Analysis
- max time kernel: 143s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 27-01-2024 01:52
Static task: static1
Behavioral task: behavioral1
- Sample: 78f92ab7f036ac56b81b11c26bde3f04.exe
- Resource: win7-20231215-en
General
- Target: 78f92ab7f036ac56b81b11c26bde3f04.exe
- Size: 663KB
- MD5: 78f92ab7f036ac56b81b11c26bde3f04
- SHA1: 487731245cf2d514d8500d41820ed05badccf9ab
- SHA256: 63634e6216314ba19543cd53527712010c3a1b9538b52081478072f2ef1fbbe8
- SHA512: d343ea01d91a644fb032902af92c011803e6374ed0bcba76c8a06ac04079efead0fd46f09f75905fe2a56ce92eeca8837ff9399af0816ba1306c2b16d52e9ea9
- SSDEEP: 12288:ot9YDdx9JdlBCxLWa94q20dnp1yNh+LSVU1LkpgU502yuwnHXnlawOYYyMbX5VQq:ooXlBCxi+n8wLk+UauCXnEwYJjcXYx
Malware Config
Extracted: cryptbot
- ewafxq25.top
- morzup02.top
- payload_url: http://winqoz02.top/download.php?file=lv.exe
Signatures
- CryptBot payload (3 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/2164-2-0x0000000000400000-0x00000000004C1000-memory.dmp: family_cryptbot
  behavioral1/memory/2164-3-0x0000000000310000-0x00000000003B0000-memory.dmp: family_cryptbot
  behavioral1/memory/2164-221-0x0000000000400000-0x00000000004C1000-memory.dmp: family_cryptbot
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (78f92ab7f036ac56b81b11c26bde3f04.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (78f92ab7f036ac56b81b11c26bde3f04.exe)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid / process):
  2164 78f92ab7f036ac56b81b11c26bde3f04.exe
  2164 78f92ab7f036ac56b81b11c26bde3f04.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads