Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://href.li/?htt...

windows10-1703-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    131s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    18/09/2024, 23:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://href.li/?https://cdn.discordapp.com/attachments/1285506775860379794/1286022925752729722/Latet_setUP_PASw0rdoPen9192.zip?ex=66ec65ae&is=66eb142e&hm=d9ce995feebb9fc7c233afeb249de1b96b15636a117222d3753718d987f003d0&

Score
10/10
cryptbotcredential_accessdiscoveryspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

twovdf2ht.top

analforeverlovyu.top
Attributes
  • url_path

    /v1/upload.php

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 39 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://href.li/?https://cdn.discordapp.com/attachments/1285506775860379794/1286022925752729722/Latet_setUP_PASw0rdoPen9192.zip?ex=66ec65ae&is=66eb142e&hm=d9ce995feebb9fc7c233afeb249de1b96b15636a117222d3753718d987f003d0&
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4744
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff813de9758,0x7ff813de9768,0x7ff813de9778
      2⤵
        PID:32
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1756,i,10305186133467422238,4803410768900618292,131072 /prefetch:2
        2⤵
          PID:1504
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1756,i,10305186133467422238,4803410768900618292,131072 /prefetch:8
          2⤵
            PID:1460
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1756,i,10305186133467422238,4803410768900618292,131072 /prefetch:8
            2⤵
              PID:4736
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1756,i,10305186133467422238,4803410768900618292,131072 /prefetch:1
              2⤵
                PID:2316
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1756,i,10305186133467422238,4803410768900618292,131072 /prefetch:1
                2⤵
                  PID:440
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4384 --field-trial-handle=1756,i,10305186133467422238,4803410768900618292,131072 /prefetch:1
                  2⤵
                    PID:3500
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=1756,i,10305186133467422238,4803410768900618292,131072 /prefetch:8
                    2⤵
                      PID:1596
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4792 --field-trial-handle=1756,i,10305186133467422238,4803410768900618292,131072 /prefetch:2
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4136
                  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                    1⤵
                      PID:3188
                    • C:\Windows\System32\rundll32.exe
                      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                      1⤵
                        PID:784
                      • C:\Program Files\7-Zip\7zG.exe
                        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Latet_setUP_PASw0rdoPen9192\" -spe -an -ai#7zMap3040:116:7zEvent10841
                        1⤵
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        PID:2340
                      • C:\Program Files\7-Zip\7zG.exe
                        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Latet_setUP_PASw0rdoPen9192\⋯◎➤Late$t_setUP_◉PA$Sw0rd$$☆oPen➤◎♯9192♯⋯◎∻\" -an -ai#7zMap26195:292:7zEvent19445
                        1⤵
                        • Suspicious use of FindShellTrayWindow
                        PID:2472
                      • C:\Users\Admin\Downloads\Latet_setUP_PASw0rdoPen9192\⋯◎➤Late$t_setUP_◉PA$Sw0rd$$☆oPen➤◎♯9192♯⋯◎∻\Set-up.exe
                        "C:\Users\Admin\Downloads\Latet_setUP_PASw0rdoPen9192\⋯◎➤Late$t_setUP_◉PA$Sw0rd$$☆oPen➤◎♯9192♯⋯◎∻\Set-up.exe"
                        1⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Checks processor information in registry
                        PID:4760
                        • C:\Users\Admin\AppData\Local\Temp\service123.exe
                          "C:\Users\Admin\AppData\Local\Temp\service123.exe"
                          2⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          PID:820
                        • C:\Windows\SysWOW64\schtasks.exe
                          "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
                          2⤵
                          • System Location Discovery: System Language Discovery
                          • Scheduled Task/Job: Scheduled Task
                          PID:4976
                      • C:\Users\Admin\Downloads\Latet_setUP_PASw0rdoPen9192\⋯◎➤Late$t_setUP_◉PA$Sw0rd$$☆oPen➤◎♯9192♯⋯◎∻\Set-up.exe
                        "C:\Users\Admin\Downloads\Latet_setUP_PASw0rdoPen9192\⋯◎➤Late$t_setUP_◉PA$Sw0rd$$☆oPen➤◎♯9192♯⋯◎∻\Set-up.exe"
                        1⤵
                        • Executes dropped EXE
                        PID:2360
                      • C:\Users\Admin\Downloads\Latet_setUP_PASw0rdoPen9192\⋯◎➤Late$t_setUP_◉PA$Sw0rd$$☆oPen➤◎♯9192♯⋯◎∻\Set-up.exe
                        "C:\Users\Admin\Downloads\Latet_setUP_PASw0rdoPen9192\⋯◎➤Late$t_setUP_◉PA$Sw0rd$$☆oPen➤◎♯9192♯⋯◎∻\Set-up.exe"
                        1⤵
                        • Executes dropped EXE
                        PID:1840
                      • C:\Users\Admin\AppData\Local\Temp\service123.exe
                        C:\Users\Admin\AppData\Local\Temp\/service123.exe
                        1⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:2484

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Filesize

                        20KB

                        MD5

                        85eef58b10ac30033fc2f45b461c3bc7

                        SHA1

                        8d0a601017f91497a24c29566f461522c156bc77

                        SHA256

                        58797cf30c3aa30bc6681c1c392dd0ea0ba1a66096aeffd5a580ae7ec24a4b3b

                        SHA512

                        460cbca54d4953d6c13165ca97eb076603169e24a27d5fd1a21159fe944f1bd4e15e383b7e901b0f66184325d4e4275b9cea3a10c8bd8db4fc651230761ef0e3

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                        Filesize

                        861B

                        MD5

                        fa2add0e608f8cea39813f7af265d6b3

                        SHA1

                        8ee7426b00463ce356dc6d2abb133fde87f448e3

                        SHA256

                        c08979f7aca9663a72a9f0209fb81803d43a19fc7f2ebdcd2847e97213010e92

                        SHA512

                        bb126998101fdbb3bfc05f507eaddfe45aea112301f65848455ad5ae58490617ad58a4001e58e5eab7aa01fa3c4d899209077aef2d04021a2f3fba7a44b1abd5

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                        Filesize

                        537B

                        MD5

                        9b5807eaaf6c0e1bac5d5378412d312b

                        SHA1

                        1cccda40b124bb0a81c64aada37ce0d0e783dfe2

                        SHA256

                        974b25248c552b5b9a7a892552add0a05954ec5c80eac81b91321a47c8306171

                        SHA512

                        70124afdaec0bc0ab9f7e6a28c2c4b6af9f8a79e77eb5dd64865365e027e0a193b8906a8215724651142ba13efeaa500be28910939ad0ab5ab6c1396a0848c2e

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                        Filesize

                        6KB

                        MD5

                        deaa10d72ab2e612ddf67682270ea18a

                        SHA1

                        a0c126eb122f3ed66445715856e5ded52ee9f4c8

                        SHA256

                        e0222b734917b7760fba3dc759a08faf6dbc5c5e5f35ecb08f1ad00e1dacab3a

                        SHA512

                        665a6dc0f39de26a64e1da5c9a9b7c87fa47e83087f5a7f802b4947aff2b67ca38b51c2b31565aa71761b0830d6d3484714c1a77f3e424ca26bca861ef9c8894

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                        Filesize

                        6KB

                        MD5

                        5058f9cefc08fb8dfa7b52e6987cf9f9

                        SHA1

                        b9687ad71adc010bb9e056d442f621aaebe2e765

                        SHA256

                        046e7ec361b687c7689bec3b1b942777411bb4b5cbce0596acc813568a06225d

                        SHA512

                        f25b850e3bc12fda38bb45490265901af81a7a9f704f5f807c70437af82f8f92e98200ea9ffb74e05d8b3c962afe0d5506cb37c29ef9f5ed1cc0a1f77554c18e

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                        Filesize

                        6KB

                        MD5

                        18dacf47b5a4c72a20723e4ad0b18656

                        SHA1

                        cf0320e7870861deba639dd2b317870966e89551

                        SHA256

                        40278bd3f59b5888d017727a1178a3f09c8cb117137f5184a23259d6564e8d73

                        SHA512

                        004e46e5db1fa7da81d40dd441c722af3a1bf1b136571cbe9f08da141118c6e5eb639dc45baca4b8b52bd851924db9dd303642c14a992d13afa24252c44ca36d

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                        Filesize

                        5KB

                        MD5

                        fd5acaad2798bcb556451b74ed39ad4b

                        SHA1

                        7c18c029e2ba54bb599fc423f555b49e5ac7038f

                        SHA256

                        f7b7e9cd37e417d58ba973db266a1b74165d3f4bb82081d26a21e0cb973aa32b

                        SHA512

                        5d2fd0e70c9ba37bf4302e5b6610298e2a27d213ebc8a04c79751418630f42a98c9617ccaacc633c05a17ef4bd961bea52304216467a01154220fa55fbad56f4

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                        Filesize

                        136KB

                        MD5

                        9d556137b26d7bfc392e3713bc60a71f

                        SHA1

                        d6b948a7f4d7b64a3b50b7a00a032c506b0cd647

                        SHA256

                        a36a630b24a026c6368be25cb6ace55d8d18c460a389e70eef4e3d1243ad2376

                        SHA512

                        ef2acf07dd3fad95eb290ba02f4346eff79c20044ba75e1de3949b3a9e4a6b7b692635785a34ac53170a0bc4c895d91a4051e8603a1db4f9eebd271b484cd60a

                        Download Submit

                      • C:\Users\Admin\Downloads\Latet_setUP_PASw0rdoPen9192.zip
                        Filesize

                        21.6MB

                        MD5

                        32b1d3878ae673cd74f8217d255226e8

                        SHA1

                        69885bc43921a281e6f4c475c9f5a7d66824f73a

                        SHA256

                        2bb5aa4e5cd1bb67b5e753f07bd0c220c7e61ae71e5778c388c4d863f825f772

                        SHA512

                        d2e0c596ab152b0c595a29c787aefbbd567d36247bedda2dfc0dd81684a4308b7bce89fdb9a6d79d26417bb887db91ee8583ab132bf5d68b859a0226675835cd

                        Download Submit

                      • C:\Users\Admin\Downloads\Latet_setUP_PASw0rdoPen9192\⋯◎➤Late$t_setUP_◉PA$Sw0rd$$☆oPen➤◎♯9192♯⋯◎∻\Set-up.exe
                        Filesize

                        6.3MB

                        MD5

                        214cbb6fd1ceda2a3b90fe0747f0bedb

                        SHA1

                        1e3474ae6dfe1cc800d1ad25fadb87ddeb2e419d

                        SHA256

                        d07019ea6973706c4bda9a2a36f618fee4d3a99b1e1a2e22e7e0b11ef597ea3a

                        SHA512

                        daac2c6a0890259f72bddbc748719c4c46e2ac80c0763e111ab5c662034d944106e2c1cc7c3cd61ba716c59bd6251c39767d227464964f018224557f286eb963

                        Download Submit

                      • C:\Users\Admin\Downloads\Latet_setUP_PASw0rdoPen9192\⋯◎➤Late$t_setUP_◉PA$Sw0rd$$☆oPen➤◎♯9192♯⋯◎∻\⋯◎➤Late$t_setUP_◉PA$Sw0rd$$☆oPen➤◎♯9192♯⋯◎∻.rar
                        Filesize

                        21.6MB

                        MD5

                        dd784d1b7d3708a2d3863ca8e5846cc6

                        SHA1

                        aa52a01b9a4dc21c0bad712d03190b0536591145

                        SHA256

                        a73a05e4eb30451f436e50bde951a5045c2e9537d679634557b4c4b3ae791b58

                        SHA512

                        395742c107936ff744c043db0c62bf65ced9f943229f90d97bf0fdc78e5400a0b4a768e76f078bc3722d5210bdccda1c5f999e384ccd5cf26837123e286f6650

                        Download Submit

                      • memory/820-309-0x0000000000990000-0x00000000009A1000-memory.dmp

                        Filesize

                        68KB

                        Download

                      • memory/820-310-0x0000000074670000-0x00000000747AC000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/1840-281-0x0000000000400000-0x0000000001063000-memory.dmp

                        Filesize

                        12.4MB

                        Download

                      • memory/2360-279-0x0000000000400000-0x0000000001063000-memory.dmp

                        Filesize

                        12.4MB

                        Download

                      • memory/2484-315-0x0000000000990000-0x00000000009A1000-memory.dmp

                        Filesize

                        68KB

                        Download

                      • memory/4760-266-0x0000000000400000-0x0000000001063000-memory.dmp

                        Filesize

                        12.4MB

                        Download

                      • memory/4760-284-0x0000000000400000-0x0000000001063000-memory.dmp

                        Filesize

                        12.4MB

                        Download

                      • memory/4760-306-0x0000000000400000-0x0000000001063000-memory.dmp

                        Filesize

                        12.4MB

                        Download