Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-01-2024 10:21

General

  • Target

    6a2c1831c6131eb0f59078d477f4247f.exe

  • Size

    610KB

  • MD5

    6a2c1831c6131eb0f59078d477f4247f

  • SHA1

    c17ecf688c67d509d646023fc7634b8e497119b4

  • SHA256

    c1d11f66c89d2b7a284d8b61092fab044066c5443250d90d2dd9f3221857900a

  • SHA512

    df885e557808c4d5370c3ae06d4d1f9b148be9c91d449bd95f43f5d82f9fe046f6ca3c99112c600191ff0264c01509af75fa602d05faa271dfd7282edf2c5845

  • SSDEEP

    12288:q6nudbPYiEZ2n6k4hcMcBveeEjwAdNUHl3QyNfwLw/NIbDTyTZ6y:judbPYjFOMcBv9EMXHlXCpvO7

Malware Config

Extracted

Family

cryptbot

C2

ewaqug42.top

morjau04.top

Attributes
  • payload_url

    http://winhaf05.top/download.php?file=lv.exe
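
The extracted config above gives three network indicators (two C2 domains and the host of the payload URL) and the Downloads section below gives hashes of the archives the sample staged. The following is an added example, not part of the sandbox report, showing how to turn those values into a small matcher and run it over log lines. The log formats (`dns`, `proxy` and `file` records with `key=value` fields) and every log line are constructed for illustration; only the indicator values come from the report. Domain matching is by suffix so that subdomains of a C2 host also hit.

```python
"""Match this report's C2 domains, payload host and dropped-file hashes
against constructed log lines. Added example; indicator values are taken
from the sandbox report, the log format and lines are invented."""
import re
from urllib.parse import urlsplit

# Indicators copied from the report (Malware Config and Downloads sections).
C2_DOMAINS = {"ewaqug42.top", "morjau04.top"}
PAYLOAD_URL = "http://winhaf05.top/download.php?file=lv.exe"
SAMPLE_SHA256 = "c1d11f66c89d2b7a284d8b61092fab044066c5443250d90d2dd9f3221857900a"
DROPPED_SHA256 = {
    "dde74d2efd366f518bf07eb22086c7b53822dfa8ffb4b6cc8a94ddd1dca7454f",  # TCFZm1cEvwO8l5.zip
    "e4fa828b0c7e76dc7034c616dd63f03618ae5fcf8d6bbe16468cc85f6ba7a87c",  # WLNgGapBgIuO.zip
}

# Constructed log lines (hypothetical format: "<ts> <kind> key=value ...").
SAMPLE_LOG = """\
2024-01-20T10:22:01Z dns client=10.0.0.5 query=ewaqug42.top. type=A
2024-01-20T10:22:02Z dns client=10.0.0.5 query=update.microsoft.com type=A
2024-01-20T10:22:03Z proxy client=10.0.0.5 method=GET url=http://winhaf05.top/download.php?file=lv.exe status=200
2024-01-20T10:22:04Z dns client=10.0.0.7 query=cdn.MORJAU04.top type=A
2024-01-20T10:22:05Z file host=WS01 path=C:\\Users\\Admin\\AppData\\Local\\Temp\\Ffky73rB335e\\TCFZm1cEvwO8l5.zip sha256=dde74d2efd366f518bf07eb22086c7b53822dfa8ffb4b6cc8a94ddd1dca7454f
2024-01-20T10:22:06Z file host=WS01 path=C:\\Windows\\notepad.exe sha256=0000000000000000000000000000000000000000000000000000000000000000
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def indicator_domains():
    """Domains worth blocking: the C2 hosts plus the payload download host."""
    return C2_DOMAINS | {urlsplit(PAYLOAD_URL).hostname}


def normalize_domain(name):
    """Lower-case and drop the trailing dot a DNS log may carry."""
    return name.rstrip(".").lower()


def domain_matches(name, bad_domains):
    """True if name equals, or is a subdomain of, any indicator domain."""
    name = normalize_domain(name)
    return any(name == d or name.endswith("." + d) for d in bad_domains)


def parse_line(line):
    """Split '<ts> <kind> k=v k=v ...' into a dict."""
    ts, kind, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields["ts"], fields["kind"] = ts, kind
    return fields


def match_line(fields, bad_domains=None):
    """Return a short hit label for a parsed line, or None."""
    bad_domains = bad_domains or indicator_domains()
    kind = fields["kind"]
    if kind == "dns" and domain_matches(fields["query"], bad_domains):
        return "dns:" + normalize_domain(fields["query"])
    if kind == "proxy":
        host = urlsplit(fields["url"]).hostname or ""
        if domain_matches(host, bad_domains):
            return "proxy:" + normalize_domain(host)
    if kind == "file" and fields.get("sha256", "").lower() in DROPPED_SHA256 | {SAMPLE_SHA256}:
        return "hash:" + fields["sha256"].lower()
    return None


def scan(lines):
    """Run the matcher over log lines; return (timestamp, label) per hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        fields = parse_line(line)
        label = match_line(fields)
        if label:
            hits.append((fields["ts"], label))
    return hits


if __name__ == "__main__":
    for ts, label in scan(SAMPLE_LOG.splitlines()):
        print(ts, label)
```

Four of the six constructed lines hit: the two DNS queries (one with a trailing dot, one a mixed-case subdomain of a C2 host), the proxy request to the payload URL, and the staged archive by SHA256. The benign DNS query and the file with an unrelated hash do not.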

Signatures

  • CryptBot

    A C++ information stealer that is widely distributed bundled with other software.

  • CryptBot payload 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly target stored browser data, which can include saved credentials.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe
    "C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    PID:4008

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\TCFZm1cEvwO8l5.zip

    Filesize

    43KB

    MD5

    0e2a024081b63e43c2b9f2bc43ec70bd

    SHA1

    d09d0a31dc3c46679a9805160210149b5e9d5a15

    SHA256

    dde74d2efd366f518bf07eb22086c7b53822dfa8ffb4b6cc8a94ddd1dca7454f

    SHA512

    4aa97226277c53f6a3c22921cbd65fd7cb6b7e4e0a4111d985c30fa0be067b14707cf6202f8d328f05aa01b3573606cb840dddfaeb3def94f9beb5891f0af8c7

  • C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\WLNgGapBgIuO.zip

    Filesize

    43KB

    MD5

    7a5fc1230afbd8397976d081e5ebaa86

    SHA1

    2195a202fed1396bd39e40625c33854e1bcfe11d

    SHA256

    e4fa828b0c7e76dc7034c616dd63f03618ae5fcf8d6bbe16468cc85f6ba7a87c

    SHA512

    a03a43ded6da9c47148ba3df1703f143386d3c6296ae397c4b994e7be0fb029a4724595eacfd41dfa2f231d1000e88e2349ad06edc52de30458f015bb9ae03f8

  • C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\_Files\_Information.txt

    Filesize

    1KB

    MD5

    bb922c8c422946d787552831a41a3cb2

    SHA1

    bf3df008cb4d8cca4418d812e9566e9560488f20

    SHA256

    eb676aa5d8f29611fa2d7c3518959b3a78b59332b143051c42154043fb4e443b

    SHA512

    bfec57996abfa37f02e8d8c6e7f25ac1bf242321d657bcde48d7d2f5be58bf2772c394abdbcf53897914726a06a12aa3c6c387fe28b54bf6bd3a2109f083a0d3

  • C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\_Files\_Information.txt

    Filesize

    7KB

    MD5

    6794f748f24c56146c5b6121afca3729

    SHA1

    5cb28a27c4466428b8244dff3395c208782b1988

    SHA256

    a2ce1bab81642f1064779bbd2deb91ed6b9dc3324e98c18e7f32c1375f214229

    SHA512

    3f056d278d6ef2e6fa5461062ea0fbfb44740af9c7689f5970d7ebb5e6ff413e163cc16fb1d45c19e72c9de0fc3fd9573b0719cfd9fde44e46c93b0bba9632a5

  • C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\_Files\_Screen_Desktop.jpeg

    Filesize

    27KB

    MD5

    319dd9d403a1257cd941f68e4d9488b4

    SHA1

    155ec2457035abb9505ec6924b84c757e9fcc3ad

    SHA256

    b738887d185378270ece8f1ce18fd01c7f9283eb3b2b697f526dba862b6ba581

    SHA512

    18786ced575535b332491340616dba3ebd6665839843b15ee24d1d42b021ce92d2ab4d6826ac36b99028eea84c01eefb6b23e14253ecd84ac0eccd2b2962d4ae

  • C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\files_\system_info.txt

    Filesize

    1KB

    MD5

    a45826fdc4d83fb9728260eb2b092521

    SHA1

    a49d1c5323f8994957779bdfa75fab9261f4a634

    SHA256

    a774d50b57662437f46d57ee727ee88ee423681dd34d28061591387517ef456b

    SHA512

    c6a7bbdd67f04a0da504d419fc3c5f136567a54781cce6c5efc5713a3e503f117e962136ae1012921c188e6a63275f81bee9dc8ce2317b51e3e0d1c1e5bd5b97

  • C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\files_\system_info.txt

    Filesize

    3KB

    MD5

    5e8a27102fd6ecda086fcd491a2ab23d

    SHA1

    f597fa8b60da67fb0ebaa85c983fc47028a1953f

    SHA256

    508e474adbba2ee9b45d83382b5b5352673f4614b2daad516501c80b26080c9b

    SHA512

    81233f527dc0b532cdf1a5eedda70ae8c78e1a48dda8cc6d67327aa6e527ceee4cf4ce872d4d0957cffa1d77c7dc7566c0b33c96b4682d28809ede5c35bbf672

  • C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\files_\system_info.txt

    Filesize

    4KB

    MD5

    6db0063e17d10d709b613891f7ac21f3

    SHA1

    399adcf95f0758b0411fd3ba0770f999d01f3acb

    SHA256

    8853a90b71c67e4008be5a1c618d227f93cb61f643e667c46865105f31700bb3

    SHA512

    dabb18e7926086c3e006afe81f035b185be60ab9d18dc42c8edebc1ed4fd453a04a33b7518abf7a1e7bf48d1db450c2d5838e08c772146582c7dc7d68bb65c0c

  • memory/4008-2-0x0000000002260000-0x0000000002300000-memory.dmp

    Filesize

    640KB

  • memory/4008-208-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB

  • memory/4008-3-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB

  • memory/4008-212-0x0000000000620000-0x0000000000720000-memory.dmp

    Filesize

    1024KB

  • memory/4008-213-0x0000000002260000-0x0000000002300000-memory.dmp

    Filesize

    640KB

  • memory/4008-1-0x0000000000620000-0x0000000000720000-memory.dmp

    Filesize

    1024KB
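
The dropped files above show the sample staging its collection under a random directory in %TEMP% (`Ffky73rB335e`): an `_Files` folder holding `_Information.txt` and `_Screen_Desktop.jpeg`, a `files_` folder holding `system_info.txt`, and two small `.zip` archives beside them. As an added example, not part of the report and not a vetted family signature, the script below walks a directory tree and flags any folder that reproduces that layout. The marker file names are taken only from this run's Downloads list; the directory fixture it builds is constructed in a temporary directory so the script runs offline.

```python
"""Flag a CryptBot-style staging directory by its layout.

Added example, not part of the sandbox report. The layout comes only from
the paths this run dropped under %TEMP%; treat it as one run's
observation, not as a family-wide signature."""
import os
import tempfile

# Relative paths observed in this run's Downloads list.
EXPECTED_MARKERS = {
    os.path.join("_Files", "_Information.txt"),
    os.path.join("_Files", "_Screen_Desktop.jpeg"),
    os.path.join("files_", "system_info.txt"),
}
MIN_MARKERS = 2  # a single marker is too weak on its own


def score_staging_dir(path):
    """Return (markers present under path, .zip files directly in path)."""
    found = {m for m in EXPECTED_MARKERS if os.path.isfile(os.path.join(path, m))}
    zips = sorted(n for n in os.listdir(path)
                  if n.lower().endswith(".zip") and os.path.isfile(os.path.join(path, n)))
    return found, zips


def find_staging_dirs(root):
    """Walk root (e.g. a user's %TEMP%) and return directories that match."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        found, zips = score_staging_dir(dirpath)
        if len(found) >= MIN_MARKERS:
            hits.append({"dir": dirpath, "markers": sorted(found), "zips": zips})
            dirnames[:] = []  # no need to descend into a flagged tree
    return hits


def build_demo_tree(base):
    """Constructed fixture: this run's layout plus a benign look-alike."""
    staged = os.path.join(base, "Ffky73rB335e")
    for rel in EXPECTED_MARKERS | {"TCFZm1cEvwO8l5.zip", "WLNgGapBgIuO.zip"}:
        full = os.path.join(staged, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"x")
    # One marker alone (a hypothetical installer cache) must not be flagged.
    benign = os.path.join(base, "installer_cache", "_Files")
    os.makedirs(benign)
    with open(os.path.join(benign, "_Information.txt"), "wb") as fh:
        fh.write(b"x")
    return staged


def demo():
    """Build the fixture, scan it, return (relative dir, markers, zips) per hit."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        hits = find_staging_dirs(tmp)
        return [(os.path.relpath(h["dir"], tmp), h["markers"], h["zips"]) for h in hits]


if __name__ == "__main__":
    for rel_dir, markers, zips in demo():
        print(f"{rel_dir}: markers={markers} zips={zips}")
```

Only the directory that reproduces the full layout is reported; the benign folder with a lone `_Information.txt` stays below the marker threshold. In practice the random parent directory name is not usable as an indicator, so the detection keys on the fixed child names instead.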