Analysis

max time kernel: 146s
max time network: 153s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22-01-2024 08:02

Static task: static1
Behavioral task: behavioral1
Sample: 6f25a0962565b1974bedce661c201529.exe
Resource: win7-20231215-en
General

Target: 6f25a0962565b1974bedce661c201529.exe
Size: 706KB
MD5: 6f25a0962565b1974bedce661c201529
SHA1: 6a15e67dc15ea4603376d465e03dba4dab229f6a
SHA256: 89425ed57b370731f3eb964d7d2bfce74b8e9e4be1be23ad76990c2d3da93579
SHA512: 75a6d5533f6a23a0a42e43a2c3c66673ffa0d17156f070c044ce959a8b8f35023173a7c03089ac4d371d078edba5e5cef693db97423faeba0f52cc7d5972e5d6
SSDEEP: 12288:tt8TopznXPq9thtx1nFMWS9Ov2GIVBh4W0TIu2FHsucoQHerza:JdXPq9drwn/u2FBcoQHqz
Malware Config
Signatures

CryptBot payload (4 IoCs)
Processes (resource / yara_rule):
  behavioral1/memory/1032-2-0x00000000002B0000-0x0000000000359000-memory.dmp / family_cryptbot
  behavioral1/memory/1032-3-0x0000000000400000-0x00000000004CC000-memory.dmp / family_cryptbot
  behavioral1/memory/1032-128-0x0000000000400000-0x00000000004CC000-memory.dmp / family_cryptbot
  behavioral1/memory/1032-133-0x00000000002B0000-0x0000000000359000-memory.dmp / family_cryptbot

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
  Key opened / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 / 6f25a0962565b1974bedce661c201529.exe
  Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString / 6f25a0962565b1974bedce661c201529.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid / process):
  1032 / 6f25a0962565b1974bedce661c201529.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads