Analysis

  • max time kernel
    35s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-01-2024 15:23

General

  • Target

    67f64deda3027f9fcdd4b5d9568d37ca.exe

  • Size

    1.5MB

  • MD5

    67f64deda3027f9fcdd4b5d9568d37ca

  • SHA1

    a0282c1308618988507d893ff0cf4210f48b8434

  • SHA256

    4100053b3cc8236c5fefd63c3773e81c5daea40638bcafc588b2127d9a191670

  • SHA512

    1004cb0635793106001a6aae43f82c53f21e20a24ad19d0a7e7904cc86fd76dc39aad4b6d9397274f640bec196559cc781260e45f82e123297161d041d9aa3b8

  • SSDEEP

    49152:No/WVBIH536/5KXqU4lcv/BVHoj2RCtR3l:NoeVB4536/s6Ulvpt

Malware Config

Extracted

Family

cryptbot

C2

ewauhc58.top

morexn05.top

Attributes
  • payload_url

    http://winorm07.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ stealer, widely distributed bundled with other software.

  • CryptBot payload 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67f64deda3027f9fcdd4b5d9568d37ca.exe
    "C:\Users\Admin\AppData\Local\Temp\67f64deda3027f9fcdd4b5d9568d37ca.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5008
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c JUQpepOg
      2⤵
        PID:1500
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c cmd < Ecco.xlm
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4372
        • C:\Windows\SysWOW64\cmd.exe
          cmd
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1096
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^eNKbLEuNmZeVzmbqrPjFSkfDWrCYKYlVKuwVuMOOuBEruoAlgWCLlQPRnuBIwoeBOikjbBUdwnnsGkbNCsJOcmLTslbZlyMXnrgZWhNMejJLsnljJOyKmgufcsVht$" Vento.xlm
            4⤵
              PID:1632
            • C:\Windows\SysWOW64\PING.EXE
              ping localhost -n 30
              4⤵
              • Runs ping.exe
              PID:3608
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crescente.exe.com
              Crescente.exe.com W
              4⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4792
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crescente.exe.com
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crescente.exe.com W
        1⤵
        • Executes dropped EXE
        • Checks processor information in registry
        PID:1792
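The chain above is a common living-off-the-land loader pattern: `cmd < Ecco.xlm` feeds the 499-byte script to cmd.exe through stdin, `findstr /V /R "^…$" Vento.xlm` prints every line of the carrier file except the one consisting solely of the long junk literal (the redirect that writes the result to disk sits inside the script, so it does not show in the tree), `ping localhost -n 30` is a roughly 30-second sleep, and `Crescente.exe.com W` then runs the dropped double-extension executable from the IExpress-style temp directory `IXP000.TMP` with the 57 KB file `W` as its argument. The following is an added example, not part of the sandbox report: a Python detector that tags process-creation events for these four behaviours and raises one alert per process tree when two or more of them co-occur. The event list is constructed from the report's tree (PIDs and command lines copied from it, plus benign noise to show the rules stay quiet on ordinary use); the `pid`/`ppid`/`image`/`cmdline` field names are an assumption modelled on Sysmon Event ID 1, not the report's own schema.

```python
"""Flag the cmd / findstr / ping / .exe.com loader chain from the process tree.

Added example, not part of the report. EVENTS is constructed from the tree above;
field names are an assumption modelled on Sysmon Event ID 1.
"""
import re
from collections import defaultdict

# Constructed process-creation events: PIDs and command lines copied from the tree,
# followed by benign noise (PIDs 7000-7002) that must not trigger the rules.
EVENTS = [
    {"pid": 5008, "ppid": 4000, "image": r"C:\Users\Admin\AppData\Local\Temp\67f64deda3027f9fcdd4b5d9568d37ca.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\67f64deda3027f9fcdd4b5d9568d37ca.exe"'},
    {"pid": 1500, "ppid": 5008, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd /c JUQpepOg"},
    {"pid": 4372, "ppid": 5008, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd /c cmd < Ecco.xlm"},
    {"pid": 1096, "ppid": 4372, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd"},
    {"pid": 1632, "ppid": 1096, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": 'findstr /V /R "^eNKbLEuNmZeVzmbqrPjFSkfDWrCYKYlVKuwVuMOOuBEruoAlgWCLlQPRnuBIwoeBOikjbBUdwnnsGkbNCsJOcmLTslbZlyMXnrgZWhNMejJLsnljJOyKmgufcsVht$" Vento.xlm'},
    {"pid": 3608, "ppid": 1096, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping localhost -n 30"},
    {"pid": 4792, "ppid": 1096, "image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crescente.exe.com",
     "cmdline": "Crescente.exe.com W"},
    {"pid": 7000, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c build.bat"},
    {"pid": 7001, "ppid": 7000, "image": r"C:\Windows\System32\findstr.exe", "cmdline": 'findstr /I "error" build.log'},
    {"pid": 7002, "ppid": 7000, "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping 10.0.0.1 -n 2"},
]


# Each rule returns a short tag when the event matches, otherwise None.
def r_stdin_script(ev):
    # cmd.exe fed a script through stdin from a file that is not a batch file
    m = re.search(r'<\s*"?([^\s"]+)', ev["cmdline"])
    if ev["image"].lower().endswith("cmd.exe") and m \
            and not m.group(1).lower().endswith((".bat", ".cmd", ".txt")):
        return "cmd-stdin-redirect"


def r_findstr_strip(ev):
    # findstr /V with an anchored long alphanumeric literal strips a marker line from a carrier file
    if ev["image"].lower().endswith("findstr.exe") and re.search(r"(?i)(^|\s)/v\b", ev["cmdline"]):
        if re.search(r'"\^[A-Za-z0-9]{40,}\$"', ev["cmdline"]):
            return "findstr-marker-strip"


def r_ping_sleep(ev):
    # ping to localhost with a large -n count is a sleep, not a connectivity test
    m = re.search(r"(?i)ping\s+(localhost|127\.0\.0\.1)\b.*-n\s+(\d+)", ev["cmdline"])
    if m and int(m.group(2)) >= 10:
        return "ping-sleep"


def r_double_ext_temp(ev):
    # payload with a misleading double extension, or anything launched from an IXPnnn.TMP directory
    img = ev["image"].lower()
    if re.search(r"\\temp\\ixp\d{3}\.tmp\\", img) or img.endswith(".exe.com"):
        return "temp-double-extension-exec"


RULES = [r_stdin_script, r_findstr_strip, r_ping_sleep, r_double_ext_temp]


def detect(events):
    """Return {root_pid: sorted tags} for every process tree carrying two or more distinct tags."""
    parent = {e["pid"]: e["ppid"] for e in events}

    def root(pid):
        # walk up until the parent is a process we have no event for
        while parent.get(pid) in parent:
            pid = parent[pid]
        return pid

    hits = defaultdict(set)
    for ev in events:
        for rule in RULES:
            tag = rule(ev)
            if tag:
                hits[root(ev["pid"])].add(tag)
    return {pid: sorted(tags) for pid, tags in hits.items() if len(tags) >= 2}


if __name__ == "__main__":
    for pid, tags in detect(EVENTS).items():
        print(f"alert: root PID {pid}: {', '.join(tags)}")
```

Run it directly to print the alert for the tree rooted at PID 5008; on real telemetry, feed Sysmon Event ID 1 or EDR process events into `detect`. Requiring two tags per tree keeps a lone `ping localhost -n 30` in an admin script from paging anyone; the thresholds (40-character literal, `-n` of 10 or more) are starting points to tune.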

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crescente.exe.com

        Filesize

        85KB

        MD5

        2b2d827b18a7262022a31bdc0d0ce185

        SHA1

        8d5ea6d34e1135ed9be1d64da1caf246cc420534

        SHA256

        e8d1898493feb437e491834b473595d727b71602620930475b94db28f6e8a1ab

        SHA512

        a03d45517222365a649e7f280d6f0fe0d7195b1d1c1583e5126f5e3542af0c1f5900ac936bc02cfd17e41a8e5eca586e94474815a8f7af0b6d1670a79827e4ef

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crescente.exe.com

        Filesize

        25KB

        MD5

        069df712884c8b042312281c65b97ca6

        SHA1

        cc170e59b00a2bfa3e71a020d7f156c49f805384

        SHA256

        80fba0098a0b397c058c4a83d5dd72dbd098f3cf8e794210f30002ffb8ae8514

        SHA512

        d2a71de6db47c40dd2b5fb597fb384c59163b1f2e67eb5373626506d7eb312c10bccd672e2f50ff9daec66a08cb1b1a87c58b41f2a97c30f7d99d0b42d046fe3

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crescente.exe.com

        Filesize

        313KB

        MD5

        c78fe2fdd481558e8cff60758186f17e

        SHA1

        a68f3dc1f5a3c3c892ef9557e7784315df88b51e

        SHA256

        c9fb34ccb8335b1d8934f32858c24153a3797e9117f93c7ce6f371fc2919967d

        SHA512

        538d27f0ee6d1b8856ba0db9ffb5fea6cd80698dd840afdc30235cdd0bee18368a0be2272286fdb7c74fa41c35391fcb6f99d863f383f4eb22c2798dc001e55a

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ecco.xlm

        Filesize

        499B

        MD5

        2aff5060ef4f5d995d554450516532bb

        SHA1

        2fc0f1b6ead08bbca6241c95d72c85de0a2ca735

        SHA256

        2f0a4a9283fb38f5f88376fa00844eb3141e1a0492ed42b38918df92c6f365e3

        SHA512

        798d0d5f1bfbc18e094c80329b4ab873517165f986b1bacdaaf3558af72b54870be5e4055600127950eda52ae4dedba653f87354fc48ddc8c1c261cbd67b9f7a

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Par.xlm

        Filesize

        57KB

        MD5

        5b336c4d8041df6015d576a6d97e10ff

        SHA1

        fb49face08bd9a370d5c05b4783d3e1ee6dd6966

        SHA256

        f6c07df80f43d98abcfa77bcc147262236242f51f59b8d4461762c2729f3a09a

        SHA512

        a6932660dd31fe0efe29521cd66ba69d8aeb60291c5d63b835e9f64abe1826c0221ef02c8ad5747e08521eaaf17dfa382ace8e15245e8588066b155edfee8458

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sommesso.xlm

        Filesize

        100KB

        MD5

        6cda557f8a50d25159dca725c2def6c8

        SHA1

        b248faeeac13ae6dfcfd54b0eb7302977e034913

        SHA256

        9fe940e08558ddb44a4e6558a5342a2d35390a961282e6cc38aaadd3a254b437

        SHA512

        16b66ad800b9abf82eeab8611daae0665e37dc6601983e30ea7472f8f23f3e55630f0d8ebe1de1217979ad69203a9d0cad1d4bfff60204dc1f346952b2ab3b83

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vento.xlm

        Filesize

        90KB

        MD5

        07a145be8cb7819d0232385ae95a7556

        SHA1

        52b8fe1fc2160c3cbb0774820153f37aa7b3f037

        SHA256

        3cfe319b83966e9fa8e280d13dc7726b4416e2f448529d5a8943910250449628

        SHA512

        e45f5c465484ad806c64871234a8bf1e9150502a6846a6b316c0aed3c30649ccaadbec222d8a08a92b72aaa5ef7d1d4905a4b256efa0e89a7fc3c8eaeea41420

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W

        Filesize

        57KB

        MD5

        7a3c332d51eabe3ae9d04398ebb9ea3a

        SHA1

        fe641697ae3a15374c2b38279c9389bedc2bd6c4

        SHA256

        4609d46d70d4fa736dee89295a2628418191ecba96fb2f58f4f75fd02cd6e564

        SHA512

        58f0e7d94bdda29c27d99650a7211ae7ff0b5593eebbffc61238571fddc8372e5dc05d5117998662fe9a9ae9506b9734489d9fe3bfdf0feecdce208b84592df0

      • C:\Users\Admin\AppData\Local\Temp\UDplCliW1\0utHfeupBiVIbn.zip

        Filesize

        37KB

        MD5

        b8e8e5f097fca6e2f8a11258fa11874f

        SHA1

        0229e1736f1321344b2e6941dd27b9cc3e9de626

        SHA256

        2da77d7d0f0e7b7dd27ab5ba79c4bebd612a7cc93433301ec490684352bfb393

        SHA512

        b16297b2c136d40389f165adaa4918c0215addbf58ea60d590b679d044bf3570fddc883a6a2e1717a09e508f5d09816a0bf392047aea975db4c87157edb66f7d

      • C:\Users\Admin\AppData\Local\Temp\UDplCliW1\_Files\_Information.txt

        Filesize

        1KB

        MD5

        a7105f6a85fd8164f5a50ee70d285230

        SHA1

        3b015fee55f0c7f4cc2acfdc75029d03d3763baa

        SHA256

        5624c4d40e3097f742cc1196679dfd3a6daf102172a86eea40237fa4d6b029d1

        SHA512

        95829995903e3e5bf20f84ed49145adef3e771ddcfdb239a2263db8bf1391643556e6a7349d6fd47044c40c248e3eff57b75d05b6c3c72e95b4af0c0a0a070f2

      • C:\Users\Admin\AppData\Local\Temp\UDplCliW1\_Files\_Information.txt

        Filesize

        4KB

        MD5

        a07c3eb2d6942d0e2b149a238eae7f62

        SHA1

        e9fdf308a89145161dfc4d5255d072d5a787a0e2

        SHA256

        e92238b4b989532f989b7c779d20575a19f90dfb12a42181199ceccb7398f54f

        SHA512

        d9e41d95891310f2f2df300d5253483cab9c01a34d4c2364de138d2d7fce3f0f7fef47773dc171a9ef188ff90062639c50b91cc9fc5a56fdd0e2366fc2f55065

      • C:\Users\Admin\AppData\Local\Temp\UDplCliW1\_Files\_Screen_Desktop.jpeg

        Filesize

        43KB

        MD5

        f8235810deb2086d17b04df042394502

        SHA1

        b4afc129638d0e76a5cce0b752007cd1a63dab91

        SHA256

        78124668a300c5665c75499ba819350d5759723b51d8d139498d416432c9614f

        SHA512

        b147d62f6c02663e0b1aea421c16a422ac71e7024083809171dac64c12e8fe4c93385f53ce968e68e6ebcb3bb3c400d2e78f44dface9d68070aa0d90fa675ef1

      • C:\Users\Admin\AppData\Local\Temp\UDplCliW1\files_\system_info.txt

        Filesize

        1KB

        MD5

        249ebe6f9aba0ff819b737e370ca84e7

        SHA1

        d2646d6b47b8ad8b3ae3af4f4e0f0600912896b0

        SHA256

        0f1170ffbf7d4dac358f830052b271789d26b6d25958cdf9fb5fdeaea5ba97bb

        SHA512

        c6bbaee436bbbc9e313febc8bb5101e8722d95a38ad3252480f39b53b4b5b35af3fb00332fef4b759d9ced4058ffd5166899066196651b9fc777b3cc79db7640

      • C:\Users\Admin\AppData\Local\Temp\UDplCliW1\files_\system_info.txt

        Filesize

        1KB

        MD5

        d55a657103664b1b2319d2432c79aa7d

        SHA1

        61f91fa3b7a67017b6cc78be6279604ba9bdabf1

        SHA256

        6632da31d144afca7458fbcf13747b5d535059c75a2429e130a2ec1ac6c3ee44

        SHA512

        4995b3db60d70a3523ce607fdd228457905bb131752788de2becf7c83550f2a6ba0bc4de8f5913a4c7c3e985a8f4b5fdf05869383ae82084a5b4ae47a0665efb

      • C:\Users\Admin\AppData\Local\Temp\UDplCliW1\files_\system_info.txt

        Filesize

        4KB

        MD5

        75c2c0018750153e89581707bc00ccd3

        SHA1

        089bc8ee6ed5d91151201f600f2ff4860ece8717

        SHA256

        aea23cc7db39eb62271697c3ec8743c271a0b735bdb73da961f26ec7f8be7c28

        SHA512

        7e75e7f65ef55990c7f4ec1d01f4946bc72c4a8d01e57c610520ae5597d3638c2fa7c432745dddff70cadb511125c797adc73c0a926fa8688b3ecbd245179215

      • memory/1792-29-0x00000000042D0000-0x0000000004373000-memory.dmp

        Filesize

        652KB

      • memory/1792-24-0x00000000042D0000-0x0000000004373000-memory.dmp

        Filesize

        652KB

      • memory/1792-27-0x00000000042D0000-0x0000000004373000-memory.dmp

        Filesize

        652KB

      • memory/1792-22-0x00000000042D0000-0x0000000004373000-memory.dmp

        Filesize

        652KB

      • memory/1792-23-0x00000000042D0000-0x0000000004373000-memory.dmp

        Filesize

        652KB

      • memory/1792-25-0x00000000042D0000-0x0000000004373000-memory.dmp

        Filesize

        652KB

      • memory/1792-26-0x00000000042D0000-0x0000000004373000-memory.dmp

        Filesize

        652KB

      • memory/1792-21-0x0000000001030000-0x0000000001031000-memory.dmp

        Filesize

        4KB

      • memory/1792-236-0x00000000042D0000-0x0000000004373000-memory.dmp

        Filesize

        652KB
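The Downloads list above records the same path more than once with different sizes and hashes (Crescente.exe.com at 85 KB, 25 KB and 313 KB; _Information.txt and system_info.txt likewise), which is what a file written or rebuilt in stages looks like in a sandbox's file-write log; every one of those hashes is still a usable indicator. As an added example, not part of the report, the Python below parses entries in this layout into records, converts sizes to bytes, drops memory-dump entries (they carry no hashes), reports paths that appear with more than one distinct SHA256, flags double extensions and IXPnnn.TMP directories, and emits a deduplicated SHA256 list for a blocklist. `SAMPLE` is a constructed excerpt in the report's own layout, with the paths and hashes copied from the entries above.

```python
"""Turn a sandbox Downloads section into IoC records.

Added example, not part of the report. SAMPLE is a constructed excerpt in the
report's layout; the hashes are copied from the entries above.
"""
import re
from collections import defaultdict

SAMPLE = """
• C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\Crescente.exe.com
  Filesize
  85KB
  MD5
  2b2d827b18a7262022a31bdc0d0ce185
  SHA256
  e8d1898493feb437e491834b473595d727b71602620930475b94db28f6e8a1ab
• C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\Crescente.exe.com
  Filesize
  313KB
  MD5
  c78fe2fdd481558e8cff60758186f17e
  SHA256
  c9fb34ccb8335b1d8934f32858c24153a3797e9117f93c7ce6f371fc2919967d
• C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\Ecco.xlm
  Filesize
  499B
  MD5
  2aff5060ef4f5d995d554450516532bb
  SHA256
  2f0a4a9283fb38f5f88376fa00844eb3141e1a0492ed42b38918df92c6f365e3
• C:\\Users\\Admin\\AppData\\Local\\Temp\\UDplCliW1\\0utHfeupBiVIbn.zip
  Filesize
  37KB
  MD5
  b8e8e5f097fca6e2f8a11258fa11874f
  SHA256
  2da77d7d0f0e7b7dd27ab5ba79c4bebd612a7cc93433301ec490684352bfb393
• memory/1792-29-0x00000000042D0000-0x0000000004373000-memory.dmp
  Filesize
  652KB
"""

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
FIELDS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}


def parse_size(text):
    """'85KB' -> 87040, '499B' -> 499 (the report's units are binary prefixes)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(B|KB|MB)", text.strip())
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_downloads(text):
    """Return one dict per file entry; memory-dump entries (no hashes) are dropped."""
    records, current, pending = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("•"):            # new entry: the path follows the bullet
            current = {"path": line[1:].strip()}
            records.append(current)
        elif line in FIELDS:                # label line; the value is on the next line
            pending = line
        elif current is not None and pending:
            current[pending] = parse_size(line) if pending == "Filesize" else line.lower()
            pending = None
    return [r for r in records if not r["path"].startswith("memory/") and "SHA256" in r]


def staged_paths(records):
    """Paths recorded with more than one distinct SHA256: rewritten or assembled in stages."""
    by_path = defaultdict(set)
    for r in records:
        by_path[r["path"]].add(r["SHA256"])
    return {p: len(h) for p, h in by_path.items() if len(h) > 1}


def suspicious_names(records):
    """Double extensions (.exe.com and friends) and IExpress-style IXPnnn.TMP directories."""
    out = set()
    for r in records:
        path = r["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        if re.search(r"\.(exe|scr|com)\.(com|exe|txt)$", name) or re.search(r"\\ixp\d{3}\.tmp\\", path):
            out.add(r["path"])
    return sorted(out)


def blocklist(records, algo="SHA256"):
    """Deduplicated, sorted hash list for the given algorithm."""
    return sorted({r[algo] for r in records})


if __name__ == "__main__":
    recs = parse_downloads(SAMPLE)
    print("staged:", staged_paths(recs))
    print("suspicious:", suspicious_names(recs))
    print("\n".join(blocklist(recs)))
```

Paste the whole Downloads section into `SAMPLE` (or read it from a file) to get every hash at once; the parser keys on the label lines, so extra fields such as SHA1 and SHA512 are picked up without changes.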