Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-01-2024 20:51
Behavioral task
- behavioral1
- Sample: 6393577eccbb54f677ff7dd65c984807.exe
- Resource: win7-20231129-en
General
- Target: 6393577eccbb54f677ff7dd65c984807.exe
- Size: 3.0MB
- MD5: 6393577eccbb54f677ff7dd65c984807
- SHA1: 5020ec827081c486c32af374473d96ce5f4f30de
- SHA256: fb7f48daa45730568caa82cfa74c3c3a16130d2428ccef71eb266daa4146efde
- SHA512: 81e6e3b90072454e6497e1622b6d43371ca3c43cb5a073364b9f9db1c85866b1b9614f56c0b5c970b456cba7ffd0a7e8ce490649ec189c52d234b5e7e68a6d28
- SSDEEP: 49152:hU6pv81VrL49dOdL4hE+oQ2OkCe2OtIcm+H2w6JFqtEI8X3nUywRve:C6pJ9dO6hhofOkCCycm+WRJFnlNI
Malware Config
Extracted
- Family: cryptbot
- C2: fokfgl36.top, mortbo03.top
- payload_url: http://nybaer04.top/download.php?file=lv.exe
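The extracted configuration is most useful as a set of network indicators. The following script is an added example, not part of the sandbox report: it turns the two C2 domains and the payload URL above into a matcher and runs it over constructed DNS and proxy log lines (the log format, timestamps and the non-malicious hosts are assumptions). It treats subdomains of a C2 domain as hits, refuses to match look-alike names that merely end in the same characters, and also derives the payload host from the URL, since a later download attempt may use a different path.

```python
"""Match DNS and proxy log lines against the C2/payload indicators the sandbox
extracted from this CryptBot sample.  Added example; the log lines below are
constructed, not taken from the report."""
from __future__ import annotations

from urllib.parse import urlsplit

# Indicators copied from the "Malware Config" section of the report.
C2_DOMAINS = {"fokfgl36.top", "mortbo03.top"}
PAYLOAD_URL = "http://nybaer04.top/download.php?file=lv.exe"


def _host_of(url_or_host: str) -> str:
    """Return the lowercase hostname, accepting either a bare host or a URL."""
    if "://" in url_or_host:
        return (urlsplit(url_or_host).hostname or "").lower()
    return url_or_host.split(":")[0].lower().rstrip(".")


def domain_matches(candidate: str, indicator: str) -> bool:
    """True if candidate equals the indicator or is a subdomain of it.

    'notmortbo03.top' must NOT match 'mortbo03.top', hence the dot check."""
    c, i = candidate.lower().rstrip("."), indicator.lower()
    return c == i or c.endswith("." + i)


def build_indicator_hosts() -> set[str]:
    # The payload host is an indicator too, even though the config only lists the full URL.
    return C2_DOMAINS | {_host_of(PAYLOAD_URL)}


def match_log_line(line: str) -> str | None:
    """Return the indicator matched by one log line, or None.

    Assumed (constructed) log formats:
      DNS:   '<ts> dns query <qname>'
      Proxy: '<ts> proxy <method> <url>'
    """
    parts = line.split()
    if len(parts) < 4:
        return None
    if parts[1] == "dns":
        host = parts[-1]
        for ind in build_indicator_hosts():
            if domain_matches(host, ind):
                return ind
        return None
    if parts[1] == "proxy":
        url = parts[-1]
        if url.lower() == PAYLOAD_URL.lower():
            return PAYLOAD_URL          # exact payload fetch: report the full URL
        host = _host_of(url)
        for ind in build_indicator_hosts():
            if domain_matches(host, ind):
                return ind
    return None


def scan(lines) -> list[tuple[str, str]]:
    """Return (line, indicator) pairs for every line that matched."""
    return [(ln, m) for ln in lines if (m := match_log_line(ln))]


SAMPLE_LOG = [  # constructed, not from the sandbox run
    "2024-01-17T20:52:01Z dns query fokfgl36.top",
    "2024-01-17T20:52:02Z dns query www.mortbo03.top",
    "2024-01-17T20:52:03Z dns query notmortbo03.top",
    "2024-01-17T20:52:05Z proxy GET http://nybaer04.top/download.php?file=lv.exe",
    "2024-01-17T20:52:09Z proxy GET https://example.com/",
]

if __name__ == "__main__":
    for line, hit in scan(SAMPLE_LOG):
        print(f"{hit:45s} <- {line}")
```

Run as-is it reports three hits out of the five constructed lines; the look-alike `notmortbo03.top` and the unrelated HTTPS request are correctly ignored. Feed real DNS or proxy exports through `scan()` after adapting `match_log_line()` to their field layout.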
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
VBOX__ is the OEM table ID VirtualBox writes into the guest's ACPI DSDT; a stock VirtualBox guest exposes it under this key, so its mere presence fingerprints the hypervisor.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6393577eccbb54f677ff7dd65c984807.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6393577eccbb54f677ff7dd65c984807.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6393577eccbb54f677ff7dd65c984807.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
YARA rule "themida" matched in process memory 12 IoCs
All twelve matches are dumps of the same region (0x330000-0xAB7000, the main image of PID 5028) taken at different points of the behavioral2 run. Themida-protected code only exists unpacked in memory, so take the dump after the protector's entry stub has finished rather than analysing the file on disk.
Processes:
resource | yara_rule
behavioral2/memory/5028-0-0x0000000000330000-0x0000000000AB7000-memory.dmp | themida
behavioral2/memory/5028-2-0x0000000000330000-0x0000000000AB7000-memory.dmp | themida
behavioral2/memory/5028-3-0x0000000000330000-0x0000000000AB7000-memory.dmp | themida
behavioral2/memory/5028-4-0x0000000000330000-0x0000000000AB7000-memory.dmp | themida
behavioral2/memory/5028-5-0x0000000000330000-0x0000000000AB7000-memory.dmp | themida
behavioral2/memory/5028-6-0x0000000000330000-0x0000000000AB7000-memory.dmp | themida
behavioral2/memory/5028-7-0x0000000000330000-0x0000000000AB7000-memory.dmp | themida
behavioral2/memory/5028-8-0x0000000000330000-0x0000000000AB7000-memory.dmp | themida
behavioral2/memory/5028-9-0x0000000000330000-0x0000000000AB7000-memory.dmp | themida
behavioral2/memory/5028-215-0x0000000000330000-0x0000000000AB7000-memory.dmp | themida
behavioral2/memory/5028-225-0x0000000000330000-0x0000000000AB7000-memory.dmp | themida
behavioral2/memory/5028-228-0x0000000000330000-0x0000000000AB7000-memory.dmp | themida
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 IoCs
The EnableLUA value is 0 when UAC is disabled; the sample reads it from the Policies\System key, which matches the "Checks whether UAC is enabled" entry in the process tree below.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6393577eccbb54f677ff7dd65c984807.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
NtSetInformationThread with the ThreadHideFromDebugger class stops the calling thread from delivering debug events, so a debugger attached to PID 5028 silently loses that thread; when stepping this sample, hook or patch that call before it is reached.
Processes:
pid | process
5028 | 6393577eccbb54f677ff7dd65c984807.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 6393577eccbb54f677ff7dd65c984807.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 6393577eccbb54f677ff7dd65c984807.exe
-
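The ACPI, BIOS and processor signatures above all come down to a handful of HKLM reads. The script below is an added example, not code from the report or from the sample: it replays those reads as a sandbox-hardening check, either against a constructed registry snapshot or, on Windows, against the live registry via `winreg`. The report only shows which keys and values were touched, not what strings the sample compares them with, so the `VM_MARKERS` substrings and the two example snapshots (a stock VirtualBox guest and a hardened one) are assumptions based on VirtualBox's default BIOS strings.

```python
"""Replay the registry-based VM checks this sample performs, against either a
constructed snapshot or the live registry, to see what a sandbox leaks.
Added example; VM_MARKERS and the snapshots are assumptions (VirtualBox
defaults), not values recovered from the sample."""
from __future__ import annotations

import sys

# Keys/values the sandbox saw the sample open or query (from the report).
ACPI_VBOX_KEY = r"HARDWARE\ACPI\DSDT\VBOX__"
BIOS_VALUES = [
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System\CentralProcessor\0", "ProcessorNameString"),
]
# Assumed substrings a default hypervisor guest exposes (matched case-insensitively).
VM_MARKERS = ("vbox", "virtualbox", "virtual", "vmware", "qemu", "kvm")


def vm_indicators(snapshot: dict[str, object]) -> list[str]:
    """Return the indicators found in a snapshot of HKLM data.

    snapshot maps 'key' (for key existence) or 'key\\value' to its data;
    REG_MULTI_SZ data may be given as a list of strings."""
    hits: list[str] = []
    if ACPI_VBOX_KEY in snapshot:            # existence alone is the tell
        hits.append(f"key exists: {ACPI_VBOX_KEY}")
    for key, value in BIOS_VALUES:
        data = snapshot.get(f"{key}\\{value}")
        if data is None:
            continue
        text = " ".join(data) if isinstance(data, (list, tuple)) else str(data)
        if any(m in text.lower() for m in VM_MARKERS):
            hits.append(f"{value} = {text!r}")
    return hits


def read_live_snapshot() -> dict[str, object]:
    """Collect the same keys/values from the local machine (Windows only)."""
    import winreg  # only importable on Windows
    snap: dict[str, object] = {}
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ACPI_VBOX_KEY))
        snap[ACPI_VBOX_KEY] = True
    except OSError:
        pass
    for key, value in BIOS_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                snap[f"{key}\\{value}"] = winreg.QueryValueEx(k, value)[0]
        except OSError:
            pass
    return snap


# Constructed snapshots: a stock VirtualBox guest and a hardened one (assumed values).
STOCK_VBOX = {
    ACPI_VBOX_KEY: True,
    r"HARDWARE\DESCRIPTION\System\SystemBiosVersion": ["VBOX   - 1"],
    r"HARDWARE\DESCRIPTION\System\VideoBiosVersion": ["Oracle VM VirtualBox VBE Adapter"],
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString":
        "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz",
}
HARDENED = {
    r"HARDWARE\DESCRIPTION\System\SystemBiosVersion": ["DELL   - 1072009"],
    r"HARDWARE\DESCRIPTION\System\VideoBiosVersion": ["Intel Video BIOS"],
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString":
        "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz",
}

if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else STOCK_VBOX
    for h in vm_indicators(snap):
        print("VM indicator:", h)
```

On a Windows analysis VM this prints every value the sample would have been able to use; an empty result for a guest means the DSDT OEM ID and BIOS strings have been customised, which is the minimum needed before expecting samples like this one to run their real payload.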
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
5028 | 6393577eccbb54f677ff7dd65c984807.exe
5028 | 6393577eccbb54f677ff7dd65c984807.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
5028 | 6393577eccbb54f677ff7dd65c984807.exe
5028 | 6393577eccbb54f677ff7dd65c984807.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID: 5028
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 9e822e58a87cc95596d8d0e3fc04662c
  SHA1: f5040ac163e1c03dc2d67e3921a2a28e27fedfe7
  SHA256: 753248ab1507fa63e69d4391e227f870f2e2f311c1fc0fb2baddd7216cefcf41
  SHA512: 4b9dcbfc93401126dff26aab28e89fcda4e0c3ab35d1aa1843a9146ef823f5a3752ef1dddf1c91e205f401ecebd535670e48b8849617e8e065629ffac522d0ba
- Filesize: 4KB
  MD5: 96ffbfaa37c5b07727b82b4d56ec51c2
  SHA1: f38d3efe58bfa231117f96b662a2678a9c0dd7cb
  SHA256: d0bafdec6260e5a340c92582679548e3037134dec8b892febe320278c18f460e
  SHA512: a7c23e8b369bd5f96f4d13235ff38b9364220575c02d63e2b45a088aa1fac87ca35dfc1db45eb37d5a3394dfd30dfc7dab3f2a42647f58f407827888716e9706
- Filesize: 51KB
  MD5: c3fec46d69dc2680f687f4fc5c85fe3b
  SHA1: fe703003991b3bfe38a659c16b8b6ae38f7523f4
  SHA256: 086426fc37bb68b0bd39e25390005b74f63f75aaeb585c59dd925cf71c37fa96
  SHA512: dce417b59ea47252a706657257e7bb9dbba55df3af1d98c92aade35fbe76c04055d36db97a24e6f9be1832739daa87623fb5fbbfb84974f84c5b30f5f27cb452
- Filesize: 1KB
  MD5: c80b34b7ed70aa50d575aa08b72dae89
  SHA1: 65ac42b532a98652dc29ba876d64edafde5e9fd2
  SHA256: 58964d53a58dd513ae30f5e0fb5d1f0557176ac7c245c46dcafbbb0ed2cc2e11
  SHA512: a6800418c83442df4435d27e5c7f004c904df39f061f130bb517a2229dce695207ba0b3566541e749b1e4e6aaa777bef1fb8246adf7323166d515b8d834d5496
- Filesize: 4KB
  MD5: fa7022c7b7de97783dd6f8fd53c7765f
  SHA1: 0a7d12e638076141b1459148a6ab2a27b5079a28
  SHA256: 3fca66c54d53a357757cc3d252e9767e3259670a8678701bf3bdaf86145c9004
  SHA512: c72ae59bf28bea9249d1b6d71490fc420942ca94c0c63e7384332e8a0d57709dcce13c2d0db3f9a15a1d55bc05d77ef4ab8dcfbbf9fd6062a4b1a0772cef4444
- Filesize: 45KB
  MD5: 295adc1381c9f0f393604d5133917369
  SHA1: 18e20289c5cdf9c836dde90344c743f0e19ddf25
  SHA256: 1187c53a11377607b06c7111587909fdd8866f98a93c4718c7ff2379f7dbff19
  SHA512: 83405fca8a223b4e6cc977be09aa8db99ee439e910e198acd1c087d0cfae4cc6af2b170584565e3948751c1e2327d4db0e0900764587138d0665f00488ebd756