Analysis
max time kernel: 141s
max time network: 151s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-11-2024 01:53
Static task: static1
Behavioral task: behavioral1
Sample: 5e8e38f8b153083db2940a4a7e169f3118880ae012c12e87a7a976060d0b1b52.exe
Resource: win7-20240903-en
General
Target: 5e8e38f8b153083db2940a4a7e169f3118880ae012c12e87a7a976060d0b1b52.exe
Size: 4.2MB
MD5: f1aefbe49a406f12313f1c56deb2e3cd
SHA1: 182c4978fd940c4d7f504fe985477fe0512cf1f9
SHA256: 5e8e38f8b153083db2940a4a7e169f3118880ae012c12e87a7a976060d0b1b52
SHA512: 69e0f083e93b3c0a5ee153e4c6b89cb50bc5bbc4fc9c589606856de518e5705d54219f5e0fda01a6b9d53e03ab76836d335bc3d4a47047590438abd51c36ef78
SSDEEP: 98304:4otD52k8suSvvYB9QkFhQ1wl+iuIW9sjOE9hr0bTBB98:4oSkld4bQkF6Cl+Vh09hrkBBC
Malware Config
Signatures

Cryptbot family

Detects CryptBot payload (1 IoCs)
CryptBot is a C++ stealer distributed widely in bundle with other software.
Processes:
resource | yara_rule
behavioral1/memory/2496-23-0x0000000069CC0000-0x000000006A71B000-memory.dmp | family_cryptbot_v3

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 5e8e38f8b153083db2940a4a7e169f3118880ae012c12e87a7a976060d0b1b52.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5e8e38f8b153083db2940a4a7e169f3118880ae012c12e87a7a976060d0b1b52.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5e8e38f8b153083db2940a4a7e169f3118880ae012c12e87a7a976060d0b1b52.exe

Identifies Wine through registry keys (2 TTPs, 1 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine | 5e8e38f8b153083db2940a4a7e169f3118880ae012c12e87a7a976060d0b1b52.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes:
pid | Process
2496 | 5e8e38f8b153083db2940a4a7e169f3118880ae012c12e87a7a976060d0b1b52.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5e8e38f8b153083db2940a4a7e169f3118880ae012c12e87a7a976060d0b1b52.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 5e8e38f8b153083db2940a4a7e169f3118880ae012c12e87a7a976060d0b1b52.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 5e8e38f8b153083db2940a4a7e169f3118880ae012c12e87a7a976060d0b1b52.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
pid | Process
2496 | 5e8e38f8b153083db2940a4a7e169f3118880ae012c12e87a7a976060d0b1b52.exe
Processes

Path: C:\Users\Admin\AppData\Local\Temp\5e8e38f8b153083db2940a4a7e169f3118880ae012c12e87a7a976060d0b1b52.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5e8e38f8b153083db2940a4a7e169f3118880ae012c12e87a7a976060d0b1b52.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID: 2496
Network

MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores (1)
  Credentials from Web Browsers (1)
Unsecured Credentials (1)
  Credentials In Files (1)