Analysis (behavioral2 task; the Signatures and Processes sections below are from this run)

- Max time kernel: 35s
- Max time network: 148s
- Platform: windows10-2004_x64
- Resource: win10v2004-20231222-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 19-01-2024 15:23
Tasks

Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: 67f64deda3027f9fcdd4b5d9568d37ca.exe, win7-20231129-en
- behavioral2: 67f64deda3027f9fcdd4b5d9568d37ca.exe, win10v2004-20231222-en
- behavioral3: Ecco.xlm, win7-20231215-en
- behavioral4: Ecco.xlm, win10v2004-20231215-en
- behavioral5: Par.xlm, win7-20231215-en
- behavioral6: Par.xlm, win10v2004-20231215-en
- behavioral7: Sommesso.ps1, win7-20231215-en
- behavioral8: Sommesso.ps1, win10v2004-20231215-en
- behavioral9: Vento.xlm, win7-20231129-en
- behavioral10: Vento.xlm, win10v2004-20231222-en
General

- Target: 67f64deda3027f9fcdd4b5d9568d37ca.exe
- Size: 1.5MB
- MD5: 67f64deda3027f9fcdd4b5d9568d37ca
- SHA1: a0282c1308618988507d893ff0cf4210f48b8434
- SHA256: 4100053b3cc8236c5fefd63c3773e81c5daea40638bcafc588b2127d9a191670
- SHA512: 1004cb0635793106001a6aae43f82c53f21e20a24ad19d0a7e7904cc86fd76dc39aad4b6d9397274f640bec196559cc781260e45f82e123297161d041d9aa3b8
- SSDEEP: 49152:No/WVBIH536/5KXqU4lcv/BVHoj2RCtR3l:NoeVB4536/s6Ulvpt
Malware Config

Extracted family: cryptbot
- C2: ewauhc58.top
- C2: morexn05.top
- payload_url: http://winorm07.top/download.php?file=lv.exe

The two .top domains and the payload URL are the configuration extracted from the CryptBot payload in memory. They are specific to this build, so block them together with the file hashes under General rather than treating either set alone as a long-lived indicator.
Signatures

CryptBot payload (5 IoCs)
YARA rule family_cryptbot matched the same memory region of PID 1792 (the second Crescente.exe.com instance), 0x042D0000-0x04373000, in five dumps taken during behavioral2:
- behavioral2/memory/1792-25-0x00000000042D0000-0x0000000004373000-memory.dmp
- behavioral2/memory/1792-26-0x00000000042D0000-0x0000000004373000-memory.dmp
- behavioral2/memory/1792-27-0x00000000042D0000-0x0000000004373000-memory.dmp
- behavioral2/memory/1792-29-0x00000000042D0000-0x0000000004373000-memory.dmp
- behavioral2/memory/1792-236-0x00000000042D0000-0x0000000004373000-memory.dmp

Executes dropped EXE (2 IoCs)
- PID 4792: Crescente.exe.com
- PID 1792: Crescente.exe.com

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
Process: 67f64deda3027f9fcdd4b5d9568d37ca.exe (PID 5008)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""

Caveat: despite the signature name, this value is not payload persistence. It is the standard cleanup entry written by the Windows IExpress/wextract self-extractor: at the next logon RunOnce invokes advpack.dll DelNodeRunDLL32 to delete the IXP000.TMP extraction directory. Two practical consequences: the presence of wextract_cleanupN tells you the outer sample is an IExpress package, and the dropped files may already be gone from a host that has rebooted, so collect them from the sandbox or from a live host before logoff.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: Crescente.exe.com (PID 1792)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Runs ping.exe (1 TTP, 1 IoC)
ping localhost -n 30 (PID 3608): 30 echo requests to loopback, about a second apart, used by the batch script as a roughly 30-second sleep rather than as a connectivity check.

Suspicious use of WriteProcessMemory (21 IoCs)
Seven parent-to-child writes, each reported three times (every child in the tree receives exactly three writes from its parent, the normal footprint of process creation, so the count alone is not an injection indicator):
- 5008 67f64deda3027f9fcdd4b5d9568d37ca.exe -> 1500 cmd.exe
- 5008 67f64deda3027f9fcdd4b5d9568d37ca.exe -> 4372 cmd.exe
- 4372 cmd.exe -> 1096 cmd.exe
- 1096 cmd.exe -> 1632 findstr.exe
- 1096 cmd.exe -> 4792 Crescente.exe.com
- 1096 cmd.exe -> 3608 PING.EXE
- 4792 Crescente.exe.com -> 1792 Crescente.exe.com
The pair to look at is 4792 -> 1792: the CryptBot YARA matches are on PID 1792's memory.
Processes

1. C:\Users\Admin\AppData\Local\Temp\67f64deda3027f9fcdd4b5d9568d37ca.exe (PID 5008)
   Command line: "C:\Users\Admin\AppData\Local\Temp\67f64deda3027f9fcdd4b5d9568d37ca.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 1500)
      Command line: cmd /c JUQpepOg
   2. C:\Windows\SysWOW64\cmd.exe (PID 4372)
      Command line: cmd /c cmd < Ecco.xlm
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 1096)
         Command line: cmd
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\findstr.exe (PID 1632)
            Command line: findstr /V /R "^eNKbLEuNmZeVzmbqrPjFSkfDWrCYKYlVKuwVuMOOuBEruoAlgWCLlQPRnuBIwoeBOikjbBUdwnnsGkbNCsJOcmLTslbZlyMXnrgZWhNMejJLsnljJOyKmgufcsVht$" Vento.xlm
         4. C:\Windows\SysWOW64\PING.EXE (PID 3608)
            Command line: ping localhost -n 30
            - Runs ping.exe
         4. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crescente.exe.com (PID 4792)
            Command line: Crescente.exe.com W
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
1. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crescente.exe.com (PID 1792)
   Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crescente.exe.com W
   - Executes dropped EXE
   - Checks processor information in registry
   (Listed by the sandbox at the top level, but the WriteProcessMemory IoCs record PID 4792 writing into it, so it is the child of the first Crescente.exe.com instance.)

Reading the chain: the outer sample is an IExpress self-extractor (IXP000.TMP working directory, wextract_cleanup0 RunOnce entry); the other task samples (Ecco.xlm, Par.xlm, Vento.xlm, Sommesso.ps1) are consistent with being its package contents. "cmd /c cmd < Ecco.xlm" feeds Ecco.xlm to cmd.exe on standard input, so the batch script never exists on disk with a .bat or .cmd extension. That script runs findstr with /V (print non-matching lines) and /R (regex) against Vento.xlm, which outputs every line of the file except those equal to the long alphanumeric marker; the sandbox does not show where that output is redirected, but the result is consistent with Vento.xlm being a PE padded with marker lines and Crescente.exe.com being the rebuilt PE (Windows executes a file by its header, not its extension, so a PE named .com runs normally). ping localhost -n 30 is a sleep of about 30 seconds. Crescente.exe.com W then starts a second copy of itself (PID 1792), and the CryptBot YARA matches are on that instance, so PID 1792 is the process to dump for the unpacked stealer. The purpose of "cmd /c JUQpepOg" (PID 1500) is not shown.
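The chain above is recognisable from process-creation and registry telemetry alone, without the YARA hit. The following is an added example (Python, not code from the sandbox or the malware) that runs five narrow rules over Sysmon-style events and then correlates the findstr carve, the ping sleep and the dropped *.exe.com launch back to a common cmd.exe ancestor, so that the three only raise the verdict when one script spawned all of them. The event dicts are constructed from the command lines and the registry IoC in this report; the field names (eid, pid, ppid, image, cmdline, target, details), the placeholder parent PID 1000 for the root process, and the thresholds (ping count of at least 5, marker of at least 16 alphanumeric characters, separate /V and /R switches) are assumptions.

```python
"""Detection over Sysmon-style process-create (EID 1) and registry-set (EID 13) events
for the chain in the report: IExpress extraction -> cmd fed a script on stdin -> findstr
junk-line carve -> ping sleep -> dropped *.exe.com. Added example, not from the sandbox.
Event dicts are constructed from the report; the field names are an assumed schema."""
import re
from typing import Dict, List, Optional

IXP_DIR = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.I)  # wextract work dir
WEXTRACT_CLEANUP = re.compile(r"\\CurrentVersion\\RunOnce\\wextract_cleanup\d+$", re.I)
STDIN_SCRIPT = re.compile(r"\bcmd(?:\.exe)?\s+/c\s+cmd(?:\.exe)?\s*<\s*\S+", re.I)  # script via stdin
# findstr /V (invert) and /R (regex) anchored on a long alphanumeric marker line: PE rebuild from a decoy.
FINDSTR_CARVE = re.compile(r'\bfindstr(?:\.exe)?(?=.*\s/v\b)(?=.*\s/r\b).*?"\^[A-Za-z0-9]{16,}\$"', re.I)
PING_SLEEP = re.compile(r"\bping(?:\.exe)?\b(?=.*\s-n\s+(\d+)\b)(?=.*\s(?:localhost|127\.0\.0\.1)\b)", re.I)
DOUBLE_EXT = re.compile(r"\\[^\\]+\.exe\.com$", re.I)  # dropped *.exe.com

TMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SYSWOW = "C:\\Windows\\SysWOW64\\"
MARKER = ("eNKbLEuNmZeVzmbqrPjFSkfDWrCYKYlVKuwVuMOOuBEruoAlgWCLlQPRnuBIwoeBOikjbB"
          "UdwnnsGkbNCsJOcmLTslbZlyMXnrgZWhNMejJLsnljJOyKmgufcsVht")  # from the report
SAMPLE_EVENTS: List[Dict] = [  # constructed from the report's process tree; ppid 1000 is a placeholder
    {"eid": 1, "pid": 5008, "ppid": 1000, "image": TMP + "67f64deda3027f9fcdd4b5d9568d37ca.exe",
     "cmdline": '"' + TMP + '67f64deda3027f9fcdd4b5d9568d37ca.exe"'},
    {"eid": 13, "pid": 5008, "image": TMP + "67f64deda3027f9fcdd4b5d9568d37ca.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "' + TMP + r'IXP000.TMP\"'},
    {"eid": 1, "pid": 1500, "ppid": 5008, "image": SYSWOW + "cmd.exe", "cmdline": "cmd /c JUQpepOg"},
    {"eid": 1, "pid": 4372, "ppid": 5008, "image": SYSWOW + "cmd.exe", "cmdline": "cmd /c cmd < Ecco.xlm"},
    {"eid": 1, "pid": 1096, "ppid": 4372, "image": SYSWOW + "cmd.exe", "cmdline": "cmd"},
    {"eid": 1, "pid": 1632, "ppid": 1096, "image": SYSWOW + "findstr.exe",
     "cmdline": 'findstr /V /R "^' + MARKER + '$" Vento.xlm'},
    {"eid": 1, "pid": 3608, "ppid": 1096, "image": SYSWOW + "PING.EXE", "cmdline": "ping localhost -n 30"},
    {"eid": 1, "pid": 4792, "ppid": 1096, "image": TMP + "IXP000.TMP\\Crescente.exe.com",
     "cmdline": "Crescente.exe.com W"},
    {"eid": 1, "pid": 1792, "ppid": 4792, "image": TMP + "IXP000.TMP\\Crescente.exe.com",
     "cmdline": TMP + "IXP000.TMP\\Crescente.exe.com W"},
]


def lineage(pid: int, by_pid: Dict[int, Dict]) -> List[int]:
    """[pid, parent, grandparent, ...] as far as the events describe; loop-safe."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def match_events(events: List[Dict]) -> List[Dict]:
    """Per-event findings; each carries the PID so it can be correlated afterwards."""
    findings = []
    for e in events:
        if e["eid"] == 13 and WEXTRACT_CLEANUP.search(e["target"]):
            d = IXP_DIR.search(e["details"])
            findings.append({"rule": "iexpress_extract", "pid": e["pid"],
                             "detail": d.group(0) if d else e["details"]})
        if e["eid"] != 1:
            continue
        cl, img = e["cmdline"], e["image"]
        if STDIN_SCRIPT.search(cl):
            findings.append({"rule": "cmd_stdin_script", "pid": e["pid"], "detail": cl})
        if FINDSTR_CARVE.search(cl):
            findings.append({"rule": "findstr_line_carve", "pid": e["pid"], "detail": cl})
        m = PING_SLEEP.search(cl)
        if m and int(m.group(1)) >= 5:  # small counts are ordinary connectivity checks
            findings.append({"rule": "ping_sleep", "pid": e["pid"], "seconds": int(m.group(1))})
        if DOUBLE_EXT.search(img) and IXP_DIR.search(img):
            findings.append({"rule": "double_ext_from_ixp", "pid": e["pid"], "detail": img})
    return findings


def carve_chain_root(findings: List[Dict], by_pid: Dict[int, Dict]) -> Optional[int]:
    """Nearest common cmd.exe ancestor of the carve, the sleep and the dropped-EXE launch.
    None means the three signals were not all spawned by one script."""
    wanted = {"findstr_line_carve", "ping_sleep", "double_ext_from_ixp"}
    if len({f["rule"] for f in findings} & wanted) < 3:
        return None
    chains = [lineage(f["pid"], by_pid) for f in findings if f["rule"] in wanted]
    common = set(chains[0]).intersection(*chains[1:])
    for p in chains[0]:  # ordered child -> root, so the first shared PID is the nearest
        if p in common and by_pid[p]["image"].lower().endswith("\\cmd.exe"):
            return p
    return None


def analyse(events: List[Dict]) -> Dict:
    by_pid = {e["pid"]: e for e in events if e["eid"] == 1}
    findings = match_events(events)
    root = carve_chain_root(findings, by_pid)
    if root is not None and any(f["rule"] == "iexpress_extract" for f in findings):
        verdict = "iexpress_batch_carve_chain"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"findings": findings, "chain_root": root, "verdict": verdict}
```

On the report's tree analyse() resolves the common ancestor to PID 1096 (the cmd.exe that received the script on stdin) and returns the full verdict; removing the ping event drops it to "suspicious", which is the intended behaviour: each rule alone fires on legitimate installers and batch files often enough that the correlation, not the individual match, should drive alerting.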
Network
MITRE ATT&CK Enterprise v15
Downloads

Files written or fetched during the run, as reported by the sandbox. File names are not given; match entries to the task samples above, and to any payload you recover, by hash.

1. 85KB
   MD5    2b2d827b18a7262022a31bdc0d0ce185
   SHA1   8d5ea6d34e1135ed9be1d64da1caf246cc420534
   SHA256 e8d1898493feb437e491834b473595d727b71602620930475b94db28f6e8a1ab
   SHA512 a03d45517222365a649e7f280d6f0fe0d7195b1d1c1583e5126f5e3542af0c1f5900ac936bc02cfd17e41a8e5eca586e94474815a8f7af0b6d1670a79827e4ef

2. 25KB
   MD5    069df712884c8b042312281c65b97ca6
   SHA1   cc170e59b00a2bfa3e71a020d7f156c49f805384
   SHA256 80fba0098a0b397c058c4a83d5dd72dbd098f3cf8e794210f30002ffb8ae8514
   SHA512 d2a71de6db47c40dd2b5fb597fb384c59163b1f2e67eb5373626506d7eb312c10bccd672e2f50ff9daec66a08cb1b1a87c58b41f2a97c30f7d99d0b42d046fe3

3. 313KB
   MD5    c78fe2fdd481558e8cff60758186f17e
   SHA1   a68f3dc1f5a3c3c892ef9557e7784315df88b51e
   SHA256 c9fb34ccb8335b1d8934f32858c24153a3797e9117f93c7ce6f371fc2919967d
   SHA512 538d27f0ee6d1b8856ba0db9ffb5fea6cd80698dd840afdc30235cdd0bee18368a0be2272286fdb7c74fa41c35391fcb6f99d863f383f4eb22c2798dc001e55a

4. 499B
   MD5    2aff5060ef4f5d995d554450516532bb
   SHA1   2fc0f1b6ead08bbca6241c95d72c85de0a2ca735
   SHA256 2f0a4a9283fb38f5f88376fa00844eb3141e1a0492ed42b38918df92c6f365e3
   SHA512 798d0d5f1bfbc18e094c80329b4ab873517165f986b1bacdaaf3558af72b54870be5e4055600127950eda52ae4dedba653f87354fc48ddc8c1c261cbd67b9f7a

5. 57KB
   MD5    5b336c4d8041df6015d576a6d97e10ff
   SHA1   fb49face08bd9a370d5c05b4783d3e1ee6dd6966
   SHA256 f6c07df80f43d98abcfa77bcc147262236242f51f59b8d4461762c2729f3a09a
   SHA512 a6932660dd31fe0efe29521cd66ba69d8aeb60291c5d63b835e9f64abe1826c0221ef02c8ad5747e08521eaaf17dfa382ace8e15245e8588066b155edfee8458

6. 100KB
   MD5    6cda557f8a50d25159dca725c2def6c8
   SHA1   b248faeeac13ae6dfcfd54b0eb7302977e034913
   SHA256 9fe940e08558ddb44a4e6558a5342a2d35390a961282e6cc38aaadd3a254b437
   SHA512 16b66ad800b9abf82eeab8611daae0665e37dc6601983e30ea7472f8f23f3e55630f0d8ebe1de1217979ad69203a9d0cad1d4bfff60204dc1f346952b2ab3b83

7. 90KB
   MD5    07a145be8cb7819d0232385ae95a7556
   SHA1   52b8fe1fc2160c3cbb0774820153f37aa7b3f037
   SHA256 3cfe319b83966e9fa8e280d13dc7726b4416e2f448529d5a8943910250449628
   SHA512 e45f5c465484ad806c64871234a8bf1e9150502a6846a6b316c0aed3c30649ccaadbec222d8a08a92b72aaa5ef7d1d4905a4b256efa0e89a7fc3c8eaeea41420

8. 57KB
   MD5    7a3c332d51eabe3ae9d04398ebb9ea3a
   SHA1   fe641697ae3a15374c2b38279c9389bedc2bd6c4
   SHA256 4609d46d70d4fa736dee89295a2628418191ecba96fb2f58f4f75fd02cd6e564
   SHA512 58f0e7d94bdda29c27d99650a7211ae7ff0b5593eebbffc61238571fddc8372e5dc05d5117998662fe9a9ae9506b9734489d9fe3bfdf0feecdce208b84592df0

9. 37KB
   MD5    b8e8e5f097fca6e2f8a11258fa11874f
   SHA1   0229e1736f1321344b2e6941dd27b9cc3e9de626
   SHA256 2da77d7d0f0e7b7dd27ab5ba79c4bebd612a7cc93433301ec490684352bfb393
   SHA512 b16297b2c136d40389f165adaa4918c0215addbf58ea60d590b679d044bf3570fddc883a6a2e1717a09e508f5d09816a0bf392047aea975db4c87157edb66f7d

10. 1KB
   MD5    a7105f6a85fd8164f5a50ee70d285230
   SHA1   3b015fee55f0c7f4cc2acfdc75029d03d3763baa
   SHA256 5624c4d40e3097f742cc1196679dfd3a6daf102172a86eea40237fa4d6b029d1
   SHA512 95829995903e3e5bf20f84ed49145adef3e771ddcfdb239a2263db8bf1391643556e6a7349d6fd47044c40c248e3eff57b75d05b6c3c72e95b4af0c0a0a070f2

11. 4KB
   MD5    a07c3eb2d6942d0e2b149a238eae7f62
   SHA1   e9fdf308a89145161dfc4d5255d072d5a787a0e2
   SHA256 e92238b4b989532f989b7c779d20575a19f90dfb12a42181199ceccb7398f54f
   SHA512 d9e41d95891310f2f2df300d5253483cab9c01a34d4c2364de138d2d7fce3f0f7fef47773dc171a9ef188ff90062639c50b91cc9fc5a56fdd0e2366fc2f55065

12. 43KB
   MD5    f8235810deb2086d17b04df042394502
   SHA1   b4afc129638d0e76a5cce0b752007cd1a63dab91
   SHA256 78124668a300c5665c75499ba819350d5759723b51d8d139498d416432c9614f
   SHA512 b147d62f6c02663e0b1aea421c16a422ac71e7024083809171dac64c12e8fe4c93385f53ce968e68e6ebcb3bb3c400d2e78f44dface9d68070aa0d90fa675ef1

13. 1KB
   MD5    249ebe6f9aba0ff819b737e370ca84e7
   SHA1   d2646d6b47b8ad8b3ae3af4f4e0f0600912896b0
   SHA256 0f1170ffbf7d4dac358f830052b271789d26b6d25958cdf9fb5fdeaea5ba97bb
   SHA512 c6bbaee436bbbc9e313febc8bb5101e8722d95a38ad3252480f39b53b4b5b35af3fb00332fef4b759d9ced4058ffd5166899066196651b9fc777b3cc79db7640

14. 1KB
   MD5    d55a657103664b1b2319d2432c79aa7d
   SHA1   61f91fa3b7a67017b6cc78be6279604ba9bdabf1
   SHA256 6632da31d144afca7458fbcf13747b5d535059c75a2429e130a2ec1ac6c3ee44
   SHA512 4995b3db60d70a3523ce607fdd228457905bb131752788de2becf7c83550f2a6ba0bc4de8f5913a4c7c3e985a8f4b5fdf05869383ae82084a5b4ae47a0665efb

15. 4KB
   MD5    75c2c0018750153e89581707bc00ccd3
   SHA1   089bc8ee6ed5d91151201f600f2ff4860ece8717
   SHA256 aea23cc7db39eb62271697c3ec8743c271a0b735bdb73da961f26ec7f8be7c28
   SHA512 7e75e7f65ef55990c7f4ec1d01f4946bc72c4a8d01e57c610520ae5597d3638c2fa7c432745dddff70cadb511125c797adc73c0a926fa8688b3ecbd245179215
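The Downloads list hashes files as they were dropped. For a carrier like Vento.xlm, the hash worth pivoting on is that of the PE recovered after the findstr step in the process tree removes the marker lines, because that is the file that actually executes and the one other sandboxes and threat-intel feeds will know. The following is an added example (Python, not code from the report or the malware) that emulates `findstr /V /R "^<marker>$" <file>` offline: it guesses the marker as the most frequent line consisting only of a long alphanumeric run, drops every line equal to it, validates the result by MZ/PE header and hashes it. The decoy layout (a PE with `marker\r\n` inserted after existing LF bytes) is an assumption about how these .xlm carriers are built, the payload is a constructed header-only stand-in rather than the real Crescente.exe.com, and findstr's own line-ending and line-length quirks are not modelled, which is why the recovered bytes are checked rather than trusted. MARKER is the string from the report's findstr command line.

```python
"""Recover the PE hidden in a findstr-carve decoy and hash it.
Added example, not code from the sandbox report or the malware. Emulates the filter
`findstr /V /R "^<marker>$" <file>`: every line that is exactly the marker is dropped,
all other bytes are kept. The decoy layout built by pollute() is an assumption."""
import hashlib
import re
import struct
from collections import Counter
from typing import Dict, Optional

MARKER = (b"eNKbLEuNmZeVzmbqrPjFSkfDWrCYKYlVKuwVuMOOuBEruoAlgWCLlQPRnuBIwoeBOikjbB"
          b"UdwnnsGkbNCsJOcmLTslbZlyMXnrgZWhNMejJLsnljJOyKmgufcsVht")  # from the report
JUNK_LINE = re.compile(rb"^[A-Za-z0-9]{32,}$")  # a line that is nothing but a long alnum run


def build_fake_pe() -> bytes:
    """Constructed stand-in for the real payload: satisfies only the MZ/PE header checks,
    and contains a few 0x0A bytes the way any real binary incidentally does."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> PE signature at 0x80
    hdr[0x80:0x84] = b"PE\0\0"
    for off in (0x20, 0x60, 0xA0, 0xE0):
        hdr[off:off + 2] = b"\r\n"
    return bytes(hdr) + bytes(range(256)) * 4


def pollute(pe: bytes, marker: bytes) -> bytes:
    """Build the decoy (assumed layout): a marker line after every LF already in the payload."""
    return pe.replace(b"\n", b"\n" + marker + b"\r\n")


def find_marker(blob: bytes) -> Optional[bytes]:
    """Guess the junk line: the most frequent all-alphanumeric line, provided it repeats."""
    counts = Counter(line.rstrip(b"\r") for line in blob.split(b"\n")
                     if JUNK_LINE.match(line.rstrip(b"\r")))
    if not counts:
        return None
    marker, n = counts.most_common(1)[0]
    return marker if n >= 2 else None


def carve(blob: bytes, marker: bytes) -> bytes:
    """findstr /V /R "^marker$": keep every line that is not exactly the marker."""
    return b"\n".join(line for line in blob.split(b"\n") if line.rstrip(b"\r") != marker)


def looks_like_pe(data: bytes) -> bool:
    """MZ at offset 0 and 'PE\\0\\0' at e_lfanew; enough to tell a rebuilt PE from noise."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage_decoy(blob: bytes) -> Dict:
    """Detect a marker, carve, validate and hash the result; a blob with no repeated junk
    line is passed through unchanged so the same hash pivot works on plain files."""
    marker = find_marker(blob)
    payload = carve(blob, marker) if marker else blob
    return {"marker": marker,
            "junk_lines": blob.count(marker) if marker else 0,
            "is_pe": looks_like_pe(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "payload": payload}
```

Run against a real carrier, triage_decoy() gives you the marker (a good per-sample string for a YARA rule on the dropper package), the payload's SHA256 to search on, and a header check that fails loudly if the layout assumption does not hold for that sample.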