Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 20-01-2024 10:21
Static task: static1
Behavioral task: behavioral1
Sample: 6a2c1831c6131eb0f59078d477f4247f.exe
Resource: win7-20231215-en
General
Target: 6a2c1831c6131eb0f59078d477f4247f.exe
Size: 610KB
MD5: 6a2c1831c6131eb0f59078d477f4247f
SHA1: c17ecf688c67d509d646023fc7634b8e497119b4
SHA256: c1d11f66c89d2b7a284d8b61092fab044066c5443250d90d2dd9f3221857900a
SHA512: df885e557808c4d5370c3ae06d4d1f9b148be9c91d449bd95f43f5d82f9fe046f6ca3c99112c600191ff0264c01509af75fa602d05faa271dfd7282edf2c5845
SSDEEP: 12288:q6nudbPYiEZ2n6k4hcMcBveeEjwAdNUHl3QyNfwLw/NIbDTyTZ6y:judbPYjFOMcBv9EMXHlXCpvO7
Malware Config
Extracted
Family: cryptbot
Domains: ewaqug42.top, morjau04.top
payload_url: http://winhaf05.top/download.php?file=lv.exe
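As an added example (not part of the sandbox report), the script below turns the indicators this page extracted, the two config domains, the payload URL and the sample hashes, into a small hunt over DNS/proxy logs and a file-hash inventory. The log lines and the inventory are constructed for illustration; the two log shapes assumed are a dnsmasq-style query line and a Squid/Apache-style access line, so the regexes will need adjusting for other formats. Only the indicators themselves come from the report.

```python
"""Hunt for the CryptBot indicators extracted in this report (domains, payload
URL, sample hashes) in DNS/proxy logs and a file-hash inventory.

Added example. The log lines and hash inventory below are constructed; only
the indicator values are copied from the report."""
import re
from urllib.parse import urlparse

# Indicators copied from the report (sample hashes + extracted config).
SAMPLE_HASHES = {
    "md5": "6a2c1831c6131eb0f59078d477f4247f",
    "sha1": "c17ecf688c67d509d646023fc7634b8e497119b4",
    "sha256": "c1d11f66c89d2b7a284d8b61092fab044066c5443250d90d2dd9f3221857900a",
}
C2_DOMAINS = {"ewaqug42.top", "morjau04.top"}
PAYLOAD_URL = "http://winhaf05.top/download.php?file=lv.exe"


def ioc_domains():
    """All domains worth alerting on: the two config domains plus the host of
    the payload URL. Subdomains of these count too (see hostname_matches)."""
    return C2_DOMAINS | {urlparse(PAYLOAD_URL).hostname}


def hostname_matches(name, iocs):
    """True when `name` is an IoC domain or a subdomain of one. Case-insensitive
    and tolerant of the trailing dot that DNS logs often write."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)


# Assumed log shapes (dnsmasq query line, Squid/Apache access line).
DNS_RE = re.compile(r"query\[A+\] (?P<qname>\S+) from (?P<src>\S+)")
PROXY_RE = re.compile(
    r'(?P<src>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]*\] "\w+ (?P<url>\S+)'
)


def scan_logs(lines):
    """Yield (source_ip, indicator, kind) for every line that touches an IoC."""
    iocs = ioc_domains()
    for line in lines:
        m = DNS_RE.search(line)
        if m:
            if hostname_matches(m["qname"], iocs):
                yield (m["src"], m["qname"].rstrip("."), "dns")
            continue
        m = PROXY_RE.search(line)
        if m:
            host = urlparse(m["url"]).hostname or ""
            if m["url"] == PAYLOAD_URL:
                yield (m["src"], m["url"], "payload_url")
            elif hostname_matches(host, iocs):
                yield (m["src"], host, "proxy")


def match_hashes(inventory):
    """Given {path: sha256}, return the paths whose hash is the sample's."""
    target = SAMPLE_HASHES["sha256"]
    return sorted(p for p, h in inventory.items() if h.lower() == target)


# Constructed sample input (not from the report).
LOG_LINES = [
    "Jan 20 10:25:01 dnsmasq[123]: query[A] ewaqug42.top from 10.0.0.7",
    "Jan 20 10:25:02 dnsmasq[123]: query[A] www.example.com from 10.0.0.7",
    "Jan 20 10:25:09 dnsmasq[123]: query[A] cdn.morjau04.top. from 10.0.0.9",
    '10.0.0.7 - - [20/Jan/2024:10:26:13 +0000] "GET http://winhaf05.top/download.php?file=lv.exe HTTP/1.1" 200 40960',
    '10.0.0.8 - - [20/Jan/2024:10:26:14 +0000] "GET http://example.org/ HTTP/1.1" 200 512',
]
INVENTORY = {
    r"C:\Users\user\Downloads\invoice.exe": "c1d11f66c89d2b7a284d8b61092fab044066c5443250d90d2dd9f3221857900a",
    r"C:\Windows\notepad.exe": "0000000000000000000000000000000000000000000000000000000000000000",
}

if __name__ == "__main__":
    for hit in scan_logs(LOG_LINES):
        print(hit)
    print(match_hashes(INVENTORY))
```

Matching on the subdomain as well as the exact name matters here: the report lists bare domains, but the sample could resolve any label under them, and a DNS log would show that label rather than the apex.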
Signatures
CryptBot payload (3 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1564-3-0x0000000000400000-0x000000000051D000-memory.dmp | family_cryptbot
behavioral1/memory/1564-2-0x0000000000320000-0x00000000003C0000-memory.dmp | family_cryptbot
behavioral1/memory/1564-222-0x0000000000400000-0x000000000051D000-memory.dmp | family_cryptbot
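The three YARA hits above are named after the memory regions they were scanned from. As an added example (not part of the report), the parser below decodes those names, assuming the layout the three names on this page follow: task/memory/PID-SEQ-START-END-memory.dmp. It groups the hits by PID and flags which ranges start at 0x400000, the conventional default image base of a 32-bit PE; the reading that the other range (0x320000-0x3C0000) is a separate allocation rather than the mapped image is our inference from the addresses, not something the report states.

```python
"""Decode sandbox memory-dump resource names such as
behavioral1/memory/1564-3-0x0000000000400000-0x000000000051D000-memory.dmp.

Added example, not part of the report. Assumed name layout:
<task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp"""
import re

REGION_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Conventional default image base of a 32-bit PE executable.
DEFAULT_IMAGE_BASE = 0x400000

# The three family_cryptbot hits listed in the report.
HITS = [
    "behavioral1/memory/1564-3-0x0000000000400000-0x000000000051D000-memory.dmp",
    "behavioral1/memory/1564-2-0x0000000000320000-0x00000000003C0000-memory.dmp",
    "behavioral1/memory/1564-222-0x0000000000400000-0x000000000051D000-memory.dmp",
]


def parse_region(name):
    """Split a dump name into task, pid, dump sequence number and address range."""
    m = REGION_RE.match(name)
    if not m:
        raise ValueError(f"not a memory-dump resource name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {
        "task": m["task"],
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "size": end - start,
        "at_image_base": start == DEFAULT_IMAGE_BASE,
    }


def summarize(names):
    """Group hits by PID and count how often each address range was dumped.
    Returns {pid: {(start, end): count}}."""
    by_pid = {}
    for name in names:
        r = parse_region(name)
        ranges = by_pid.setdefault(r["pid"], {})
        key = (r["start"], r["end"])
        ranges[key] = ranges.get(key, 0) + 1
    return by_pid


def describe(names):
    """Human-readable one-liners, one per distinct (pid, range)."""
    out = []
    for pid, ranges in summarize(names).items():
        for (start, end), n in sorted(ranges.items()):
            where = ("main image (default 32-bit PE base)"
                     if start == DEFAULT_IMAGE_BASE else "separate allocation")
            out.append(f"pid {pid}: 0x{start:X}-0x{end:X} "
                       f"({end - start:#x} bytes, {where}, dumped {n}x)")
    return out


if __name__ == "__main__":
    for line in describe(HITS):
        print(line)
```

Reading the output this way tells you two things the raw names hide: the same 0x400000-0x51D000 image range was dumped twice (sequence 3 and 222, i.e. early and late in the run) and still matched, and the rule also fired on a 0xA0000-byte region outside the image, which is where an unpacking stage would normally place its decoded payload.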
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 6a2c1831c6131eb0f59078d477f4247f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 6a2c1831c6131eb0f59078d477f4247f.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid | process
1564 | 6a2c1831c6131eb0f59078d477f4247f.exe
1564 | 6a2c1831c6131eb0f59078d477f4247f.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 40KB
MD5: 1fc6cb307b66969a1244b283e98b30f2
SHA1: 307f1633607b28ef7157fde5ffe7a22d1316df62
SHA256: 74ee1f1abdb51d06ba114b69994e4275856080bbf3f05d4b432ea00ea92f92ad
SHA512: 2ef3af350c088133cd7d981faecd5d09c482076eb8c018f0597cb468f663c9e0f9567ccb7a2dbdfd5072d03a0449836aeb62b5496c53279681d32b7db9e30314

Filesize: 8KB
MD5: 147cddf0aee7abda94e17a59f52b32c0
SHA1: 54dd21d2b9c928b4ba7ec65626f5bc4a21ab2df2
SHA256: b19bbe1d1d465993ff8d3faed7b484273d7f157520260edf9f96c1333a797fcb
SHA512: eb410457490d598c6b3553813097ec5f7d9b55747b84263948110676fca8fc1d8a0ee5ea65d2de6da66694f01ec8dd7be104da68c4a8384a2c297867466bc4dd

Filesize: 47KB
MD5: dbb59211e04ddb6b104e2728c1765ec8
SHA1: a1a6ef75028076151d75a820779b43218645e552
SHA256: 80531ae594940b2ae81305ea98793a646891595349006dc845e9e7947faf3c77
SHA512: b9097b3a8141f5bb8ff148033e9ea2b78531d030e3ae441454bef4e726354eb525174f2655b682b0b7fa612aa324b16c6384849ad8e5d379c718ccdace786bb6

Filesize: 8KB
MD5: 5321c8bdec2ec9e3baf7106b0672b947
SHA1: b29b5514a425fc9f671620d5c7308d6fbc29ed37
SHA256: 22572c1b67fb89cb63e220aca536973b66e94444e4d7fa809713b90f0b42bcc8
SHA512: c2ef8d468a2b9a23a892b593967a9ef50c1160d46e2504d99ec85e74b75368a7b3a90f11c79ead7a04ee5f772dae5d83cbca107e8510cf00130dfdc94f5e636d