Analysis

max time kernel: 144s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-01-2024 18:58

Static task: static1
Behavioral task: behavioral1
Sample: 6dc81b421428a561e64da3e3d54e3994.exe
Resource: win7-20231215-en
General

Target: 6dc81b421428a561e64da3e3d54e3994.exe
Size: 556KB
MD5: 6dc81b421428a561e64da3e3d54e3994
SHA1: 947bba29bb9728131d43fe92fcd7d90b5d5a7d73
SHA256: 05da0612d29c4c2d08bd90ca30551c109bd6501aae8fe06807f0864e26848637
SHA512: cc21a4bd46f9d6b0d7411cfd14a2159dee021c731c8f7ba556e6a843eec1a48faab11404fdd55dfceb849032965f85ba6d5c764bd0583b8d60ec8215c6ee19b1
SSDEEP: 12288:RwLODyMNNU42SAL9Dwvkgmz+a6qqKFNF3ID5wTOlWi:RBDyMNNn2SuevkgUCqYm2Wi
Malware Config

Extracted
Family: cryptbot
Domains:
  lysano52.top
  morecj05.top
payload_url: http://damyeb07.top/download.php?file=lv.exe
Signatures

CryptBot payload (4 IoCs)
Memory dumps of the target process matching YARA rule family_cryptbot:
  resource                                                                      yara_rule
  behavioral2/memory/2816-2-0x0000000004A30000-0x0000000004AD0000-memory.dmp    family_cryptbot
  behavioral2/memory/2816-3-0x0000000000400000-0x0000000002CC1000-memory.dmp    family_cryptbot
  behavioral2/memory/2816-207-0x0000000000400000-0x0000000002CC1000-memory.dmp  family_cryptbot
  behavioral2/memory/2816-212-0x0000000004A30000-0x0000000004AD0000-memory.dmp  family_cryptbot

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (21 IoCs)
WerFault.exe instances launched for crashes of the target process (pid_target 2816):
  pid   pid_target  process       target process
  2000  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  5112  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  1868  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  4060  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  4648  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  2864  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  3736  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  4084  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  4520  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  3556  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  1448  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  1312  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  2476  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  5060  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  1592  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  2444  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  4800  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  636   2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  3244  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  4340  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe
  4644  2816        WerFault.exe  6dc81b421428a561e64da3e3d54e3994.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      6dc81b421428a561e64da3e3d54e3994.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  6dc81b421428a561e64da3e3d54e3994.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   process
  2816  6dc81b421428a561e64da3e3d54e3994.exe
  2816  6dc81b421428a561e64da3e3d54e3994.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe (PID 2816)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe"
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 604 (PID 2000) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 688 (PID 5112) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 756 (PID 1868) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 852 (PID 4060) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 860 (PID 4648) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 760 (PID 2864) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1132 (PID 3736) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1212 (PID 4084) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 872 (PID 4520) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 692 (PID 3556) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 796 (PID 1448) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1372 (PID 1312) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1400 (PID 2476) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 844 (PID 5060) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1140 (PID 1592) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1012 (PID 2444) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 764 (PID 4800) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 976 (PID 636) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 792 (PID 3244) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1336 (PID 4340) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 848 (PID 4644) - Program crash
- C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2816 -ip 2816 (PID 1444)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2816 -ip 2816 (PID 4708)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2816 -ip 2816 (PID 4856)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2816 -ip 2816 (PID 3000)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2816 -ip 2816 (PID 3284)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2816 -ip 2816 (PID 3040)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2816 -ip 2816 (PID 1556)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2816 -ip 2816 (PID 920)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2816 -ip 2816 (PID 1364)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2816 -ip 2816 (PID 4208)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2816 -ip 2816 (PID 4356)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2816 -ip 2816 (PID 3216)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2816 -ip 2816 (PID 1944)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2816 -ip 2816 (PID 3260)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2816 -ip 2816 (PID 2488)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2816 -ip 2816 (PID 3752)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2816 -ip 2816 (PID 3000)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2816 -ip 2816 (PID 1368)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2816 -ip 2816 (PID 2416)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2816 -ip 2816 (PID 4324)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2816 -ip 2816 (PID 1696)
Network
MITRE ATT&CK Enterprise v15
Downloads