Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 02:24
Static task: static1
Behavioral task: behavioral1
Sample: 737d02c261755ff5c920fa52d4f03fce.exe
Resource: win7-20231129-en
General
Target: 737d02c261755ff5c920fa52d4f03fce.exe
Size: 758KB
MD5: 737d02c261755ff5c920fa52d4f03fce
SHA1: bf966e82d41c1fe537763339fa779e3ba9236331
SHA256: 50f41c07db1d0d625cd0746a78dc15a1193f4fd0f80e6a4df40315f24efe2110
SHA512: 83f0abaacb5c470d31372d97a0aae5e64bfbb73c401341e71be9d65984346d4ea68cae09a400f36567daf604e81db4d3806dfffbf5e2c4668e8c079688382bfb
SSDEEP: 12288:LfzsUnViD0DUj9rIS7M1NAFZaquBKFrj+59APMQme+alY7WSmdAon:LYUED0YjdIALar0OADR+afSy
Malware Config
Extracted
family: cryptbot
C2: ewaisg12.top, morvay01.top
payload_url: http://winezo01.top/download.php?file=lv.exe
Signatures

CryptBot payload (4 IoCs)
resource | yara_rule
behavioral2/memory/2772-2-0x0000000002300000-0x00000000023E1000-memory.dmp | family_cryptbot
behavioral2/memory/2772-3-0x0000000000400000-0x00000000004E5000-memory.dmp | family_cryptbot
behavioral2/memory/2772-213-0x0000000000400000-0x00000000004E5000-memory.dmp | family_cryptbot
behavioral2/memory/2772-221-0x0000000002300000-0x00000000023E1000-memory.dmp | family_cryptbot

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | 737d02c261755ff5c920fa52d4f03fce.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | process | target process
2572 | 2772 | WerFault.exe | 737d02c261755ff5c920fa52d4f03fce.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandbox environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 737d02c261755ff5c920fa52d4f03fce.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 737d02c261755ff5c920fa52d4f03fce.exe

Delays execution with timeout.exe (1 IoC)
pid | process
2660 | timeout.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | process
2772 | 737d02c261755ff5c920fa52d4f03fce.exe
2772 | 737d02c261755ff5c920fa52d4f03fce.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | process | target process
PID 2772 wrote to memory of 3416 | 2772 | 737d02c261755ff5c920fa52d4f03fce.exe | cmd.exe
PID 2772 wrote to memory of 3416 | 2772 | 737d02c261755ff5c920fa52d4f03fce.exe | cmd.exe
PID 2772 wrote to memory of 3416 | 2772 | 737d02c261755ff5c920fa52d4f03fce.exe | cmd.exe
PID 3416 wrote to memory of 2660 | 3416 | cmd.exe | timeout.exe
PID 3416 wrote to memory of 2660 | 3416 | cmd.exe | timeout.exe
PID 3416 wrote to memory of 2660 | 3416 | cmd.exe | timeout.exe
Processes

C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe"
  PID: 2772
  - Checks computer location settings
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\MlyZcXFIlenkW & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe"
      PID: 3416
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe
          command line: timeout 3
          PID: 2660
          - Delays execution with timeout.exe

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1656
      PID: 2572
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2772 -ip 2772
  PID: 2240
Downloads

Filesize: 43KB
MD5: 56ded12bea87b6f5880a194cf8faad2f
SHA1: cc54fa871dbf7f84b6ee3bd56b27661adfc56abc
SHA256: f0a0f5b8fb43be5e7ded0ca56153671b7a6bb8ecf3f11128c3a914aa3aef3c9e
SHA512: 3308772fc97088f88924aa21538df92038a768caa04ce1087e78d4222d9621ac57abcdfcc133b8d776096620c3f6ade53107b2aa55fa55a530d16170739c46cb

Filesize: 43KB
MD5: e7840dfe3037e9c89b7eaffd6749ae60
SHA1: 55fd95b3282d9c6437384b5aadee80f29e943859
SHA256: 1be96545295c6b68198df2e4f98de0bc49111075cb595165ef3ca4a9a4424af0
SHA512: 08d2b34743d37cb8ab3c62df7cde1981b150270f1ccc663562485df8f3a9240032aa284290a3f5c1cfd5d0831dfbe64ca2dacfcad7bb194046762dca3ca8028c

Filesize: 7KB
MD5: c9b7579ebca5a7ee3753ca300169e6bf
SHA1: 5235868e6b7801d2219c74fa0c939335c9155292
SHA256: 8050792c02656151d1c5b79de5d71b59cfa56095d83ae5561853753d13235bd0
SHA512: 02d5d6369754f0fdb4caa061ad2aae4d5cfe36a077ed17ee02b5d375612027b90f27122760ea3ab085f446f0cd4f55a3763845bf1a214ad5b2bf5bc02679f111

Filesize: 1KB
MD5: 29e8bf252fb4de044be8b2ce9a9e8dcf
SHA1: c40c3c71c42fc88a030ae312534ed10b358a1e01
SHA256: 3b4e9cf2ebeb4529fd678617995d624621ec8c6bc7d37f80a3cfb4a77b87f5ef
SHA512: eacbcee49c2e1f3e12235f08645891bdca34f26d1ef2222832a95e53d0b2f07e70c784a237c6a567532953ebb3925df530adccac9dbb90467b3568201b9b6bb3

Filesize: 2KB
MD5: 2c026d96645dfcb8ae0efcb02ff3d247
SHA1: 861e4c644c78a2cf9e813b6e52d465a661e0e39b
SHA256: ba0adeca6da6f7f4b7ff6b232fbec518c336ddd30aa6a01aafed0c07a23cd5ad
SHA512: f4158a1f890556d748abde57451a0748823ecb738860f7e90a2e35c55fe864d546ab28cde2031fc029cfffa885b92e6f9e604960bff495130a0bed2cd169d5ba

Filesize: 4KB
MD5: fbea420b3d024d7f0ae2569fa85359d3
SHA1: 6567fa01a19f8205adcf0cc4022c46be3eaf4140
SHA256: d1031948e743b06fda23504a1c2deade6f398f2cd4e0ca37248e859eb6e17e49
SHA512: 10417e1d71aec20da3ac9f0418b4c4303c3551c3671a415d6acbeea415b5e07deb6ae435e0f12c001e1c6a039f09534d9a3f90f30627a3f25f25181617baa2b5

Filesize: 49KB
MD5: d1b9c80cd1079a8ad77271bd076e14c9
SHA1: 216c0bea5a938c8b188e3a710100333bd139216d
SHA256: 9e8a4bbb555a8ce13a54aba7c6376fc157f93423cc38c4e39c05783350bc075e
SHA512: 027498e8e98c90988cd10f43444d3f83a46f38d875014231cf2ce9803ec12fcac39760f32ccfb02875d720af17cbfddd8db54ec76d4ddd0a7171029fbcdb88e9

Filesize: 7KB
MD5: 0b772839a39ab50f56954d664c3dba2f
SHA1: 7ef34102ca329a9f9ea063af19d7470af8f30c45
SHA256: ccb2d57daaf39acca1673a72baf122cbdbcc97744201ad0ee9ebb2080f434270
SHA512: 6c9031acfc01ac83ad7574a76f386a9d1608df5bf0e235b6e204ebe533c54fd3d5e21a6cc157dc277a595cac671c2aab8b46af710f127c4bb63250759b9f9020

Filesize: 1KB
MD5: 2858d3392008fef526bf489a093aa339
SHA1: 9665f1023d35869d4777b7bf1aca385f6054f60b
SHA256: 3d451743022a5a227c7364757bca38ee2a8c5183e45b53254e3db216005fbfb7
SHA512: c5f4edb487c466f95a4ede869035bf271f7a19bff357718eaeb4face8b71fa8b4eb6e8bd2235b20b639343ba729a91f0e267c46aed114680ebdb75d83313dd6c

Filesize: 2KB
MD5: 89799f775ed03f1f0e101e476d96e24c
SHA1: 18f475e120ffc7ea6cef2813a56ebbc7affc9b0f
SHA256: f7978077b305d519988098ba441fce2f1cdf969fbad6d5d9154561c04bd06416
SHA512: 6aba83268cf3a429fa3806ac07e68f54fe95f4757f666d7e0e3038e4c487a36164d4619a519b3831fc5fd04c253e5f308e959f743df7768c167bd632d8522cb9

Filesize: 4KB
MD5: ba6187ae0e05c7aa0ccd39fc62f2b403
SHA1: 6df44d482be9d8a025381a5d1283c4ccf6e837e4
SHA256: 4cd1fb56edf733227097b7c0b37ab23ab50293346e74799ed85aa0e006a995cc
SHA512: 02f51ff7cab50d62b44e1cb76581ab7938ac00ee702dd812e407e90d4be76e9027df62be151e97e20f60b3a99458d57eb86f0846750fc71cd3bd31e6428e69cd