Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-11-2024 06:43

General

  • Target

    253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe

  • Size

    583KB

  • MD5

    004f3bd262190bd79a6a90744be507c9

  • SHA1

    069a52de16b7f52f7de55cee23689212a0695736

  • SHA256

    253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a

  • SHA512

    64004a74065783d888066660f77a216dbb0c23f6a1b319ea66410fcd19aa13c82a79386f83e220ea53a2458d6a64aba4ea3453d137fa55fd236b1d7c2ae2c4b9

  • SSDEEP

    12288:5NRddvGBjE0F4OQkviP2k4eE3TRVROKDsH6Bx4BO7aG:nRcAvOQgwYzO6Qlya

Malware Config

Extracted

Family

cryptbot

C2

basessrn17.top

Attributes
  • payload_url

    http://dfgggloadt11.top/download.php?file=lv.exe

Signatures

  • CryptBot

    CryptBot is a C++ stealer that is widely distributed in bundles with other software.

  • CryptBot payload 5 IoCs
  • Cryptbot family
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 1 IoCs

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe
    "C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe"
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    PID:4020

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt

    Filesize

    1KB

    MD5

    4ae55559cad102385dda060c2d981e2a

    SHA1

    2000dfac7ac9f32b932aa0ae764391c647420e7b

    SHA256

    6d050e6b7d4ff70a9693d972cdaa959a00e7f4f4ce1b2d8ae0f58061c687846b

    SHA512

    06605fc8dd8a51c2f252edbf058c29a7b42e6a446069fd332671742413ecda013b96de3062c7c8e1ba4121691c8f6185131018d672d3e192813087bbbdad4975

  • C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt

    Filesize

    1KB

    MD5

    630b6add90911ca328640c68dfc2e36d

    SHA1

    0ce9facc0ccb37901f96e1a20c6955dc7997d019

    SHA256

    6c9781064642ede95f0112ed15e8a91378c862f9e0b6a4381e7d4b3b12f249a3

    SHA512

    b2ad2b35da0ef89c992f014682df7d5a4a9cf363dcf625dc1611418566201ee083fb082c4ece7403538cef145e3e7647aa1da801499632c8b3d5007e5d8cbcc3

  • C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt

    Filesize

    7KB

    MD5

    3fe2c0481e0d417eec5ca141b97f75d7

    SHA1

    37f522b1849b333000dc32b44e5171f4571154c3

    SHA256

    d4ac0fbc0e1c0f93c0f648a1e9cc82a7fcc981bb01ead846d323d1f632ff32ac

    SHA512

    d6b20002b762958e1d2c10d29284cbd4873a17a30e57eec4c8de8651cd9bf23a24191d67bfaec314e4ae867d62ccb8db90a4133bd4c408eeb91aa15d8f4b0cca

  • C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Screen_Desktop.jpeg

    Filesize

    46KB

    MD5

    937a08bdbad1b0756ff169cf99b0fad1

    SHA1

    bd2b00ce406c8b42a1ba9dda4574d33de2b1bc68

    SHA256

    22dab6a07f2981561a63b28cd38707f5b3946100a888a42fafbea67460741681

    SHA512

    db8e480c83fa251fcada152b8a0ac77df22c700c9c6a3f45293d721ffb5cde1b9bd421724506910a397066534c5938b2372c2064bf7056a8d96a4d1da1743aef

  • C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\exUqUje1EIF.zip

    Filesize

    40KB

    MD5

    8de88e8d9f16a4bd681bf4aedd208aa4

    SHA1

    9a5478d2fd7237f68dbe3fc5456c058ad197be8e

    SHA256

    2089ad11cc2ee99809a63450611ed878fa5ea582ef7d735ef4d2882bfbc0873e

    SHA512

    1a937906dbb86bbdf42eb7d79bd28c2fc70dd4c6b10e5841563317414fc94955c06599d812759ab344a237554cbc7b5cbb3ee2bbdba7a7d2425d894990e63fe3

  • C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt

    Filesize

    3KB

    MD5

    d5fe614c40a2e75e74fdd7aecbc400db

    SHA1

    2d1d6710964f3253dad143eda303a63750b4157d

    SHA256

    e8803fb3ee4311276b4f9a6bd7b050fb540969765da15e0d6cd7993ea1b7bd3d

    SHA512

    c1a3ee1a75a7fe15f15a9e7db10b48570eb5cfccf85909c2ee3aba1b9fba6b50c377a1782d49148182821e8f40bcc84d99a5ea3d5d11e5f9af132b0288e9ab42

  • C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt

    Filesize

    4KB

    MD5

    8ee2dd478c09b1849ba8a43d72f3982e

    SHA1

    d56506c99664dfb6042f0c01dcaf74a97d656143

    SHA256

    c984d2a20376dedd04f11ae1d76dd82f3ae0e1ae75a7b62796d4b33732b07ed1

    SHA512

    44b34e0ff048a7592f124e7addfae8045591616e3efd1bdcb616341c069bbd04c033d6b3cdef31f991fb960fe662c446d49a12466f7b395c3fc43d380359bf89

  • C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt

    Filesize

    5KB

    MD5

    269a6974de4f24c645e419845d8d0724

    SHA1

    a9ce214e6b46d69a2a6ee658c61fb621d8d40da2

    SHA256

    2e9d4aef672af71b239c82f345b0a13e87b72c47ea2a552e7cdb3d913ee8d0d0

    SHA512

    15e0e42a356ba47297e392f212e348a0ed5f53a441db8effe465f6bc3d68ac623e7bfd4371c783bdf75595e21ce38bcd508cbabecdb67f527860ec54ccb75ad3

  • C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\ubMtZf6KK.zip

    Filesize

    40KB

    MD5

    6602dd0c07e4f7b9e2afd805dd6f5db7

    SHA1

    f62865ab53a187f778f0eb7eab9c8988706f12dd

    SHA256

    63ff5d141ee8611f8f95e012c8578507b8bae360882c83752c5b503aba2ddaf4

    SHA512

    20d7e0c8694814f5871891cdcaa1c7819dca2c2dfa98c98ecf4a9df14a8a926e1574c386407370f52cb7295c3b4bfab6ad60951b99963d39efa0a2c061756442

  • memory/4020-4-0x0000000000400000-0x00000000051B5000-memory.dmp

    Filesize

    77.7MB

  • memory/4020-1-0x0000000000400000-0x00000000051B5000-memory.dmp

    Filesize

    77.7MB

  • memory/4020-3-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/4020-219-0x0000000000400000-0x00000000051B5000-memory.dmp

    Filesize

    77.7MB

  • memory/4020-221-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

  • memory/4020-2-0x0000000005650000-0x00000000056F0000-memory.dmp

    Filesize

    640KB