803aa051ab628491edce3e038ac

Filesize: 7KB
MD5: 6da8891b329eb32d678252a3bf64b769
SHA1: e665554e163e392c63ed43bd07f45ceb311baa89
SHA256: 193806a9f2be6a7799807a4bb809fa90fc302c5d5e4f7e6dda8ab84dd856afa7
SHA512: aa50775d7c643d0cbe79be141cb32135cf504306ea2639c02a13489160be87c7aaed68aad4265ebe8c21baeebc37c40b4323a26aa0a0963f99f3dfd75122e3f3