Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 22-01-2024 04:55
Static task: static1
Behavioral task: behavioral1
Sample: 6ec80a2e8194a457f2f555506986e490.exe
Resource: win7-20231129-en
General
Target: 6ec80a2e8194a457f2f555506986e490.exe
Size: 610KB
MD5: 6ec80a2e8194a457f2f555506986e490
SHA1: d561118b72aa3852bfd1f53d9813cd4c2fa8d50e
SHA256: 48ab70d33532409f5394c271fe0fba6234b15b36584234d5b595b9791972bec1
SHA512: d142eab913e11d339c5f38603a98e84414f4dc71d0ad2a9e53b8a90486782313530955af22c3f222c2392e75c62c3b22dba653bc7071658c8713e2f9f109c4a1
SSDEEP: 12288:saPvmpW5Iq67dFPV75v9RUxz6hPuGnq/HETpnAnBvRmH88nKLw9:sSmpW5Indhve6hr0HETpnAnmznl9
Malware Config
Extracted
Family: cryptbot
Domains: ewayab32.top, morxeg03.top
payload_url: http://winxob04.top/download.php?file=lv.exe
Signatures

CryptBot payload (3 IoCs)
YARA rule family_cryptbot matched the following memory dumps:
  behavioral1/memory/2024-2-0x0000000000310000-0x00000000003B0000-memory.dmp
  behavioral1/memory/2024-3-0x0000000000400000-0x000000000051D000-memory.dmp
  behavioral1/memory/2024-222-0x0000000000400000-0x000000000051D000-memory.dmp

Reads user/profile data of web browsers (2 TTPs)
Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill entries.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: 6ec80a2e8194a457f2f555506986e490.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Suspicious use of FindShellTrayWindow (2 IoCs)
Process: 6ec80a2e8194a457f2f555506986e490.exe (pid 2024), two occurrences
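The signature block above lists the IoCs as long identifier strings. The following is an added example (not the sandbox's code and not part of the original report) that parses the memory-dump identifiers and the extracted config into structured, shareable indicators. It assumes the dump-file naming convention <task>/memory/<pid>-<seq>-<start>-<end>-memory.dmp, where pid 2024 matches the process id shown under FindShellTrayWindow and <seq> is taken to be a snapshot ordinal; both are assumptions about the sandbox's naming, not something the report states.

```python
"""Parse the IoC identifiers in the report above into structured records.

Added example, not code from the sandbox or from the report; it assumes the
dump-file naming convention <task>/memory/<pid>-<seq>-<start>-<end>-memory.dmp,
where pid 2024 matches the process id listed under FindShellTrayWindow and
<seq> is taken to be a snapshot ordinal (an assumption)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed from the three YARA hits listed under "CryptBot payload".
YARA_HITS = """\
behavioral1/memory/2024-2-0x0000000000310000-0x00000000003B0000-memory.dmp family_cryptbot
behavioral1/memory/2024-3-0x0000000000400000-0x000000000051D000-memory.dmp family_cryptbot
behavioral1/memory/2024-222-0x0000000000400000-0x000000000051D000-memory.dmp family_cryptbot
"""

# Constructed from the "Malware Config" block of the report.
CONFIG = {
    "family": "cryptbot",
    "domains": ["ewayab32.top", "morxeg03.top"],
    "payload_url": "http://winxob04.top/download.php?file=lv.exe",
}

DUMP_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
    r"\s+(?P<rule>\S+)$"
)


@dataclass(frozen=True)
class MemoryHit:
    task: str
    pid: int
    seq: int
    start: int   # region start address (inclusive)
    end: int     # region end address (exclusive)
    rule: str    # YARA rule name that matched the dump

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_memory_hits(text: str) -> list[MemoryHit]:
    """Turn one YARA hit line per entry into MemoryHit records; unknown
    layouts raise rather than being silently dropped."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised dump identifier: {line!r}")
        hits.append(MemoryHit(m["task"], int(m["pid"]), int(m["seq"]),
                              int(m["start"], 16), int(m["end"], 16), m["rule"]))
    return hits


def distinct_regions(hits: list[MemoryHit]) -> list[tuple[int, int, int]]:
    """Collapse repeated hits on the same (pid, start, end): the 0x400000 region
    appears twice in the report because it was dumped at two points in time."""
    return sorted({(h.pid, h.start, h.end) for h in hits})


def defang(indicator: str) -> str:
    """Render a domain or URL so it cannot be clicked or auto-linked; only the
    scheme and host are rewritten, the path and query stay readable."""
    if "://" not in indicator:
        return indicator.replace(".", "[.]")
    parts = urlsplit(indicator)
    scheme = parts.scheme.replace("http", "hxxp")
    out = f"{scheme}://{parts.netloc.replace('.', '[.]')}{parts.path}"
    if parts.query:
        out += "?" + parts.query
    return out


def ioc_summary(hits: list[MemoryHit], config: dict) -> dict:
    """Shareable summary: defanged network indicators plus the in-memory
    regions an analyst would carve for the unpacked payload."""
    return {
        "family": config["family"],
        "domains": [defang(d) for d in config["domains"]],
        "payload_url": defang(config["payload_url"]),
        "regions": [
            {"pid": pid, "start": hex(start), "size": hex(end - start)}
            for pid, start, end in distinct_regions(hits)
        ],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(ioc_summary(parse_memory_hits(YARA_HITS), CONFIG), indent=2))
```

The two distinct regions come out as 0x310000 (0xA0000 bytes) and 0x400000 (0x11D000 bytes). 0x400000 is the conventional default image base of a 32-bit PE, which is consistent with the arch:x86 tag, so that region is the natural first candidate when carving the unpacked sample from the dump; treating it as the main image is an assumption until the dump is checked for an MZ header.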
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 0c43cfb68af2109f0c277371a7b6daf1
SHA1: 8564c9996910cd8292a7cb7630b8d2e83d0f92a3
SHA256: 6660737f23a35608a609193f1cb74b3f9b234d3bf102f584af0266ef5104dbd2
SHA512: eaed2d40cd2d695d49b43d971309c0e1dcd86229df2766b7bf44828a5be5d5f3f54f069e7361679712857b420b80b753bd58f53b1289872e3747ad3fddf4607b

Filesize: 3KB
MD5: 213e63ab19d7decb83c253813ddf76af
SHA1: 8ba0c69b9eb042a19904ed4e2adccbb605fa6306
SHA256: 98bc228c80efa014bc77a49dbafaf29a1d12e3b379b7b6a9cf9e50f77d2479e5
SHA512: b84d21d64038ac74419a94e2ade8c3e74c631750749ba23db39b717cb7e65add7ea9eaa14fdc50428e81c971cfde80da065ac31c790e110c1ab62a4ffebd5237

Filesize: 3KB
MD5: 66830ac012a3563ec7d14de3a09d77ee
SHA1: 3628cce373fd075ac009ae843d3264fdb88a1ebf
SHA256: f67e18b1d0b585ce8a8f35c9de41376bc538a2ab2b008013330b43540470c4f9
SHA512: 5c51acbca7e15eaf1375d7df2678c2680498cd27921b1025153e15ecc184f51f97fc494108f19b978b4d002d0a4fa008d2f333723b27fa97a2c50336088f27f1

Filesize: 4KB
MD5: bf29f9cddfd81b9116bcce6775cc39f7
SHA1: d0f49372295e0bc98c7273eda1240f8e91eeaf7b
SHA256: ba8347de95d826dac29789ea28d39706614c2b0f8fb79539f146bb506e646925
SHA512: 4c0bdff0501c97a4d93c950a710f462495e7cbb120f89d49aab2f6f8a985a0c0365af7be44ce1631d8c06b7d7fb93c3f669ba6abde24c6f13641d2b7c8360330

Filesize: 48KB
MD5: a881dabf737d7817908cc26aa471d8d6
SHA1: 97c2e25cba9c356a4f52b94f87ad08a2be6b67ce
SHA256: 994a53be4febcda1534f6dd3b257c8db28e6cf787ec8e136906ed789def682c5
SHA512: 44d9cc5bd4c63700b1eb3484d5c3ab074239e7bb081971ebd0b21faf48dc85cd514a9aee8ad38f53000bb611550b375312464efccaad6e26375cf3195f2c0f5b

Filesize: 1KB
MD5: 95fc5ac6bfeaa486af470eb4f0d1a680
SHA1: 10e7fac789107c73d057ab0bf30d8c6c26f34d64
SHA256: b21a1553ebb95d8a894e7c5b2bd27ae3cad74374a696cb412ccb52682f9c2ff8
SHA512: c77b741ed886eae0dec6ecc0259560b32417e796eb3aa5eb6dc7dade8bc7bc268cb4cf99c053e5ee5646109abca6d1fff0bfe0b7c81c2bf4b8b396539973e432

Filesize: 3KB
MD5: e0c53319d8ac3414eefe798ab79bdd10
SHA1: 4bace5f5b1c3805a95e629bb2a83de78d835ad6a
SHA256: a9d08c0a178ee1f405dd7b0c470eb962d0a1d72696908e2d60891a33578dc249
SHA512: f03a61db0c7868a2c7f8d166a2b4ae902c1530e53119e7efd28b9697d1d40381d233e684e5f09cb5f5f7c5c2246a52f4836449da5d432ff7050a70e46671fb57

Filesize: 3KB
MD5: a0e153cca20254757c789969bc462d5c
SHA1: 7402d4a15d63784ffb8c7604339665416d97ef49
SHA256: e77c0f1fd0413f20fb14ae6def1b1faf479b3857c3275dc5fbbad92ed3b02762
SHA512: 1f1f78e606147b1ca69362c79f8dc438e6a49ca90aa6d7e73ad502a490d5985b926ff48599774717fa851991aa6d8ce62ddbfe10e8e8a39ad7a5fcd30b312236

Filesize: 6KB
MD5: bdaebbad51f1d45481c6487d1478166b
SHA1: dfd8532c7a969fbef603cfa77155caddb44d381c
SHA256: 6eda7a621fe064fea5db1b5ca64bc4698e4ea4a7eff143b0e9cf0ada4c8e2d28
SHA512: 72f54b169e8dedabb81629700aba64e44e103344b992b20e056fe60937e2b57a7ffb40f8d586114faf8e7a8cc46e73a2e3b278bebdd72de1d9cd9c68285fe870

Filesize: 41KB
MD5: 71b72055997ddff01da3b102fe7de6d9
SHA1: a040c8f78734960f1e821eaf40b54ad708d3557f
SHA256: 16b5277220a4474de6034d503d83b0af04e0fbbcd58dbd54659d080d6b704dcc
SHA512: 465bd5bc3b99ef65a0a38b7cf68082b4e48aa2c9451fefbfce61436943a4e02554ee03c655e06f3e5f6e5037772e21e3b1dca48a09e208a0740719b9862dbded