Analysis
-
max time kernel
290s -
max time network
255s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
09-09-2024 05:02
Static task
static1
Behavioral task
behavioral1
Sample
4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe
Resource
win10-20240404-en
General
-
Target
4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe
-
Size
6.4MB
-
MD5
3d1a9c6cc39f62d16e607e3024c34945
-
SHA1
980dfcb714b0de1470f94e243af75811d0fb4552
-
SHA256
4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3
-
SHA512
8f30abba9f60200fd1695d2ccbf24f54652f27cf6a522cf58e003baea0c8f1e7c22112570ce34545ca61418b093d642804f9bc0dc570176d55194eddc0fd25dc
-
SSDEEP
98304:yuEL8PrbbdWhkhysgPMQtupecLz8K9U4J+x3lDO2Nh5:yuO8PrbbiH9OAK9XJAD3h5
Malware Config
Extracted
cryptbot
tventyv20pt.top
analforeverlovyu.top
-
url_path
/v1/upload.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Executes dropped EXE 5 IoCs
Processes:
service123.exeservice123.exeservice123.exeservice123.exeservice123.exepid process 2532 service123.exe 224 service123.exe 3560 service123.exe 3996 service123.exe 592 service123.exe -
Loads dropped DLL 5 IoCs
Processes:
service123.exeservice123.exeservice123.exeservice123.exeservice123.exepid process 2532 service123.exe 224 service123.exe 3560 service123.exe 3996 service123.exe 592 service123.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
schtasks.exe4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exeservice123.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language service123.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exedescription pid process target process PID 3620 wrote to memory of 2532 3620 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe service123.exe PID 3620 wrote to memory of 2532 3620 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe service123.exe PID 3620 wrote to memory of 2532 3620 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe service123.exe PID 3620 wrote to memory of 5052 3620 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe schtasks.exe PID 3620 wrote to memory of 5052 3620 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe schtasks.exe PID 3620 wrote to memory of 5052 3620 4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe"C:\Users\Admin\AppData\Local\Temp\4a5a3e78f26afc3439ad4c1f5245353f5cb429355471d025919435c06af89ac3.exe"1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5052
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:224
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3560
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3996
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:592