Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-01-2024 08:02

General

  • Target

    6f25a0962565b1974bedce661c201529.exe

  • Size

    706KB

  • MD5

    6f25a0962565b1974bedce661c201529

  • SHA1

    6a15e67dc15ea4603376d465e03dba4dab229f6a

  • SHA256

    89425ed57b370731f3eb964d7d2bfce74b8e9e4be1be23ad76990c2d3da93579

  • SHA512

    75a6d5533f6a23a0a42e43a2c3c66673ffa0d17156f070c044ce959a8b8f35023173a7c03089ac4d371d078edba5e5cef693db97423faeba0f52cc7d5972e5d6

  • SSDEEP

    12288:tt8TopznXPq9thtx1nFMWS9Ov2GIVBh4W0TIu2FHsucoQHerza:JdXPq9drwn/u2FBcoQHqz

Malware Config

Signatures

  • CryptBot

    A C++ stealer, widely distributed bundled with other software.

  • CryptBot payload 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe
    "C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe"
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    PID:1032

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Datar

    Filesize

    92KB

    MD5

    c5ab22deca134f4344148b20687651f4

    SHA1

    c36513b27480dc2d134cefb29a44510a00ec988d

    SHA256

    1e9bd8064ca87d8441e2702005ef8df9a3647d5542740737abb8a70be7ec9512

    SHA512

    550f45132525e967d749106b9d3b114d17b066967527bfd5c66613d61b6f3995f87b0f3c09def19eed14b5b757f2501645b5103505d126f1dd66994f50e1257e

  • C:\Users\Admin\AppData\Local\Temp\wkusYT6\WWKr3o1Tvz.zip

    Filesize

    41KB

    MD5

    610ddca0af15f5ec9d2b43c05ddc4536

    SHA1

    35e018d5798f99cfbb0ed8e51df8c021d664fb6b

    SHA256

    e474d941116286e0326167badd970972df41b5aa97753e3226d0fc682b2d86e8

    SHA512

    775fc10742031a0b70b65de6b504a2edf72d1c446f1b5979799ceeaa36f802842c575d66354da8d2b2beefdac965493a6768301e1db4d74d3f48ded5409c1934

  • C:\Users\Admin\AppData\Local\Temp\wkusYT6\_Files\_Information.txt

    Filesize

    6KB

    MD5

    ed83f3066a915cc1f8e9d02206cca3e1

    SHA1

    f7ee5d8c68dc6370961283fcfa5ba8e81476012c

    SHA256

    c6a5232084fce611bd18ba42c0c1c94192d577d50d650d39ee780022b9933ec7

    SHA512

    b774ef12fb8573a46c4af266d05e6a934246f3206491c8b63ac48320f1f7ec2e8f751136a47ef9951608dcbec1e17c4afa9347276b23e7511de8ac8c71d01a90

  • memory/1032-1-0x0000000000690000-0x0000000000790000-memory.dmp

    Filesize

    1024KB

  • memory/1032-2-0x00000000002B0000-0x0000000000359000-memory.dmp

    Filesize

    676KB

  • memory/1032-3-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/1032-18-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

    Filesize

    4KB

  • memory/1032-128-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/1032-132-0x0000000000690000-0x0000000000790000-memory.dmp

    Filesize

    1024KB

  • memory/1032-133-0x00000000002B0000-0x0000000000359000-memory.dmp

    Filesize

    676KB

  • memory/1032-134-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

    Filesize

    4KB