Analysis
- max time kernel: 145s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 24-01-2024 07:43
- static task: static1
- behavioral task: behavioral1
- sample: 71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
- resource: win7-20231129-en
General
- Target: 71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
- Size: 526KB
- MD5: 71a9d91cfbd2cfa97dba3bcf47af4a4f
- SHA1: e9351cf7f8c362765edfa34cb1b70119b08dbf19
- SHA256: 3f03a1ba7c95be04ee555c6277ba4f70609f6f75e81c4ed7e0e630bc2e33c081
- SHA512: d89dc144fdd7f37cfb4c051505589b7845d94e7cd21c9abc19accc2126d7fa4a03c6c96358f689d033e4dd0ad729116dc5675582fb0c024b122e44b56d693cde
- SSDEEP: 6144:PIn2LFH8IAwJ9BiS6eG6dfJ39YB1rDFK2qwfX0miJCHnt5f2YuMPIA:gn2L0+i1enfPEUfiFistQi
Malware Config
Extracted: cryptbot
- knuxua32.top
- mornui03.top
- payload_url: http://sarpuk04.top/download.php?file=lv.exe
Signatures
- CryptBot payload (4 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/2956-2-0x0000000000330000-0x00000000003D0000-memory.dmp: family_cryptbot
  behavioral1/memory/2956-3-0x0000000000400000-0x0000000002D13000-memory.dmp: family_cryptbot
  behavioral1/memory/2956-227-0x0000000000400000-0x0000000002D13000-memory.dmp: family_cryptbot
  behavioral1/memory/2956-230-0x0000000000330000-0x00000000003D0000-memory.dmp: family_cryptbot
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (71a9d91cfbd2cfa97dba3bcf47af4a4f.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (71a9d91cfbd2cfa97dba3bcf47af4a4f.exe)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid / process):
  2956 71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  2956 71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
Downloads