Analysis
-
max time kernel
248s -
max time network
216s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
23-09-2024 08:11
General
-
Target
_△_LaTe$T░SeTuP░PA$S↳oPeN↳9192_△_.zip
-
Size
11.4MB
-
MD5
e1dcd0e648e6b9a41c93832a3939f0c7
-
SHA1
b6117d817c6114b4d6143bed2521f852b140f6d4
-
SHA256
f11ed152198063b52e70784377b79758d3786efdb5a92fa4c248d9d6920105da
-
SHA512
84f67467ff5a511f832d5e8263b500895dcdedcdc886fb4f674041768dd03caadb844d89b903f344dc8eb481d0f97bc6c34f54a0b45060a7e40844c5e09a7927
-
SSDEEP
196608:1l66/QNc4TuXO84APfLmKvKL4nB+qEbqY2+xkHuKUYIek81EfttWetB8:T66/9MuB4APTNc8UqgqexkOKUYZH1Efo
Malware Config
Extracted
cryptbot
forvf14vs.top
analforeverlovyu.top
-
url_path
/v1/upload.php
Signatures
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 61 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 11 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\_△_LaTe$T░SeTuP░PA$S↳oPeN↳9192_△_.zip1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Documents\_△_LaTe$T░SeTuP░PA$S↳oPeN↳9192_△_\~△~LaTe$T░SeTuP░PA$S↳oPeN↳9192~△~.rar"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\Documents\_△_LaTe$T░SeTuP░PA$S↳oPeN↳9192_△_\Set-up.exe"C:\Users\Admin\Documents\_△_LaTe$T░SeTuP░PA$S↳oPeN↳9192_△_\Set-up.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\Documents\_△_LaTe$T░SeTuP░PA$S↳oPeN↳9192_△_\Set-up.exe"C:\Users\Admin\Documents\_△_LaTe$T░SeTuP░PA$S↳oPeN↳9192_△_\Set-up.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\_△_LaTe$T░SeTuP░PA$S↳oPeN↳9192_△_\Set-up.exe"C:\Users\Admin\Documents\_△_LaTe$T░SeTuP░PA$S↳oPeN↳9192_△_\Set-up.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\_△_LaTe$T░SeTuP░PA$S↳oPeN↳9192_△_\Set-up.exe"C:\Users\Admin\Documents\_△_LaTe$T░SeTuP░PA$S↳oPeN↳9192_△_\Set-up.exe"1⤵
- Executes dropped EXE
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Documents\_△_LaTe$T░SeTuP░PA$S↳oPeN↳9192_△_\carferry.flv"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Documents\_△_LaTe$T░SeTuP░PA$S↳oPeN↳9192_△_\~△~LaTe$T░SeTuP░PA$S↳oPeN↳9192~△~.rar"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
28KB
MD512a1746600b124e34c681ab785c8df3b
SHA11da5f13baf3072030c742fe272ec7831ec153b2e
SHA256f9a0679d519e9c9be2338ce731da18f9bbc8d052aa1db6541a7010b386a66289
SHA5123aca3dec4af8ee8502a92863c74141dadbf75fbdfa415932f8398ab6fdd4f027cc4bc5ea88ec2268d1555a1819c0f75bfe400a84c8d1c07457e43cc81dbb000b
-
Filesize
28KB
MD57b4573c699adca48b24f56d1a87e2bd6
SHA11c38b22075b4d1ee7aadcb64707682ead1f96de7
SHA2566c169f8ac6e828cf567a651b2272af9ad47a1248009faf6ab22ed16d4c0c6b33
SHA51228de00d011a83d55931f8ab6120cc599ae2cefe32f86def3b92e921c8069d76efa4dc9ce65cf73855100520064f1a6aac4f948c85f9288ecd795a4d614049fc6
-
Filesize
6.4MB
MD5c275190b7a27146fcd3c22bd854b5c6f
SHA161647ef2da589ce9592d6e14b4f84ae9948616b5
SHA25648cf8e1f546c7e4e68251a1be5173dc6b8554df7d8708423e0a0e6bd2442919a
SHA5126f035fda134bf089cf6a7707b714ca1c1245c62c313eef34bacc0944e55459109b9db42f6036e05b18b0798f097e1c561edd5e1b55a8915f65d7857662a8a35c
-
Filesize
11KB
MD516a30926e4ebc495d3659854c3731f63
SHA12b46d1ee4f0b9c6b184aad6d9a246745b3b4163c
SHA256dc260b93c358e10fc6f74c0b9f487dd0c2fd58e791ec5b0925b0546258923b36
SHA51204a4893e068a6bcbec340398868b37adcf8d41580b2e6eb7a5cd30396a14acd401e67cfbb0e3ed05fa31601cb0261b82df2a4d9a3713db7e39c61c7fb64ea71f
-
Filesize
12.4MB
-
Filesize
260KB
-
Filesize
68KB
-
Filesize
24.4MB
-
Filesize
16.7MB
-
Filesize
92KB
-
Filesize
96KB
-
Filesize
92KB
-
Filesize
208KB
-
Filesize
992KB
-
Filesize
68KB
-
Filesize
2.7MB
-
Filesize
2.0MB
-
Filesize
192KB
-
Filesize
96KB
-
Filesize
68KB
-
Filesize
108KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
412KB
-
Filesize
348KB
-
Filesize
68KB
-
Filesize
496KB
-
Filesize
96KB
-
Filesize
132KB
-
Filesize
116KB
-
Filesize
68KB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
68KB
-
Filesize
1.2MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB