Overview

overview

10

Static

static

3

4363463463...2).exe

windows7-x64

10

4363463463...2).exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-10-2024 19:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4363463463464363463463463.exe(2).exe

  • Size

    10KB

  • MD5

    2a94f3960c58c6e70826495f76d00b85

  • SHA1

    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

  • SHA256

    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

  • SHA512

    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

  • SSDEEP

    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score
10/10
cryptbotdeerstealerdiscoveryspywarestealerupx

Malware Config

Extracted

Family

cryptbot

C2

fivexc5pt.top

analforeverlovyu.top
Attributes
  • url_path

    /v1/upload.php

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Cryptbot family
    cryptbot
  • DeerStealer 13 IoCs

    Detects DeerStealer malware - JaffaCakes118.

    stealer
  • Deerstealer family
    deerstealer
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe(2).exe
    "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe(2).exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Users\Admin\AppData\Local\Temp\Files\aaa.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\aaa.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im FLiNGTrainerUpdater.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4824
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im FLiNGTrainer.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:392
    • C:\Users\Admin\AppData\Local\Temp\Files\spofrln.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\spofrln.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:4040
    • C:\Users\Admin\AppData\Local\Temp\Files\Setup2.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Setup2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      PID:432
    • C:\Users\Admin\AppData\Local\Temp\Files\Team.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Team.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2404
    • C:\Users\Admin\AppData\Local\Temp\Files\wget.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\wget.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4624
    • C:\Users\Admin\AppData\Local\Temp\Files\KB824105-x86-ENU.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\KB824105-x86-ENU.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3964
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c net use
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5068
        • C:\Windows\SysWOW64\net.exe
          net use
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3576
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Files\KB824105-x86-ENU.exe
    Filesize

    214KB

    MD5

    70bd663276c9498dca435d8e8daa8729

    SHA1

    9350c1c65d8584ad39b04f6f50154dd8c476c5b4

    SHA256

    909984d4f2202d99d247b645c2089b014a835d5fe138ccd868a7fc87000d5ba1

    SHA512

    03323ffe850955b46563d735a97f926fdf435afc00ddf8475d7ab277a92e9276ab0b5e82c38d5633d6e9958b147c188348e93aa55fb4f10c6a6725b49234f47f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Files\Setup2.exe
    Filesize

    6.3MB

    MD5

    37263ede84012177cab167dc23457074

    SHA1

    5905e3b2db8ff152a7f43f339c053e1d43b44dfc

    SHA256

    9afd9e70b6f166cfc6de30e206dff5963073a6faeff5bcc93ee131df79894fc2

    SHA512

    6b08af27c18fcaadcdc72af7e17cf9fe856526eab783ed9eb9420cf44fd85bf8a263c88d0f98bc367156bc01d61c6e0c8d098246760b20ed57efae292b68fe7e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Files\Team.exe
    Filesize

    12.0MB

    MD5

    ed70e5d82d1df62bb07a6c57c6e8d4ed

    SHA1

    73abd9b0af7b27a3ff0d109d896837f308070ff4

    SHA256

    daf28c33a9cb1d8186fc2bf78613cf4131941812e081facc2ad7d29f4af10808

    SHA512

    d355c525c671a5b239b187ee2c81cb1a2de8abf88e1705954c5c101d86729c0978f30ebe80fa1c4b148ba4076e4cab970433256eb56dff36cba99f1d96e1f76b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Files\aaa.exe
    Filesize

    2.1MB

    MD5

    8a2dc89841d6446317ecaab55c854bff

    SHA1

    9852e4ef42da54ea8f399946eefdc20df14299d3

    SHA256

    324cf60dacf248b91cda9793b5eba4fa3ce312fdaf99a20d721f515231b0357e

    SHA512

    28eeaf891e79051bdd4f55e34309992ccd45ff550ba4e5255d787614c43330f0f1881a7304c64709ff5973293e91934669cc4bfb63145649754064e825cf52e5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Files\spofrln.exe
    Filesize

    37KB

    MD5

    fdf0546d58297a6e51596876a12239b8

    SHA1

    e3a107f3f5a3d42548a1be0e8a23fc24206f70e5

    SHA256

    f224346929620555fc8ffea8a7814cccd5073434c3607583e4e87414cb599352

    SHA512

    56ab06704bb457c332afb7ea0703c826c1bf94dcc83912d8478d9b81d67e7e3eaffe25ba8883df39fb9ee3c0b0644b87cd0970274a6fc1717fa620af9e9deac7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Files\wget.exe
    Filesize

    392KB

    MD5

    bd126a7b59d5d1f97ba89a3e71425731

    SHA1

    457b1cd985ed07baffd8c66ff40e9c1b6da93753

    SHA256

    a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

    SHA512

    3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\System.dll
    Filesize

    10KB

    MD5

    b0a81b7b1bd6bbfe15e609df42791d22

    SHA1

    1b6f6726740b02aafdbe19cdc7b9dc5a2fdc4f75

    SHA256

    f9c47cf365f3607bc9abbce76839d02e6309a0d4389f1d2e0efb8d01e32459e9

    SHA512

    e105e7a3d4a908e59a8c8ab480d228bc4106e93f7fb833e6a5dea5ee0f2757c8617bda181324a059568d4b4c0b72b8628e60cf520c4f1b282305dbb34b5da194

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\nsExec.dll
    Filesize

    6KB

    MD5

    2fd10d2f8ae885cc7e34ff21703aef6c

    SHA1

    7a1862a0240684a423c2d988557ab5b306af85e1

    SHA256

    e0959b690f25160d590cfd7e2467bb9ce7e9d959663e7e203f502dce5246507d

    SHA512

    fde884c9e988dd04a0e6b1e14b295e911b3d835ca92ed1a7a4c8bdc05326446092d17f75013a4ec9dc3e05cb351fd42b87d9ed96df70d0d5e4c9048f5fb5a546

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nscFDE9.tmp\nsInstall.dll
    Filesize

    3.9MB

    MD5

    b0226b0a6420641a1ad20bd264ef0773

    SHA1

    d98ac9b823923991dad7c5bee33e87132616a5be

    SHA256

    77b9de16e105274d91379597dded837027a669d244138d7ca08274d89cf5fe43

    SHA512

    bdd25200b2c81eceba4206a404c58b15317f16fc748978848eb22a0db41e94153324915d0942277fccc490956b63bee5c148363f5982899e0a6a447531d212e8

    Download Submit

  • memory/432-68-0x0000000000400000-0x000000000106A000-memory.dmp

    Filesize

    12.4MB

    Download

  • memory/2404-104-0x0000000140000000-0x000000014028D000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2404-102-0x0000000140000000-0x000000014028D000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2404-115-0x0000000140000000-0x000000014028D000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2404-114-0x0000000000400000-0x0000000001018000-memory.dmp

    Filesize

    12.1MB

    Download

  • memory/2404-107-0x0000000140000000-0x000000014028D000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2404-98-0x0000000140000000-0x000000014028D000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2404-100-0x0000000140000000-0x000000014028D000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2404-101-0x0000000140000000-0x000000014028D000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2404-103-0x0000000140000000-0x000000014028D000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2404-127-0x0000000140000000-0x000000014028D000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2404-135-0x0000000140000000-0x000000014028D000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2404-92-0x0000000140000000-0x000000014028D000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2404-99-0x0000000140000000-0x000000014028D000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2404-105-0x0000000140000000-0x000000014028D000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/3964-161-0x0000000007F60000-0x000000000848C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3964-160-0x0000000004D40000-0x0000000004D4A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3964-159-0x0000000004BB0000-0x0000000004C42000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3964-158-0x0000000005160000-0x0000000005704000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3964-157-0x00000000002E0000-0x000000000031C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4040-42-0x000000006FBE0000-0x0000000070191000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4040-40-0x000000006FBE2000-0x000000006FBE3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4040-59-0x000000006FBE0000-0x0000000070191000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4040-43-0x000000006FBE0000-0x0000000070191000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4624-91-0x0000000000400000-0x00000000004EF000-memory.dmp

    Filesize

    956KB

    Download

  • memory/4624-88-0x0000000000400000-0x00000000004EF000-memory.dmp

    Filesize

    956KB

    Download

  • memory/4672-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4672-41-0x0000000074CA0000-0x0000000075450000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4672-39-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4672-3-0x0000000074CA0000-0x0000000075450000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4672-2-0x00000000053C0000-0x000000000545C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4672-1-0x0000000000A20000-0x0000000000A28000-memory.dmp

    Filesize

    32KB

    Download