Analysis
- max time kernel: 144s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-01-2024 07:43
Static task: static1
Behavioral task: behavioral1
- Sample: 71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
- Resource: win7-20231129-en
General
- Target: 71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
- Size: 526KB
- MD5: 71a9d91cfbd2cfa97dba3bcf47af4a4f
- SHA1: e9351cf7f8c362765edfa34cb1b70119b08dbf19
- SHA256: 3f03a1ba7c95be04ee555c6277ba4f70609f6f75e81c4ed7e0e630bc2e33c081
- SHA512: d89dc144fdd7f37cfb4c051505589b7845d94e7cd21c9abc19accc2126d7fa4a03c6c96358f689d033e4dd0ad729116dc5675582fb0c024b122e44b56d693cde
- SSDEEP: 6144:PIn2LFH8IAwJ9BiS6eG6dfJ39YB1rDFK2qwfX0miJCHnt5f2YuMPIA:gn2L0+i1enfPEUfiFistQi
Malware Config
Extracted
- Family: cryptbot
- knuxua32.top
- mornui03.top
- payload_url: http://sarpuk04.top/download.php?file=lv.exe
Signatures
-
CryptBot payload 4 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/5004-2-0x0000000004AF0000-0x0000000004B90000-memory.dmp    family_cryptbot
  behavioral2/memory/5004-3-0x0000000000400000-0x0000000002D13000-memory.dmp    family_cryptbot
  behavioral2/memory/5004-207-0x0000000000400000-0x0000000002D13000-memory.dmp  family_cryptbot
  behavioral2/memory/5004-212-0x0000000004AF0000-0x0000000004B90000-memory.dmp  family_cryptbot
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 21 IoCs
Processes:
  pid   pid_target  process       target process
  4876  5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  3824  5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  1672  5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  3400  5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  316   5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  4964  5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  3900  5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  3816  5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  4512  5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  4004  5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  2504  5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  3388  5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  2380  5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  3732  5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  2904  5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  4700  5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  224   5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  4896  5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  4648  5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  2716  5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  4368  5004        WerFault.exe  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid   process
  5004  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
  5004  71a9d91cfbd2cfa97dba3bcf47af4a4f.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\71a9d91cfbd2cfa97dba3bcf47af4a4f.exe (PID 5004)
  "C:\Users\Admin\AppData\Local\Temp\71a9d91cfbd2cfa97dba3bcf47af4a4f.exe"
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 604 (PID 4876) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 688 (PID 3824) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 768 (PID 1672) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 876 (PID 3400) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 876 (PID 316) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 876 (PID 4964) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1144 (PID 3900) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1168 (PID 3816) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1040 (PID 4512) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 692 (PID 4004) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1304 (PID 2504) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 796 (PID 3388) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 756 (PID 2380) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 972 (PID 3732) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 980 (PID 2904) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1336 (PID 4700) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1336 (PID 224) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 984 (PID 4896) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 808 (PID 4648) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1408 (PID 2716) - Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 784 (PID 4368) - Program crash
- C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5004 -ip 5004 (PID 688)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5004 -ip 5004 (PID 4372)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5004 -ip 5004 (PID 2904)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5004 -ip 5004 (PID 4240)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5004 -ip 5004 (PID 4980)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5004 -ip 5004 (PID 772)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5004 -ip 5004 (PID 3036)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5004 -ip 5004 (PID 1992)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5004 -ip 5004 (PID 2772)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5004 -ip 5004 (PID 1212)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5004 -ip 5004 (PID 2284)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5004 -ip 5004 (PID 4160)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5004 -ip 5004 (PID 2760)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5004 -ip 5004 (PID 2524)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5004 -ip 5004 (PID 1252)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5004 -ip 5004 (PID 4836)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5004 -ip 5004 (PID 1076)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5004 -ip 5004 (PID 4984)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5004 -ip 5004 (PID 1396)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5004 -ip 5004 (PID 2072)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5004 -ip 5004 (PID 180)
Network
MITRE ATT&CK Enterprise v15
Downloads