Analysis
- max time kernel: 144s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-01-2024 08:02
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6f25a0962565b1974bedce661c201529.exe
- Resource: win7-20231215-en
General
- Target: 6f25a0962565b1974bedce661c201529.exe
- Size: 706KB
- MD5: 6f25a0962565b1974bedce661c201529
- SHA1: 6a15e67dc15ea4603376d465e03dba4dab229f6a
- SHA256: 89425ed57b370731f3eb964d7d2bfce74b8e9e4be1be23ad76990c2d3da93579
- SHA512: 75a6d5533f6a23a0a42e43a2c3c66673ffa0d17156f070c044ce959a8b8f35023173a7c03089ac4d371d078edba5e5cef693db97423faeba0f52cc7d5972e5d6
- SSDEEP: 12288:tt8TopznXPq9thtx1nFMWS9Ov2GIVBh4W0TIu2FHsucoQHerza:JdXPq9drwn/u2FBcoQHqz
Malware Config
Signatures
- CryptBot payload (4 IoCs)
  Processes (resource | yara_rule):
  behavioral2/memory/3556-2-0x0000000002190000-0x0000000002239000-memory.dmp | family_cryptbot
  behavioral2/memory/3556-16-0x0000000000400000-0x00000000004CC000-memory.dmp | family_cryptbot
  behavioral2/memory/3556-121-0x0000000000400000-0x00000000004CC000-memory.dmp | family_cryptbot
  behavioral2/memory/3556-127-0x0000000002190000-0x0000000002239000-memory.dmp | family_cryptbot
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 6f25a0962565b1974bedce661c201529.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 6f25a0962565b1974bedce661c201529.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid | process):
  3556 | 6f25a0962565b1974bedce661c201529.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 92KB
  MD5: d63e3a8d4109b7212d419e17141dd862
  SHA1: c9637da0763277477e60128ae2cd26fb314fa80a
  SHA256: 0cdd05fd9d9515c99e713a0cdf201fae20cd5db884c08a292ce16471725c521f
  SHA512: dfee6ccabfe03415bea0d817ac0c393e98b54a0dfff102f0eee21c8e85d903e11a073aa97b7a3e8b95d88d5f86afd4c9782e7618e3119727da1e01d4895315e2
- Filesize: 1KB
  MD5: 59378601b3e5dff7077189d9e88edd4e
  SHA1: f8fad865550fc83baffcd14c63a9043423b6cef7
  SHA256: fdc3cc7b6801278364279ecaae8a67cbab8a88fecaac2d1004f2c9aed050a3ff
  SHA512: 20d93ef7c567a206cc310240598727dbc84e3ba10464315b8e1a63e19452f18f2e1cdfb0376ccca37e9076e0e7e6386783d2e119545741d1ef5c9aec1b8d77ab
- Filesize: 4KB
  MD5: 851e61f67e428ba4c08837784ad10173
  SHA1: 25e58c4e6d603c07e1cd165aceac15abdab9f0e0
  SHA256: 10d963505f5dbd25180e2c9aa2b93637fb1d224b87af6d56e73c0a08df87e157
  SHA512: 872efab6d6af65d9e00a98c3c74e1abe93a0d18b1086bfad36a239ca69c4b12f3a2ba19c568b5633f917cd5f6ada8410f99b7765a87d38a37582e91c1169dbdb
- Filesize: 38KB
  MD5: e38a6436d8821813c7509cb0e861d06c
  SHA1: 2a3ae589abe31b98b20c8f3beac13744bc275a4b
  SHA256: b0041af3dbd4f36964fe66be3b1b380fbbf15f57d9a7d4e055e3b0cc6dd7a8de
  SHA512: 0dbf85b2604a9f6903c859aa0347025922f6ff6fc573e62ae6723dc39be3ec435e90e8ad15cea6027c6d34f5e9ec2ddbdb7e9f369fc3b7a3efc483ccac905e49