Analysis
- max time kernel: 292s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09-09-2024 05:02
Static task: static1
Behavioral task: behavioral1
- Sample: 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe
- Resource: win10-20240404-en
General
- Target: 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe
- Size: 6.4MB
- MD5: 3d1a9c6cc39f62d16e607e3024c34945
- SHA1: 980dfcb714b0de1470f94e243af75811d0fb4552
- SHA256: 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3
- SHA512: 8f30abba9f60200fd1695d2ccbf24f54652f27cf6a522cf58e003baea0c8f1e7c22112570ce34545ca61418b093d642804f9bc0dc570176d55194eddc0fd25dc
- SSDEEP: 98304:yuEL8PrbbdWhkhysgPMQtupecLz8K9U4J+x3lDO2Nh5:yuO8PrbbiH9OAK9XJAD3h5
Malware Config
Extracted: cryptbot
- tventyv20pt.top
- analforeverlovyu.top
- url_path: /v1/upload.php
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to, or copy of, the web browser credential store.
- Executes dropped EXE (5 IoCs)
  Processes (pid, process):
  - 2836 service123.exe
  - 576 service123.exe
  - 1636 service123.exe
  - 712 service123.exe
  - 3048 service123.exe
- Loads dropped DLL (7 IoCs)
  Processes (pid, process):
  - 1972 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe
  - 1972 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe
  - 2836 service123.exe
  - 576 service123.exe
  - 1636 service123.exe
  - 712 service123.exe
  - 3048 service123.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, among other data.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description, ioc, process):
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by schtasks.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description, pid, process, target process); each entry below is recorded 4 times in the report, 24 entries in total:
  - PID 1972 wrote to memory of 2836: 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe -> service123.exe (x4)
  - PID 1972 wrote to memory of 2764: 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe -> schtasks.exe (x4)
  - PID 2168 wrote to memory of 576: taskeng.exe -> service123.exe (x4)
  - PID 2168 wrote to memory of 1636: taskeng.exe -> service123.exe (x4)
  - PID 2168 wrote to memory of 712: taskeng.exe -> service123.exe (x4)
  - PID 2168 wrote to memory of 3048: taskeng.exe -> service123.exe (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID: 1972
  - C:\Users\Admin\AppData\Local\Temp\service123.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\service123.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2836
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID: 2764
- C:\Windows\system32\taskeng.exe (level 1)
  Command line: taskeng.exe {64ECB856-43B4-4C44-8205-01B8082F5351} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 2168
  - C:\Users\Admin\AppData\Local\Temp\service123.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\/service123.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 576
  - C:\Users\Admin\AppData\Local\Temp\service123.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\/service123.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1636
  - C:\Users\Admin\AppData\Local\Temp\service123.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\/service123.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 712
  - C:\Users\Admin\AppData\Local\Temp\service123.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\/service123.exe
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 3048