Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11-10-2024 14:12

Static task: static1
Behavioral task: behavioral1
- Sample: f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe
- Resource: win7-20240903-en
General
- Target: f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe
- Size: 9.7MB
- MD5: 716ffa7e2ab8e4bfe383c80904f76d91
- SHA1: 5bf25f73bd33d43555da18f200f0ef338b72170a
- SHA256: f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a
- SHA512: c1c557fae4c49c12af1298644a5fc4e9db2f4bbe05080c26f67adfe8a88d54373c56d2b79ba9a2de31108f314833d3001458446e7ef5f1915780b1390631a7f9
- SSDEEP: 196608:plV3EW4TmMdfGxSd8LZ94pgV12JiPgFE96gGzJPihnWW:R3ELTmuaSd8LZ94ZJioFE9bGBiRb
Malware Config
Signatures
- Detects CryptBot payload (1 IoC)
  CryptBot is a C++ stealer distributed widely in bundle with other software.
  Processes:
    resource                                                                        yara_rule
    behavioral1/memory/2716-37-0x0000000069CC0000-0x000000006A377000-memory.dmp   family_cryptbot_v3
- Executes dropped EXE (5 IoCs)
  Processes:
    pid   Process
    2824  VC_redist.x64.exe
    2716  VC_redist.x86.exe
    2168  service123.exe
    808   service123.exe
    1536  service123.exe
- Loads dropped DLL (13 IoCs)
  Processes:
    pid   Process
    2132  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe
    2132  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe
    2132  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe
    2132  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe
    2132  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe
    2132  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe
    2132  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe
    2132  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe
    2716  VC_redist.x86.exe
    2716  VC_redist.x86.exe
    2168  service123.exe
    808   service123.exe
    1536  service123.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  VC_redist.x86.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  VC_redist.x64.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                                   Process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      VC_redist.x86.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  VC_redist.x86.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes:
    description                        pid   Process                                                                  procid_target
    PID 2132 wrote to memory of 2824   2132  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe  30
    PID 2132 wrote to memory of 2824   2132  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe  30
    PID 2132 wrote to memory of 2824   2132  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe  30
    PID 2132 wrote to memory of 2824   2132  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe  30
    PID 2132 wrote to memory of 2824   2132  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe  30
    PID 2132 wrote to memory of 2824   2132  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe  30
    PID 2132 wrote to memory of 2824   2132  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe  30
    PID 2132 wrote to memory of 2716   2132  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe  31
    PID 2132 wrote to memory of 2716   2132  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe  31
    PID 2132 wrote to memory of 2716   2132  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe  31
    PID 2132 wrote to memory of 2716   2132  f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe  31
    PID 2716 wrote to memory of 2168   2716  VC_redist.x86.exe                                                        33
    PID 2716 wrote to memory of 2168   2716  VC_redist.x86.exe                                                        33
    PID 2716 wrote to memory of 2168   2716  VC_redist.x86.exe                                                        33
    PID 2716 wrote to memory of 2168   2716  VC_redist.x86.exe                                                        33
    PID 2716 wrote to memory of 2936   2716  VC_redist.x86.exe                                                        34
    PID 2716 wrote to memory of 2936   2716  VC_redist.x86.exe                                                        34
    PID 2716 wrote to memory of 2936   2716  VC_redist.x86.exe                                                        34
    PID 2716 wrote to memory of 2936   2716  VC_redist.x86.exe                                                        34
    PID 1624 wrote to memory of 808    1624  taskeng.exe                                                              37
    PID 1624 wrote to memory of 808    1624  taskeng.exe                                                              37
    PID 1624 wrote to memory of 808    1624  taskeng.exe                                                              37
    PID 1624 wrote to memory of 808    1624  taskeng.exe                                                              37
    PID 1624 wrote to memory of 1536   1624  taskeng.exe                                                              38
    PID 1624 wrote to memory of 1536   1624  taskeng.exe                                                              38
    PID 1624 wrote to memory of 1536   1624  taskeng.exe                                                              38
    PID 1624 wrote to memory of 1536   1624  taskeng.exe                                                              38
Processes
- C:\Users\Admin\AppData\Local\Temp\f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f147eab77e47eaf9918459999736497adfb050debc66f6aad6df371418acb27a.exe"
  PID: 2132
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe"
    PID: 2824
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe"
    PID: 2716
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Users\Admin\AppData\Local\Temp\service123.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\service123.exe"
      PID: 2168
      - Executes dropped EXE
      - Loads dropped DLL
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
      PID: 2936
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {B7E254FF-6907-4202-ADDC-DF28AF63AC7F} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
  PID: 1624
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\service123.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\/service123.exe
    PID: 808
    - Executes dropped EXE
    - Loads dropped DLL
  - C:\Users\Admin\AppData\Local\Temp\service123.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\/service123.exe
    PID: 1536
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 25.8MB
  MD5: 1f65158f40309a29deb2ce69ee7721c9
  SHA1: 02eea9bf4b759c394562b0489bd3690931be7f39
  SHA256: 5e8b81dbcbb004a2d5de8adb3d781fde6d90b488a8fb4854f5131cde89e949dc
  SHA512: 8f4ee5b643e0d751e4aca3511d4c080941fe0a2c0cad6da91c41ecb5231cce69e796c172080bdc4c30220681510fcceab048662a995d1a37fdd087090e403fd2
- Filesize: 7.3MB
  MD5: 1db6fa87cecb24c09d0e62f6d3e408ce
  SHA1: 7b4e6b91f381150e284f1651067e8cf4744d3ef1
  SHA256: 00591b3b479fcccfb2796ae513e98a7c0bcbaef9842e40342b163cc2118a17d3
  SHA512: 95fb95d641e8c22f91882f940fcbbca69e77dd8217f5cb06d7d757766a6308d9d76cd851052a67b2323d1bd0cc094be61aec76308be735ac89b7dc7c477e9dfc