Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-01-2024 01:52
Static task: static1
Behavioral task: behavioral1
Sample: 78f92ab7f036ac56b81b11c26bde3f04.exe
Resource: win7-20231215-en
General
Target: 78f92ab7f036ac56b81b11c26bde3f04.exe
Size: 663KB
MD5: 78f92ab7f036ac56b81b11c26bde3f04
SHA1: 487731245cf2d514d8500d41820ed05badccf9ab
SHA256: 63634e6216314ba19543cd53527712010c3a1b9538b52081478072f2ef1fbbe8
SHA512: d343ea01d91a644fb032902af92c011803e6374ed0bcba76c8a06ac04079efead0fd46f09f75905fe2a56ce92eeca8837ff9399af0816ba1306c2b16d52e9ea9
SSDEEP: 12288:ot9YDdx9JdlBCxLWa94q20dnp1yNh+LSVU1LkpgU502yuwnHXnlawOYYyMbX5VQq:ooXlBCxi+n8wLk+UauCXnEwYJjcXYx
Malware Config
Extracted
cryptbot
ewafxq25.top
morzup02.top
payload_url: http://winqoz02.top/download.php?file=lv.exe
Signatures
-
CryptBot payload 5 IoCs
Processes:
(resource / yara_rule)
behavioral2/memory/2348-2-0x00000000020F0000-0x0000000002190000-memory.dmp | family_cryptbot
behavioral2/memory/2348-3-0x0000000000400000-0x00000000004C1000-memory.dmp | family_cryptbot
behavioral2/memory/2348-4-0x0000000000400000-0x00000000004C1000-memory.dmp | family_cryptbot
behavioral2/memory/2348-208-0x0000000000400000-0x00000000004C1000-memory.dmp | family_cryptbot
behavioral2/memory/2348-211-0x00000000020F0000-0x0000000002190000-memory.dmp | family_cryptbot
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
78f92ab7f036ac56b81b11c26bde3f04.exe (description / ioc / process)
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 78f92ab7f036ac56b81b11c26bde3f04.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 78f92ab7f036ac56b81b11c26bde3f04.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
78f92ab7f036ac56b81b11c26bde3f04.exe (pid / process)
2348 | 78f92ab7f036ac56b81b11c26bde3f04.exe
2348 | 78f92ab7f036ac56b81b11c26bde3f04.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 43KB
MD5: 47edf0f7993b3fc971a0c81d9dbf9723
SHA1: 01a4f849c6ec64818c32e27f494ed5b3781b3bd0
SHA256: 79691e0f07b2dd1ac31711570553212d4e23b46631d8f8955efd878d00fd2a4c
SHA512: 559eb5b381cd313c2ad4599603aa6d3b657ea72a17a0a35e6b3a3efe165260a59d3d59b5eaeb9b6095f88e1ab6b5076ea71edd8370062597f9b0308b2a2131cd

Filesize: 3KB
MD5: 2e6d1f9715cd85fb66beaa5f00f14a08
SHA1: 43c1adbcaf15ff5356df185ae0cb8ea3d35d2d60
SHA256: 393db304c4e6a5132f01f495514f9aed22c1f68226e33c570891dc24bb693b18
SHA512: 23a42878c2a6bef2c254aa89f79952266a1dfa605ca468cc6fa2ed623dfe78129fe430bcb58018e8f9250f6afe90152618023b9508e2db0a7bf736f6669a87bc

Filesize: 4KB
MD5: 519a50303fb00332581cee46fdd7ba85
SHA1: 083f55f36d37d6b1b5d4bed11d0b00489ca4fa10
SHA256: a246ecfbf198d93561a13f13fbc1afcdd6ee9a31cb28417f5f34f51fb25961e1
SHA512: 63dec744c186dc4a08df2f5c6550538a9d026328c671799b254919b0f6f280a72ba3d35f2694aaae23af9f123221c235742b078fcdb02fc8d241b6b6f4674acb

Filesize: 49KB
MD5: d024721a7143412d574f21e43afe606b
SHA1: b31fe8ee8fe2493945b3a298b2715a603b5c3674
SHA256: 41dff22f03e4c72be0d461046088d2b70e74ee41bfa41c21d55dbea39d6add0e
SHA512: 376abc4be47d397867538f826562382f7e110815c18c48e8ccf488e9e11d45f291053d24cb1a24ab9ed2805f556ff19e77606c57c4c75c0365c12ca51bd88d4f

Filesize: 808B
MD5: ec5c17b55260bb99d4481655f594936a
SHA1: 7560dd42cdee6827fbb16ec48436aa7c6962dfcc
SHA256: e68b979104a1511b20ef9ec8d04cb9a7079ca32e9f9a121f6ed6aa7a1c17f160
SHA512: a6d218b1fff01263dc7decbbe53c943a97b91d9f70cb339d8b6daf37d98f9cbfa8db1ed9a83d27dc70c5d3ecdba849cac527ff9f10da4d1a2ee2ba600dfbcb22

Filesize: 4KB
MD5: 6286f4f6c98ffe4acebb8de123400907
SHA1: 6b5af520ce29b3e270ed4d60b10ace5e83b87eeb
SHA256: 903777a510fa7d4b056f8bd0e8a1cc09d1fa2f4b73799cf7fb21050f604d21e6
SHA512: 64a052f587c96c82922fa442fbc1cd854391a80e07ddd0656fbc21c1694d5d0b7389c73e3c1c0da73dbe504ffddf4e3284834d2f3c5b10f15569414052b3c8b4

Filesize: 7KB
MD5: 5e4a241ab0c42ca0741fb5a038c321a9
SHA1: 575fda6baf57a5a58e39b08a36ccda5b7f78abf2
SHA256: e2449fc8a0f2a499c7f4b99ec19b24e36d18da20f14f311d1a17d9346721847c
SHA512: 3851914e085280c176e60f39ea225864de32aca0187d05cdf8af0bc8635557699387474063321fe9486ecb99a43194f557587f7277fd69976946e763d0b4437c

Filesize: 43KB
MD5: e7cd7c5fbb774dfb83b089de03f0be94
SHA1: 205cba93ce83f702d87bc9040998f20b8bb314bf
SHA256: 980a46f3494071436dc0a15a571ba68f9f6c51a0c55ede1a4793bbe1624e7b91
SHA512: 9775a819e5e4da7336a2bc1e11cc58c107548f9ba7b64ce59746c8d41bd53a5bf75251564e78df107c38076c2a04d83b4cae32d94b87bc5fd9ec73f03d117771