Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
21-01-2024 18:58
Static task
static1
Behavioral task
behavioral1
Sample
6dc81b421428a561e64da3e3d54e3994.exe
Resource
win7-20231215-en
General
-
Target
6dc81b421428a561e64da3e3d54e3994.exe
-
Size
556KB
-
MD5
6dc81b421428a561e64da3e3d54e3994
-
SHA1
947bba29bb9728131d43fe92fcd7d90b5d5a7d73
-
SHA256
05da0612d29c4c2d08bd90ca30551c109bd6501aae8fe06807f0864e26848637
-
SHA512
cc21a4bd46f9d6b0d7411cfd14a2159dee021c731c8f7ba556e6a843eec1a48faab11404fdd55dfceb849032965f85ba6d5c764bd0583b8d60ec8215c6ee19b1
-
SSDEEP
12288:RwLODyMNNU42SAL9Dwvkgmz+a6qqKFNF3ID5wTOlWi:RBDyMNNn2SuevkgUCqYm2Wi
Malware Config
Extracted
cryptbot
lysano52.top
morecj05.top
-
payload_url
http://damyeb07.top/download.php?file=lv.exe
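The two domains and the payload URL above are the sample's network IoCs. The following is an added example, not part of the sandbox report, showing how to sweep proxy logs for them without the usual substring mistakes (a bare `endswith()` would also flag `notlysano52.top`). The log format and every log line are constructed for the example; only the domains and the payload URL come from the extracted config.

```python
"""Match proxy log lines against the network IoCs extracted from the sample.

Added example, not part of the sandbox report: the log format and the log
lines below are constructed; only the domains and payload URL come from the
report's extracted CryptBot config.
"""
from urllib.parse import urlsplit

# IoCs from the extracted config.
C2_DOMAINS = {"lysano52.top", "morecj05.top"}
PAYLOAD_URL = "http://damyeb07.top/download.php?file=lv.exe"
PAYLOAD_HOST = urlsplit(PAYLOAD_URL).hostname  # damyeb07.top
INFRA_DOMAINS = C2_DOMAINS | {PAYLOAD_HOST}

# Constructed proxy log: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2024-01-21T18:58:01Z 10.0.0.15 GET http://www.example.com/ 200
2024-01-21T18:58:03Z 10.0.0.15 POST http://lysano52.top/ 200
2024-01-21T18:58:04Z 10.0.0.15 GET http://damyeb07.top/download.php?file=lv.exe 200
2024-01-21T18:58:05Z 10.0.0.15 GET http://cdn.morecj05.top/ 404
2024-01-21T18:58:06Z 10.0.0.15 GET http://notlysano52.top/ 200
2024-01-21T18:58:07Z 10.0.0.15 GET HTTP://DAMYEB07.TOP/download.php?file=lv.exe 200
"""


def host_matches(host, domain):
    """True if host is the domain itself or a subdomain of it.

    The label boundary is enforced explicitly: 'notlysano52.top' must not
    match 'lysano52.top', which a plain endswith() check would allow.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(url):
    """Return 'payload' for the exact payload URL, 'c2' for any hit on the
    listed infrastructure, None otherwise."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit lower-cases the hostname
    wanted = urlsplit(PAYLOAD_URL)
    # Scheme and host are case-insensitive; path and query are compared as-is.
    if host == PAYLOAD_HOST and parts.path == wanted.path and parts.query == wanted.query:
        return "payload"
    if any(host_matches(host, d) for d in INFRA_DOMAINS):
        return "c2"
    return None


def scan(log_text):
    """Return (timestamp, client_ip, verdict, url) for every line that hits an IoC."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line: skip it rather than abort the sweep
        ts, client, _method, url, _status = fields
        verdict = classify(url)
        if verdict:
            hits.append((ts, client, verdict, url))
    return hits


if __name__ == "__main__":
    for ts, client, verdict, url in scan(SAMPLE_LOG):
        print(f"{ts} {client} {verdict:8} {url}")
```

Matching on the parsed hostname rather than on the raw line also catches the upper-cased variant in the last constructed line, which a case-sensitive grep for the URL string would miss.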
Signatures
-
CryptBot payload 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2900-2-0x0000000000220000-0x00000000002C0000-memory.dmp | family_cryptbot
behavioral1/memory/2900-3-0x0000000000400000-0x0000000002CC1000-memory.dmp | family_cryptbot
behavioral1/memory/2900-221-0x0000000000400000-0x0000000002CC1000-memory.dmp | family_cryptbot
behavioral1/memory/2900-223-0x0000000000220000-0x00000000002C0000-memory.dmp | family_cryptbot
-
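The four YARA matches above are dumps of only two address ranges in process 2900, each captured twice. The following is an added example, not part of the report, that decodes the dump names so the regions and their sizes can be read off directly. The naming scheme it assumes, `<task>/memory/<pid>-<dump_index>-<start>-<end>-memory.dmp`, is inferred from the four names listed; it is not documented on this page.

```python
"""Decode the memory-dump resource names attached to the YARA matches.

Added example, not part of the report. The naming scheme assumed here,
<task>/memory/<pid>-<dump_index>-<start>-<end>-memory.dmp, is read off the
four resource names the report lists.
"""
import re

DUMP_NAME = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<index>\d+)-"
    r"(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp$"
)

# The four resources the family_cryptbot rule matched on (from the report).
MATCHES = [
    "behavioral1/memory/2900-2-0x0000000000220000-0x00000000002C0000-memory.dmp",
    "behavioral1/memory/2900-3-0x0000000000400000-0x0000000002CC1000-memory.dmp",
    "behavioral1/memory/2900-221-0x0000000000400000-0x0000000002CC1000-memory.dmp",
    "behavioral1/memory/2900-223-0x0000000000220000-0x00000000002C0000-memory.dmp",
]


def parse_dump_name(name):
    """Split a dump resource name into its fields; ValueError if it does not fit."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {
        "task": m["task"],
        "pid": int(m["pid"]),
        "index": int(m["index"]),
        "start": start,
        "end": end,
        "size": end - start,
    }


def distinct_regions(names):
    """Collapse repeated dumps of one range into a single entry per (pid, start, end),
    keeping the dump indices so the capture points remain visible."""
    regions = {}
    for name in names:
        d = parse_dump_name(name)
        key = (d["pid"], d["start"], d["end"])
        regions.setdefault(key, []).append(d["index"])
    return [
        {"pid": pid, "start": s, "end": e, "size": e - s, "dumps": sorted(idx)}
        for (pid, s, e), idx in sorted(regions.items())
    ]


if __name__ == "__main__":
    for r in distinct_regions(MATCHES):
        print(f"pid {r['pid']}: {r['start']:#x}-{r['end']:#x} "
              f"({r['size'] / 1024:.0f} KB), dumps {r['dumps']}")
```

Run on the four names it reports a 640 KB region at 0x220000 (dumps 2 and 223) and a region of roughly 40.8 MB at 0x400000 (dumps 3 and 221). 0x400000 is the default image base for 32-bit executables, consistent with the arch:x86 resource tag; that the mapped image is far larger than the 556 KB file on disk is an inference from these numbers, not something the report states.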
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTP
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTP
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments (for example, a ProcessorNameString that names a hypervisor vendor). Benign software reads the same key, so on its own this is a weak signal.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 6dc81b421428a561e64da3e3d54e3994.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 6dc81b421428a561e64da3e3d54e3994.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
2900 | 6dc81b421428a561e64da3e3d54e3994.exe
2900 | 6dc81b421428a561e64da3e3d54e3994.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
8KB
MD5 2c2823577fc219b818f37d357c810d58
SHA1 c6dbe7f00765f3e15f117aeb037bdfa414005ca7
SHA256 b7f2528ee8ca2dc4fb6181372d0d9b7cefd19ca652d304d69114838d2a9df11b
SHA512 aaae930a4ff51b3e444a43c4681a3ba3dc28f3eb46aef13a072ced3b02e9481a05ee5cec462c4d5fcaa3cc9356327bed8f6b257e5560a8cc6e2e9ce2182f5358
-
Filesize
43KB
MD5 a6e538bab21bc7f2b2bb09993467c0c9
SHA1 1b20938914be8193f28472d6e2717d05995f6312
SHA256 8687636ac1aceac64f17998e693135161cd5486b533ec1b3d4567a35dd4ef662
SHA512 bfded190b308ec4dab9442031556fe8fd293291836fd9f6a6a57238e3fead0a1ff23ca67bf6f137cf48baed0d9210beaa3f5d6aead91d9e2c70528b8823b32cb
-
Filesize
8KB
MD5 70b95c65d9691b69f3a809eb7ffeacef
SHA1 423a4ba66929edca5e41d0ee5de2f723b24accff
SHA256 e4db95b4058bbea132d42666c98ddbfaa09e27ac65fb1b8496f0e5e3473f5b89
SHA512 ca87ba34b8d0e219c883dec445a84ab952bd499f2cc06608bcb27bf35231e262581455b80cdfbefc6a22ef7057ea533c0a975698348e49ef712f3270ef5abd6b
-
Filesize
36KB
MD5 310a40867f9b3b67046a23c1cbc4b2f7
SHA1 5e661bd860f88cbe37b9fdbb1bff95081aca9b92
SHA256 5b7981b9eee65da8fdb5f281faf7cb4e6902842f7c2ad5accee1d6eef995711b
SHA512 892353ddf32519a4da0b35c040373cb1d6c959b80d0baa1e8bd97b9638058d626e64ce85f11fb4bfb6033def7476dfb4a73c6349f67991511d4e69512bfabedc