Analysis
max time kernel: 150s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-01-2024 10:21
Static task: static1
Behavioral task: behavioral1
Sample: 6a2c1831c6131eb0f59078d477f4247f.exe
Resource: win7-20231215-en
General
Target: 6a2c1831c6131eb0f59078d477f4247f.exe
Size: 610KB
MD5: 6a2c1831c6131eb0f59078d477f4247f
SHA1: c17ecf688c67d509d646023fc7634b8e497119b4
SHA256: c1d11f66c89d2b7a284d8b61092fab044066c5443250d90d2dd9f3221857900a
SHA512: df885e557808c4d5370c3ae06d4d1f9b148be9c91d449bd95f43f5d82f9fe046f6ca3c99112c600191ff0264c01509af75fa602d05faa271dfd7282edf2c5845
SSDEEP: 12288:q6nudbPYiEZ2n6k4hcMcBveeEjwAdNUHl3QyNfwLw/NIbDTyTZ6y:judbPYjFOMcBv9EMXHlXCpvO7
Malware Config
Extracted: cryptbot
  ewaqug42.top
  morjau04.top
payload_url: http://winhaf05.top/download.php?file=lv.exe
Signatures
- CryptBot payload (4 IoCs)
  Processes (resource / yara_rule):
    behavioral2/memory/4008-2-0x0000000002260000-0x0000000002300000-memory.dmp  family_cryptbot
    behavioral2/memory/4008-3-0x0000000000400000-0x000000000051D000-memory.dmp  family_cryptbot
    behavioral2/memory/4008-208-0x0000000000400000-0x000000000051D000-memory.dmp  family_cryptbot
    behavioral2/memory/4008-213-0x0000000002260000-0x0000000002300000-memory.dmp  family_cryptbot
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      6a2c1831c6131eb0f59078d477f4247f.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  6a2c1831c6131eb0f59078d477f4247f.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid / process):
    4008  6a2c1831c6131eb0f59078d477f4247f.exe
    4008  6a2c1831c6131eb0f59078d477f4247f.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads