Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-01-2024 04:55

General

  • Target

    6ec80a2e8194a457f2f555506986e490.exe

  • Size

    610KB

  • MD5

    6ec80a2e8194a457f2f555506986e490

  • SHA1

    d561118b72aa3852bfd1f53d9813cd4c2fa8d50e

  • SHA256

    48ab70d33532409f5394c271fe0fba6234b15b36584234d5b595b9791972bec1

  • SHA512

    d142eab913e11d339c5f38603a98e84414f4dc71d0ad2a9e53b8a90486782313530955af22c3f222c2392e75c62c3b22dba653bc7071658c8713e2f9f109c4a1

  • SSDEEP

    12288:saPvmpW5Iq67dFPV75v9RUxz6hPuGnq/HETpnAnBvRmH88nKLw9:sSmpW5Indhve6hr0HETpnAnmznl9

Malware Config

Extracted

Family

cryptbot

C2

ewayab32.top

morxeg03.top

Attributes
  • payload_url

    http://winxob04.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ stealer, widely distributed bundled with other software.

  • CryptBot payload 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTP

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTP

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe
    "C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe"
    PID:5016
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\EGsZqzd\ZhjtyYCiM.zip
    Filesize: 39KB
    MD5: c189d7bf8606cb60894236a7a6d43019
    SHA1: 4d3792fe786e9ecba3bb473d77a75953a05a1c33
    SHA256: f703f42aef42e9f62876ded850caac3978b0e3b7bb68db2d55d3f22996b3c2bc
    SHA512: 45533ef418e9dd33e43fc66e9b6ed0e872a065bec0b5b5b583053da9b46d25cd07557ad9d11c82dcdd65aa60906f76e3777424ba665204a233ac9ebc3df649fe

  • C:\Users\Admin\AppData\Local\Temp\EGsZqzd\_Files\_Information.txt
    Filesize: 1KB
    MD5: f81e0a1e03870d9264a43f7fe8e7a94c
    SHA1: 62c0bb4c5234d417ceab896693260a3a55d8c64f
    SHA256: 9ae1b95f19618228214c7954f412cdebdc1f0b99d0bd8432d7bb9fef0301a7d3
    SHA512: e037f64689596bc50cc8973110d29ea511181e749a97f7f751893c3c4188f8c10462f0b8e96643916852a92028e5547c132c9b3ad14f6e2d0f9a8ba716b6efb4

  • C:\Users\Admin\AppData\Local\Temp\EGsZqzd\_Files\_Information.txt
    Filesize: 4KB
    MD5: d0474047dbe87fabc657fef78ee45b23
    SHA1: aa3074df1faf0d4c959bd6ecede2d10e687f9a49
    SHA256: b4dadb9c063b6876b247041f42400e0120f1ef44fb1993314001ba62cfcf7efd
    SHA512: a52b724232d39797f427935b82052d1a4a116844fb1060e29c27bfa28b208292fae5a6ddd5b0badd04a1dbdac65796a23a68b143c76a73a2d59dfcbdce5d7603

  • C:\Users\Admin\AppData\Local\Temp\EGsZqzd\_Files\_Screen_Desktop.jpeg
    Filesize: 45KB
    MD5: 774081a8ccc56ed0e9bbd7df1f01249a
    SHA1: b5a22c89a49cf3e8748582dbec7a02c294c682bd
    SHA256: f9772ebf0cd4987ddd9b42df44b50959150688a79df82abf824c44d31fe5c90e
    SHA512: 0fcfb42f257fce9bb8bbc70f048811febdaea76694ec196dbfbbb1f9f68cffa1ed22a7a63959fbf1237144a01266c51efe79a9f2ece4b7860ccdd0a25480aa58

  • C:\Users\Admin\AppData\Local\Temp\EGsZqzd\files_\system_info.txt
    Filesize: 718B
    MD5: 0255332dc6670a1a4315beb31f2b5583
    SHA1: 9d8f8bc1a99b23dc3fbcfbb8957e2532d36726e3
    SHA256: 24e5f522cee8ac191f6019e71cd0d44cd4482b0cf49fa0c52851abbf0095e6d6
    SHA512: 27b3be19590559d1756681db0868f3d770a1f7c5885151b03633b188d5cf5eebeafb41eb0d3486de297c47838243534595e3a6f24de69465cd751489b27d4144

  • C:\Users\Admin\AppData\Local\Temp\EGsZqzd\files_\system_info.txt
    Filesize: 1KB
    MD5: fd35fc9d91abb1c23b967ea1280349c9
    SHA1: 2e7b0591883f78cfc8a4c3b5c1aa244d8c7302e7
    SHA256: b746ae11f722311cdad620c221d46e24f858192c9132e6066e9c9a467a2298f9
    SHA512: 137fc5ffaee74412756cc5022029c7a473ebf34c9dfc28eae20a385e8ea2ebc6ef27e2bfea5c372fa1b6ec7a908cfd4f76d36a6fad30f372063671fa45c172e3

  • C:\Users\Admin\AppData\Local\Temp\EGsZqzd\files_\system_info.txt
    Filesize: 1KB
    MD5: 1c2d8d0c21f2df423b31c819f12cf5a2
    SHA1: cd05230d8c988299549ef37f3060f75b4867ca61
    SHA256: c99873e5569df8472c8d4cef35cb4cee93f50675c03fa75361df8c43cb6212d5
    SHA512: 50e5ad2b87fd9889f630348c011466ea27c4117eee40b8c9986117601222ecfbf65851228213bbd0318723d10e59613ca88f150935330d4559780c999d0945be

  • C:\Users\Admin\AppData\Local\Temp\EGsZqzd\files_\system_info.txt
    Filesize: 4KB
    MD5: 37769fff937f3cdb56086916cd587ee9
    SHA1: 82f58aa10d170714c93df517f4d178075fc983c5
    SHA256: 10275f334bf55560f82b9b90521c3f8bc3612c156b50962578f7cda5058ee05f
    SHA512: a4198d456cccf0f8f03a7e6cf51a6fc424225bf879706bf497944f4134af5afcd8f343ed6a18096112fd3c114f43188e235293b17f29bc1392791a41830696ee

  • C:\Users\Admin\AppData\Local\Temp\EGsZqzd\files_\system_info.txt
    Filesize: 4KB
    MD5: 4f724cefa97bb4fca3804fa468bde6a0
    SHA1: d7a28ecb7f866873da085d848c4b14faa9931489
    SHA256: 5912ec80b75ecdbd11ec07d94fd3e77e06f4ce1fcef216d918c05054a61176eb
    SHA512: 1f314e92b60a674312692dc3ba78192499d5344f98095ca53bc55ce9c8f0fc64477a35c17f501711d35941f1394a3072076559459d0486cfb2284892c92c02e9

  • C:\Users\Admin\AppData\Local\Temp\EGsZqzd\tlpouQWYxBOd2g.zip
    Filesize: 39KB
    MD5: 25f6e6c21ed122f9cf7c61749d88a0e4
    SHA1: 3bc265074b1164e53b635c99d7571b73d6cc0c1c
    SHA256: 3a0c80f1d57b3e60df2649630f016abb498a361161a2ac1785768beacaa66d44
    SHA512: afb9e50c8edba170a4affbe8c5c05cb00f877cbe780c08068cd5edebad36848d8cf7a0d4b955e8fad68c7cadad406e7bb0493113b5103d099b726a80b37d2565

  • memory/5016-1-0x00000000008E0000-0x00000000009E0000-memory.dmp
    Filesize: 1024KB

  • memory/5016-3-0x0000000000400000-0x000000000051D000-memory.dmp
    Filesize: 1.1MB

  • memory/5016-208-0x0000000000400000-0x000000000051D000-memory.dmp
    Filesize: 1.1MB

  • memory/5016-213-0x0000000002280000-0x0000000002320000-memory.dmp
    Filesize: 640KB

  • memory/5016-212-0x00000000008E0000-0x00000000009E0000-memory.dmp
    Filesize: 1024KB

  • memory/5016-2-0x0000000002280000-0x0000000002320000-memory.dmp
    Filesize: 640KB