Analysis

  • max time kernel
    95s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-11-2024 07:41

General

  • Target

    1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe

  • Size

    1.8MB

  • MD5

    f268f8707a3c2a9a2ed4663e60c9cdc0

  • SHA1

    c7ccc88111ad400b1ea72000c3179b1672c440b9

  • SHA256

    1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a

  • SHA512

    2947657f8bf3f9258eb221e348310035c1ee059cc4693864b2e97a531b2a5df08d7c151bf9e5c7b9bb55be7b6309a349323fe548984985e59cb8bca20c0b2b97

  • SSDEEP

    49152:hJlNAYShf3weGZt+chWw5jqOjfKRaLxIbg3Yzj:hJwYGPrGZt+chlLQCxIlv

Malware Config

Signatures

  • CryptBot

    CryptBot is a C++ stealer that is widely distributed bundled with other software.

  • CryptBot payload 3 IoCs
  • Cryptbot family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe
    "C:\Users\Admin\AppData\Local\Temp\1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3924
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < Violenza.xlm
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3440
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^CqkmdjjEEOlhgKWkVPYcnfwRywfbkgpkcVeqBydFDmsMHRGnJZYuMEIjZxzfXOafFYSaIWJPmzSYYfphxQNkdrmQj$" Folle.xlm
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3288
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.com
          Perse.exe.com Z
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4928
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.com
            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.com Z
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            PID:4120
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 30
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4596

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disconosci.xlm

    Filesize

    829KB

    MD5

    47a97b0be63ac1f3bacea1e6f1252414

    SHA1

    780ed9c620ab57fdd4128c415c8ce5a871bb7e91

    SHA256

    d1ca88afce9adccd5a856c6ebe3f939633e43e69fef6554d8009ab5e58ef6172

    SHA512

    6f3945988dc05e0777f0ccda2c97fda5d1b6ec964b4d355258434dd488536a8f49eac445c63643c9c5a612557f2a6ae6c4d74d5c73981ef9d48574250b3a314c

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Folle.xlm

    Filesize

    872KB

    MD5

    8eed5811e1194fc2cca2a5c05ec04875

    SHA1

    42f36d12872242b859a61efb432d5907e16c275f

    SHA256

    2498de94ef57fc7b9e65a3c5768cc96883d3ed263b69c1c1ab609956fa74418f

    SHA512

    826cb4ec2215e4241617e13e584ef288b1f6252e6bc956567db83136f2aecdf1bb1aad71391a9476461e257a5ed9ad74e4437cf75f561239bee3462ef6765af5

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mondo.xlm

    Filesize

    725KB

    MD5

    c23f6997c92075f624a8ff943a52a4d1

    SHA1

    d6217f1e58bce99f5456b722b6d9ecc53f2f204c

    SHA256

    0492d29054f1e924e85738b3518d14f34daea68e4916cd44c6d938be9efde7f9

    SHA512

    ac8f7bd986d81c522976bd75eb479ed3d0821da5a5e009ccb98481834fc9695afe5bafb4702b22fb3062c602e1b790c1a626bac34ec9f71db028743622075991

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.com

    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Violenza.xlm

    Filesize

    443B

    MD5

    9efd882674409221ea08ee263d3bbefb

    SHA1

    ab08b0c74dd9e12dff755392248d4b8163d51958

    SHA256

    039d5b6b3f5b6d2f8cf11cf47e9597a881d12935d7a5bb5c806a3dfd390f0091

    SHA512

    8c14b5ab47aa1e64827fe0d1d43b1b5c16c705067c5333dcf21637a00f10b4ea72c5390361955ade298656f5bb3169957b725eaded3b13c8be9a463e1deac37c

  • memory/4120-21-0x0000000004360000-0x0000000004435000-memory.dmp

    Filesize

    852KB

  • memory/4120-22-0x0000000004360000-0x0000000004435000-memory.dmp

    Filesize

    852KB

  • memory/4120-23-0x0000000004360000-0x0000000004435000-memory.dmp

    Filesize

    852KB

  • memory/4120-24-0x0000000004360000-0x0000000004435000-memory.dmp

    Filesize

    852KB

  • memory/4120-25-0x0000000004360000-0x0000000004435000-memory.dmp

    Filesize

    852KB

  • memory/4120-26-0x0000000004360000-0x0000000004435000-memory.dmp

    Filesize

    852KB