Overview

Score: 10 (overall)

Tasks (score per task)
- Static (static): 3
- 67f64deda3...ca.exe on windows7-x64: 10
- 67f64deda3...ca.exe on windows10-2004-x64: 10
- Ecco.xlm on windows7-x64: 1
- Ecco.xlm on windows10-2004-x64: 1
- Par.xlm on windows7-x64: 1
- Par.xlm on windows10-2004-x64: 1
- Sommesso.ps1 on windows7-x64: 1
- Sommesso.ps1 on windows10-2004-x64: 1
- Vento.xlm on windows7-x64: 1
- Vento.xlm on windows10-2004-x64: 1
Analysis

- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 19-01-2024 15:23
Static task
- static1

Behavioral tasks (sample on resource)
- behavioral1: 67f64deda3027f9fcdd4b5d9568d37ca.exe on win7-20231129-en
- behavioral2: 67f64deda3027f9fcdd4b5d9568d37ca.exe on win10v2004-20231222-en
- behavioral3: Ecco.xlm on win7-20231215-en
- behavioral4: Ecco.xlm on win10v2004-20231215-en
- behavioral5: Par.xlm on win7-20231215-en
- behavioral6: Par.xlm on win10v2004-20231215-en
- behavioral7: Sommesso.ps1 on win7-20231215-en
- behavioral8: Sommesso.ps1 on win10v2004-20231215-en
- behavioral9: Vento.xlm on win7-20231129-en
- behavioral10: Vento.xlm on win10v2004-20231222-en
General

- Target: 67f64deda3027f9fcdd4b5d9568d37ca.exe
- Size: 1.5MB
- MD5: 67f64deda3027f9fcdd4b5d9568d37ca
- SHA1: a0282c1308618988507d893ff0cf4210f48b8434
- SHA256: 4100053b3cc8236c5fefd63c3773e81c5daea40638bcafc588b2127d9a191670
- SHA512: 1004cb0635793106001a6aae43f82c53f21e20a24ad19d0a7e7904cc86fd76dc39aad4b6d9397274f640bec196559cc781260e45f82e123297161d041d9aa3b8
- SSDEEP: 49152:No/WVBIH536/5KXqU4lcv/BVHoj2RCtR3l:NoeVB4536/s6Ulvpt
Malware Config

Extracted
- Family: cryptbot
- Domains: ewauhc58.top, morexn05.top
- payload_url: http://winorm07.top/download.php?file=lv.exe
Signatures

CryptBot payload (5 IoCs)
Processes (resource: yara_rule):
- behavioral1/memory/2656-28-0x0000000003960000-0x0000000003A03000-memory.dmp: family_cryptbot
- behavioral1/memory/2656-29-0x0000000003960000-0x0000000003A03000-memory.dmp: family_cryptbot
- behavioral1/memory/2656-30-0x0000000003960000-0x0000000003A03000-memory.dmp: family_cryptbot
- behavioral1/memory/2656-31-0x0000000003960000-0x0000000003A03000-memory.dmp: family_cryptbot
- behavioral1/memory/2656-251-0x0000000003960000-0x0000000003A03000-memory.dmp: family_cryptbot
All five hits are the same region (0x03960000-0x03A03000) of PID 2656 (Crescente.exe.com), dumped at different points in the run.

Executes dropped EXE (2 IoCs)
Processes (pid: process):
- 2548: Crescente.exe.com
- 2656: Crescente.exe.com

Loads dropped DLL (2 IoCs)
Processes (pid: process):
- 2384: cmd.exe
- 2548: Crescente.exe.com

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (process: description, ioc):
- 67f64deda3027f9fcdd4b5d9568d37ca.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Read this signature with care: the value is not persistence for the payload. wextract_cleanup0 under RunOnce is the entry the Windows IExpress self-extractor (wextract.exe) writes so that advpack.dll's DelNodeRunDLL32 deletes its IXP000.TMP extraction directory at the next logon. It mainly tells you the dropper is an IExpress package; any real persistence mechanism has to be looked for elsewhere.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc: process):
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0: Crescente.exe.com
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString: Crescente.exe.com

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid: process):
- 2656: Crescente.exe.com (2 entries)

Suspicious use of WriteProcessMemory (28 IoCs)
Processes (parent pid, parent process -> target pid, target process). The sandbox logs one entry per call and each pair below appears four times in the log, which is where the count of 28 comes from:
- 2888 67f64deda3027f9fcdd4b5d9568d37ca.exe -> 2052 cmd.exe (x4)
- 2888 67f64deda3027f9fcdd4b5d9568d37ca.exe -> 1264 cmd.exe (x4)
- 1264 cmd.exe -> 2384 cmd.exe (x4)
- 2384 cmd.exe -> 2980 findstr.exe (x4)
- 2384 cmd.exe -> 2548 Crescente.exe.com (x4)
- 2384 cmd.exe -> 2560 PING.EXE (x4)
- 2548 Crescente.exe.com -> 2656 Crescente.exe.com (x4)
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\67f64deda3027f9fcdd4b5d9568d37ca.exe (PID 2888)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\67f64deda3027f9fcdd4b5d9568d37ca.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2052)
      cmdline: cmd /c JUQpepOg
    C:\Windows\SysWOW64\cmd.exe (PID 1264)
      cmdline: cmd /c cmd < Ecco.xlm
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 2384)
          cmdline: cmd
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\findstr.exe (PID 2980)
              cmdline: findstr /V /R "^eNKbLEuNmZeVzmbqrPjFSkfDWrCYKYlVKuwVuMOOuBEruoAlgWCLlQPRnuBIwoeBOikjbBUdwnnsGkbNCsJOcmLTslbZlyMXnrgZWhNMejJLsnljJOyKmgufcsVht$" Vento.xlm
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crescente.exe.com (PID 2548)
              cmdline: Crescente.exe.com W
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory
                C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crescente.exe.com (PID 2656)
                  cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crescente.exe.com W
                  - Executes dropped EXE
                  - Checks processor information in registry
                  - Suspicious use of FindShellTrayWindow
            C:\Windows\SysWOW64\PING.EXE (PID 2560)
              cmdline: ping localhost -n 30
              - Runs ping.exe

Reading the chain: the IExpress package unpacks its contents into IXP000.TMP and launches cmd.exe with Ecco.xlm redirected to stdin, so the .xlm file is the batch script even though its extension says otherwise. That script runs findstr /V /R over Vento.xlm, which drops every line matching the long anchored marker string (the script text itself is not in the report, so where findstr's output is written is not visible here), starts Crescente.exe.com with the argument W, which re-launches itself with the same argument, and calls ping localhost -n 30 as a roughly 30-second delay. The CryptBot YARA hits and the processor-name registry reads are all in the second Crescente.exe.com instance (PID 2656).
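The process chain above, as an added example that is not part of the Triage report or its tooling: a Python script that rebuilds parent/child lineage from the "wrote to memory of" lines (collapsing the repeated entries into call counts) and tags the staging tricks seen in this tree. The event lines and command lines are transcribed from this report; the tag names, the thresholds (a 40-character marker regex, a ping count of 10) and the IXP\d{3}.TMP directory pattern are the editor's own assumptions, not Triage signatures.

```python
"""Rebuild process lineage from Triage's WriteProcessMemory events and flag the
staging tricks visible in this report's process tree.

Added example by the editor, not part of the Triage report or tooling. Event
lines and command lines are transcribed from the report; tag names, thresholds
and the IXP directory pattern are the editor's assumptions."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed input: the seven distinct "wrote to memory of" lines from the
# report. The sandbox logs one line per API call and each pair appears four
# times there; that repetition is reproduced here so the counting is exercised.
UNIQUE_WPM = [
    "PID 2888 wrote to memory of 2052 2888 67f64deda3027f9fcdd4b5d9568d37ca.exe cmd.exe",
    "PID 2888 wrote to memory of 1264 2888 67f64deda3027f9fcdd4b5d9568d37ca.exe cmd.exe",
    "PID 1264 wrote to memory of 2384 1264 cmd.exe cmd.exe",
    "PID 2384 wrote to memory of 2980 2384 cmd.exe findstr.exe",
    "PID 2384 wrote to memory of 2548 2384 cmd.exe Crescente.exe.com",
    "PID 2384 wrote to memory of 2560 2384 cmd.exe PING.EXE",
    "PID 2548 wrote to memory of 2656 2548 Crescente.exe.com Crescente.exe.com",
]
WPM_LINES = [line for line in UNIQUE_WPM for _ in range(4)]

# Constructed input: (image path, command line) per PID, from the process tree.
PROCS: Dict[int, Tuple[str, str]] = {
    2888: (r"C:\Users\Admin\AppData\Local\Temp\67f64deda3027f9fcdd4b5d9568d37ca.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\67f64deda3027f9fcdd4b5d9568d37ca.exe"'),
    2052: (r"C:\Windows\SysWOW64\cmd.exe", "cmd /c JUQpepOg"),
    1264: (r"C:\Windows\SysWOW64\cmd.exe", "cmd /c cmd < Ecco.xlm"),
    2384: (r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    2980: (r"C:\Windows\SysWOW64\findstr.exe",
           'findstr /V /R "^eNKbLEuNmZeVzmbqrPjFSkfDWrCYKYlVKuwVuMOOuBEruoAlgWCLlQPRnuBIwoeBOikjbBUdwnnsGkbNCsJOcmLTslbZlyMXnrgZWhNMejJLsnljJOyKmgufcsVht$" Vento.xlm'),
    2548: (r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crescente.exe.com",
           "Crescente.exe.com W"),
    2656: (r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crescente.exe.com",
           r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crescente.exe.com W"),
    2560: (r"C:\Windows\SysWOW64\PING.EXE", "ping localhost -n 30"),
}

# "PID <ppid> wrote to memory of <cpid> <ppid> <parent image> <child image>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_events(lines: List[str]) -> Counter:
    """Collapse the per-call log into (parent pid, child pid) -> call count."""
    edges: Counter = Counter()
    for line in lines:
        m = WPM_RE.search(line)
        if m:
            edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def lineage(pid: int, edges: Counter) -> List[int]:
    """Walk parent pointers up to the root; returns the chain root..pid."""
    parent = {child: par for (par, child) in edges}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def flag(image: str, cmdline: str) -> List[str]:
    """Editor's heuristics for the staging tricks in this tree (assumed names)."""
    tags: List[str] = []
    base = image.rsplit("\\", 1)[-1].lower()
    if base == "cmd.exe":
        # Batch script fed on stdin from a file whose extension is not .bat/.cmd
        m = re.search(r'<\s*"?([^"\s]+)', cmdline)
        if m and not m.group(1).lower().endswith((".bat", ".cmd")):
            tags.append("stdin_redirect_script")
    if base == "findstr.exe" and re.search(r"(?i)\s/v\b", cmdline):
        # /V with a long fully anchored pattern strips a marker line from a file
        m = re.search(r'"\^([^"]+)\$"', cmdline)
        if m and len(m.group(1)) >= 40:
            tags.append("findstr_carve")
    if base == "ping.exe":
        # ping against loopback with a large -n count is a sleep substitute
        n = re.search(r"(?i)-n\s+(\d+)", cmdline)
        if n and int(n.group(1)) >= 10 and re.search(r"(?i)\b(localhost|127\.0\.0\.1)\b", cmdline):
            tags.append("ping_delay")
    if re.search(r"(?i)\\IXP\d{3}\.TMP\\", image):
        tags.append("iexpress_staging")  # wextract/IExpress extraction directory
    if re.search(r"(?i)\.exe\.\w+$", base):
        tags.append("double_extension")  # e.g. Crescente.exe.com
    return tags


def analyze(procs: Dict[int, Tuple[str, str]]) -> Dict[int, List[str]]:
    return {pid: flag(img, cl) for pid, (img, cl) in procs.items()}


if __name__ == "__main__":
    edges = parse_events(WPM_LINES)
    for (par, child), n in sorted(edges.items()):
        print(f"{par} -> {child} ({n} calls)")
    print("lineage of 2656:", " -> ".join(map(str, lineage(2656, edges))))
    for pid, tags in analyze(PROCS).items():
        if tags:
            print(pid, PROCS[pid][1][:40], tags)
```

The parent map is built from the WriteProcessMemory pairs only, which is enough here because every child in this tree received a write from its creator; on a tree where a parent spawns a child without touching its memory you would merge in the sandbox's process-creation events as well.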
Network
MITRE ATT&CK Enterprise v15
Downloads

1. Filesize: 805KB
   MD5: 4825cf1277dd845ba6d6072809e587b3
   SHA1: 5471e188b0276f57e982e6fe035b612506b46111
   SHA256: 848758eeb00ef5fa96c1b0fe61c28ff1b98cb8d24bc05f20c6223b6ee1cf15ad
   SHA512: 4988d2bdc6410f42eb13a2e5654012593eb613eff171a2a8539874e1c3e9855901e4682a7e06fe2c8746f797abce1a71d2c71b12927b4a7846bbfd1ab94d2de3

2. Filesize: 655KB
   MD5: ff73805e2d06c3e506e4e5f309834565
   SHA1: 091bed8a3f7268b42ad8b0728b0107ff68a870de
   SHA256: e6e97efc2b5ce218465381a65776620acc262ff01d1e740d065b868a3f3f522e
   SHA512: 3585571a66df133c6ecc596e86f971ba8c1479f4335453e9e3f36a8071d7cc5760bc05322d55eccabccc6893f14461f2abab4ee2f9187c48e50c153aa514cfd5

3. Filesize: 599KB
   MD5: 500eef52e2139df25c31d2b71ad8956b
   SHA1: 96ec6b63a2dbccf1f9eca0ab875070f66f42c199
   SHA256: c7d0db9f9182b1ad766c58604bcdf4c97d8341282ed5d102df46218baefa22de
   SHA512: 7287087aea7afeeda66cea2634f5c179b61054862e3265c3a7fdd3facaf713a48a401cad56c73a3a982c9adb1739f46790f11ce100dd1940a0aba6ff424a685a

4. Filesize: 499B
   MD5: 2aff5060ef4f5d995d554450516532bb
   SHA1: 2fc0f1b6ead08bbca6241c95d72c85de0a2ca735
   SHA256: 2f0a4a9283fb38f5f88376fa00844eb3141e1a0492ed42b38918df92c6f365e3
   SHA512: 798d0d5f1bfbc18e094c80329b4ab873517165f986b1bacdaaf3558af72b54870be5e4055600127950eda52ae4dedba653f87354fc48ddc8c1c261cbd67b9f7a

5. Filesize: 600KB
   MD5: 928e9e2a34017f3f570ba2acb9e1a689
   SHA1: a3fa722d040a3f1cdf62f44cf7c80cbd35915e8b
   SHA256: 0e9c8217b334c63a0db73b9513bcb93e12ea52b4315d7412a0fc8c2ac34f4a26
   SHA512: 429b4522243793464bff2176504ab8d78224aadcba285c954afc6695acf74c1e6f19a05dfec3c07e2930c8a934e8e4a45c2f774026a73fc6dc9ad128366f4614

6. Filesize: 697KB
   MD5: 529d7087e5a2c24342f2f2f3d13526db
   SHA1: 04c5c070272f851d1d1e1b9ba09ad43a8cd2db96
   SHA256: 7d766f03577e7bc27034b4657858182a06e1c632fcf3c8ff8afea46937e1c9c9
   SHA512: e79c226c283da0e84a32e98972a18d95cbe90f41d80b8ae74162730ccc4424dfc694898721de9de955da2a986b95dc590388e1e5e2d9154df5155a39d5b8b99b

7. Filesize: 808KB
   MD5: 83758f09948ca3dff34552c4954eaede
   SHA1: ca897bb9e6540e430f3df560df32b8933324f7a7
   SHA256: 813f46cb98e23ce5cda6e67977a423e26d9f0934049178e4a499db61a68a944f
   SHA512: 59dff9ae41a787c99249513f72f313a2d16f6029b44644988fc9b26b9ef4eb382892a55ad9cdaf3a6ba7dfcc2e48d4347c38aa6a6082d73376cb8c66ad297f57

8. Filesize: 37KB
   MD5: f47dd1a6b3cd0362756d8a66dd48c230
   SHA1: d72d45c4fe6f887951665f3f7b8657e4773af605
   SHA256: 6d8b83464bf22bbbcaebb0bb1f647bc67bc043b8b075e58f19e997454caca7c9
   SHA512: 5c9230e9c8051c8e0d342fc573c9906301e6d72e39329fcf494b01c73f6fd0da803e6a0e6fcec6cd5d1b3f0d72c96b8be0fdd45baa44ab7e4b52416e4c28f183

9. Filesize: 8KB
   MD5: e885e851ffa2199ac8b68cbf2750cf13
   SHA1: 07cd1bec6e7e5a867192229cb35fe255564a4647
   SHA256: b3bdd8e638d7319dc7f5bc67cdd471bbc4fd8cd0df5821d05896843603ccc71d
   SHA512: 0362c85d32a6c80c49ed046736d4ee5100c9f98cd4056663d61686715b12a941d3e7a02fea1cf89f2478825742a1bb2bbaeae7512c57b988168db61308838ca0

10. Filesize: 44KB
    MD5: d1d8227625d7fc3ba29962dfae010a71
    SHA1: d2eb3efd6e09ed28d16d524c812f4e898d09c9b8
    SHA256: e59600d6ae89e00aaa9b3ced80aff542ca310833b46f77d895787bc51621dde2
    SHA512: 16a489e3ad0eebdc090d424e1b64bdc62b7a172580b822b3b578d529632a712a6793dea695185bd3c21fb7f76e4f2f144d14423238ea1801b669dbad6eaafa21

11. Filesize: 700B
    MD5: dd04cab2c3942fba89a8c78964b7c292
    SHA1: 7272691ac7a27258cb5bd93b63bc9b32ff0548ee
    SHA256: 97077381e1e3a05201b1dc51ab678dc8541c79980e1dcd388a6756b5015e02dd
    SHA512: 95c83d80fa310a508d3fd0d9db1a5eae51bf4abce28a20f33ee740de92860a570ece3bb549d2dd7a6af4fd54e86c1902aa6926c3144583cc2fc758060803f8a7

12. Filesize: 8KB
    MD5: 8dde9f501c18b1654a731ef9b388763c
    SHA1: d48be3f24c03c9c94314bdefb8c791974b79a238
    SHA256: e0f368c3d05fccc099a1ff4c76ecb5c6c1ad08a2011be772dde11b567469605a
    SHA512: 2cfb1ac8757683e9907e13f9049db81d42c8ac09e869900a609baf8be076eccfbfea848dd3dc5bf28b49d27ec6f6bee83381a44f2727a1fe6aa85f2ffee88919

13. Filesize: 799KB
    MD5: af91bda33fc6274f3d99d15a75333e6d
    SHA1: ef53762aa34be79c5505b16200da045ad2e57a92
    SHA256: e1866f897901fe913b78ca6535cb90cabed8733620e37af4abd7545595541fd7
    SHA512: 37885b3476349bf68a2f89d459bc2057238fe025d47e25d97387cf189000240fc498377d84f2dfcd830327f97b100a69639b67cca0dd2484c8161674b406d72b

14. Filesize: 761KB
    MD5: 2aa73df1274b4e4afaf52f7362085d68
    SHA1: a0cfa1e65797611c3df8c69939d3ce408fce8127
    SHA256: dd796168426ac68b597a046aeb88268910b70271bd07982dd78dccdc610e99c2
    SHA512: 1978f52b40447efb31a469a018126ef363d69b0208f744772a7dcd17990f156069380334f7d465fe5af0e7bfab3ccaf40ed9c0b53adb9e5739cf437bbe3aac55