Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-01-2024 00:32
Behavioral task: behavioral1
Sample: 70f6d008869f17c3e7a0331102af159b.exe
Resource: win7-20231215-en
General
Target: 70f6d008869f17c3e7a0331102af159b.exe
Size: 3.2MB
MD5: 70f6d008869f17c3e7a0331102af159b
SHA1: e22527ec22fd44d25e31a32c0048f09494de7581
SHA256: ad7a74ddae7cc81d8610ab6bedb94857f38c03b795c4a612fbacc47941286709
SHA512: 9f81b856d0e477c03bfe34581316661d79c1b8d34f1c69033b93be9e638d42653caca94ee38384b4cd889ee26a9b2bcbea9b0e1fbb5fb5a9f2b1cc6e34072c36
SSDEEP: 49152:nZOi6qmoiGguu1bzMKmkwGYU7n5qLwAO+PCEMSOvkJgaEYotide9O5m9x4lPytUp:ZSXuuNZwRU7UnZrOv8gvqOMRdgUr
Malware Config
Extracted: cryptbot
  bundky32.top
  morfug03.top
payload_url: http://tobhay04.top/download.php?file=lv.exe
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 1 IoCs
Processes: 70f6d008869f17c3e7a0331102af159b.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 70f6d008869f17c3e7a0331102af159b.exe
Checks BIOS information in registry | 2 TTPs | 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 70f6d008869f17c3e7a0331102af159b.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 70f6d008869f17c3e7a0331102af159b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 70f6d008869f17c3e7a0331102af159b.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
  resource | yara_rule
  behavioral2/memory/4884-0-0x0000000000470000-0x0000000000C5C000-memory.dmp | themida
  behavioral2/memory/4884-2-0x0000000000470000-0x0000000000C5C000-memory.dmp | themida
  behavioral2/memory/4884-3-0x0000000000470000-0x0000000000C5C000-memory.dmp | themida
  behavioral2/memory/4884-4-0x0000000000470000-0x0000000000C5C000-memory.dmp | themida
  behavioral2/memory/4884-5-0x0000000000470000-0x0000000000C5C000-memory.dmp | themida
  behavioral2/memory/4884-6-0x0000000000470000-0x0000000000C5C000-memory.dmp | themida
  behavioral2/memory/4884-7-0x0000000000470000-0x0000000000C5C000-memory.dmp | themida
  behavioral2/memory/4884-8-0x0000000000470000-0x0000000000C5C000-memory.dmp | themida
  behavioral2/memory/4884-11-0x0000000000470000-0x0000000000C5C000-memory.dmp | themida
  behavioral2/memory/4884-217-0x0000000000470000-0x0000000000C5C000-memory.dmp | themida
  behavioral2/memory/4884-220-0x0000000000470000-0x0000000000C5C000-memory.dmp | themida
  behavioral2/memory/4884-226-0x0000000000470000-0x0000000000C5C000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system | 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes: 70f6d008869f17c3e7a0331102af159b.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 70f6d008869f17c3e7a0331102af159b.exe
Suspicious use of NtSetInformationThreadHideFromDebugger | 1 IoCs
Processes: 70f6d008869f17c3e7a0331102af159b.exe
  pid | process
  4884 | 70f6d008869f17c3e7a0331102af159b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry | 2 TTPs | 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: 70f6d008869f17c3e7a0331102af159b.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 70f6d008869f17c3e7a0331102af159b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 70f6d008869f17c3e7a0331102af159b.exe
Suspicious behavior: EnumeratesProcesses | 2 IoCs
Processes: 70f6d008869f17c3e7a0331102af159b.exe
  pid | process
  4884 | 70f6d008869f17c3e7a0331102af159b.exe
  4884 | 70f6d008869f17c3e7a0331102af159b.exe
Suspicious use of FindShellTrayWindow | 2 IoCs
Processes: 70f6d008869f17c3e7a0331102af159b.exe
  pid | process
  4884 | 70f6d008869f17c3e7a0331102af159b.exe
  4884 | 70f6d008869f17c3e7a0331102af159b.exe
Processes
C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID: 4884
Network
MITRE ATT&CK Enterprise v15
Downloads