Analysis
max time kernel: 144s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 21-01-2024 01:58

Static task: static1
Behavioral task: behavioral1
Sample: 6c0f27024f875a94386862cfb5f0d2c8.exe
Resource: win7-20231215-en
General
Target: 6c0f27024f875a94386862cfb5f0d2c8.exe
Size: 773KB
MD5: 6c0f27024f875a94386862cfb5f0d2c8
SHA1: d104d6a3977eb2eff0a2ffdf6d6214fbfb25ce6e
SHA256: f2dae5d58761bc67d2fac18381a2ee7e61d5eea79c32c718a7b97ec183a2489a
SHA512: 1f3aa6a4fa0b1ddfd009c5fcf901d51f16f9bd220ccfeb84cf9f457d3d54f5377e8e627578b5499b0726679771648bc7a56f4bff0c49a9e8d2391680ae2cdde4
SSDEEP: 24576:FZxGgT1VmLaPXuQCyqph+y48dlT000Hp:8gTmbZhW8bTh0
Malware Config
Extracted
cryptbot
  ewaosm65.top
  moruat06.top
payload_url: http://winazr08.top/download.php?file=lv.exe
Signatures

CryptBot payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/2160-2-0x0000000005020000-0x0000000005101000-memory.dmp    family_cryptbot
  behavioral2/memory/2160-3-0x0000000000400000-0x00000000032BB000-memory.dmp    family_cryptbot
  behavioral2/memory/2160-228-0x0000000000400000-0x00000000032BB000-memory.dmp  family_cryptbot
  behavioral2/memory/2160-229-0x0000000005020000-0x0000000005101000-memory.dmp  family_cryptbot

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                 process
  Key value queried  \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation  6c0f27024f875a94386862cfb5f0d2c8.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid   pid_target  process       target process
  2720  2160        WerFault.exe  6c0f27024f875a94386862cfb5f0d2c8.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      6c0f27024f875a94386862cfb5f0d2c8.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  6c0f27024f875a94386862cfb5f0d2c8.exe

Delays execution with timeout.exe (1 IoC)
  pid   process
  2044  timeout.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   process
  2160  6c0f27024f875a94386862cfb5f0d2c8.exe
  2160  6c0f27024f875a94386862cfb5f0d2c8.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   process                               target process
  PID 2160 wrote to memory of 4792  2160  6c0f27024f875a94386862cfb5f0d2c8.exe  cmd.exe
  PID 2160 wrote to memory of 4792  2160  6c0f27024f875a94386862cfb5f0d2c8.exe  cmd.exe
  PID 2160 wrote to memory of 4792  2160  6c0f27024f875a94386862cfb5f0d2c8.exe  cmd.exe
  PID 4792 wrote to memory of 2044  4792  cmd.exe                               timeout.exe
  PID 4792 wrote to memory of 2044  4792  cmd.exe                               timeout.exe
  PID 4792 wrote to memory of 2044  4792  cmd.exe                               timeout.exe
Processes

C:\Users\Admin\AppData\Local\Temp\6c0f27024f875a94386862cfb5f0d2c8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6c0f27024f875a94386862cfb5f0d2c8.exe"
  - Checks computer location settings
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2160

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 1308
      - Program crash
      PID:2720

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\bsFArovHkIJc & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6c0f27024f875a94386862cfb5f0d2c8.exe"
      - Suspicious use of WriteProcessMemory
      PID:4792

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2160 -ip 2160
  PID:5028

C:\Windows\SysWOW64\timeout.exe
  command line: timeout 3
  - Delays execution with timeout.exe
  PID:2044
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: c8966061e2be4b7ad0b946dcf7e3671f
SHA1: 883936c77ec37a6d4c9458b69a98d6e15c06531b
SHA256: a68b4918a5f1f1b9e147bb6d519bbec42c98172599d5ba5eb6e14b3eeb27a6d6
SHA512: 71066af5fa8d35ee8d0076c090569c8c8b62e8b8ff89424ca2443c3d2b4ce35b5037bbb471eb6fa4c772c5afc7c9736cad6ca94258046a9565b94e25bac540f3

Filesize: 35KB
MD5: 22385b170fac0a8121f2e75608cce056
SHA1: 5040b812270250469ce48cdbfa115a78b4b68c42
SHA256: 56ee88480492f06149f94c774dfe0664bbc1dedd22fc0e1017e51fd280081b0a
SHA512: 428227703241dd9a41f0d9ea8e6775aef2df4dc994799c0701ee2cb894ea5551c1847c7d9c61ed1a11b76a4e5f74fc0d19ee37cc713546b452f366687cd0fc60

Filesize: 1KB
MD5: dae15c9102d56c76a5e594f48d73354d
SHA1: 75645c198825e0345b161b3bb48743928f083a92
SHA256: b8a6377c6c151a474e14669a0f178c0690f8ca6aa5460d65440014083f5f5b4c
SHA512: b66b8c0dbb1edabe42d3b32643038a02fa9227f3675a079c89b05dc033bcc882d916f662532a351676a163aa3a6f0ec5d7f01390dbdcfb8af3f85d33294dadaa

Filesize: 745KB
MD5: 6b4364950e66f6bc2e3c0e626344420b
SHA1: 367460cda5692d82802999b0ee358d401acff294
SHA256: 2a94b8c796d9dc175199377b3d5e4053820c56e1d02ced3c72b9f16728d8f778
SHA512: 6a386f4131124d06c40f370b5cb8b401c04542062f3f90f9830d0dd05a114e8f0493fe95d1b57ad503357dc2d9b770f9eb3687693d0a3d4cb9170a27c1971e7a

Filesize: 7KB
MD5: 76aeb41e2dd1bc01f2b5710ae780f372
SHA1: 434e1f6a666cf5c2353569cc7fd74ad38bfe9c9d
SHA256: 119ae36f18f3c18ad69c28ce4837eceb255ef83cf53d9c4df0b27033832235e7
SHA512: 74cabc8e3055b72458488fea54c3962b4a689d7e29ede1a3ac9960851d9dadb0343b35592642ce52baf89186521f44e1c6db1715b54658b5619ae1d7106efb4e

Filesize: 1KB
MD5: 49cb7ca6411cc6d8aed9597f13720fcc
SHA1: 7ad448d5d80da29a96bc259e2cf59d8dbe95fddc
SHA256: 0ec0a24f7e41ef0d28f0d918ee2acd7ce7b7dcde77f89c4b93478d73559f8d0a
SHA512: dac85dd0a3216be027fdb90f5495038470d9ced5201880f5f794e7fa2e2d65adb405afd35e4e880805dd8991aa8b1d24534dc36e15612c8414750fc813be6080

Filesize: 4KB
MD5: 275e1cd686eca41cc2555e23c9bcc5d3
SHA1: 51f5123394dd39c2d84781a24067f87ba766ba13
SHA256: 141333ca32bc50c5f871ee9d34c76161be9f35cbb3642f2752ea75f22538e91b
SHA512: 433824abab9f898477b28a51c6509a5f6d6aaa005e680eb8f08634732e5035ab88098534f924579a69f4d8d00d07099050b8cd935bdefcd5f6a050717d4b13e4

Filesize: 45KB
MD5: 67225e72cdd67b115c292d28ae4de38b
SHA1: e0e65cfc7b5a25d77fdab3d4004972850b76a25d
SHA256: 57360b37423133d44e27ac175716d11494cf89aff3c0723318f8e75363be7f11
SHA512: 51ad1c56f71caf932d5bf678a8aa83a8afe2bed1dd699f510282e5ebf7a6c58518450bd092adb03eb4489a3e61026c5fc5843eb100f80bb441bdcad327ef701b

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize: 116KB
MD5: 477be82ce3550ed325609b046543dbfb
SHA1: db3b6ae0cf4ea8d07fdfcab0c96d9f931dcd86fd
SHA256: 13f75dadffd4c9b4396d0b32a2f0aa03bef11a459e98657c72223ffc5dc45f8d
SHA512: d13545fe8eeb1816f84ce488787e0636a23ae990ed91db38400c3d825b189ada0f04356d69636b290d2e2a1beb0ea2759bb509710cf73c300a92e7302987b6a9

Filesize: 1KB
MD5: 4f919450645e854c8783e0adda9f92c9
SHA1: aca9d337cb0d3065d525343d9564f354bf3bf0a8
SHA256: 2c2a44a3c79b8e49f79565d15d3b85c2f841c5e4b4fb647249e1e604f974ef17
SHA512: b25dfe656161fac4fdeec79ae016a7dd25a63ef6fd5b8fc6d2082da2f36d6d49f11df9a0f530481cb218c78ff5c1ec319ae5be05b3bb7511afb44ec056d2d9ce

Filesize: 4KB
MD5: 01cd50508f63d2c65b61a047270ecb08
SHA1: 43699badfcce8a5b5b36ecff3077bd341ad297f2
SHA256: f086edb06fd3583c25a9f49056c672837261112fa366d364a1504478f8e2ac09
SHA512: c1c8a662cf1156deb89fc3851b4b254ceac55476abf6afec0efc19c0d3f83ec73b2284dd4018fb493bdbab4823960afe9b4b9df9adca106291d9cef639dbfdc3