Overview
overview
10Static
static
1006ffb7bbd7...da3906
ubuntu-18.04-amd64
06ffb7bbd7...da3906
debian-9-armhf
06ffb7bbd7...da3906
debian-9-mips
06ffb7bbd7...da3906
debian-9-mipsel
154080c584...95.msi
windows7-x64
6154080c584...95.msi
windows10-2004-x64
1650ced30c...c5.exe
windows7-x64
1650ced30c...c5.exe
windows10-2004-x64
1a70a7de8a...4a.exe
windows7-x64
101a70a7de8a...4a.exe
windows10-2004-x64
10ISSUES INV....1.exe
windows7-x64
10ISSUES INV....1.exe
windows10-2004-x64
10350fbd43ce...ed.exe
windows7-x64
350fbd43ce...ed.exe
windows10-2004-x64
44faf11719...12.exe
windows7-x64
144faf11719...12.exe
windows10-2004-x64
14853dc09bb...6.html
windows7-x64
34853dc09bb...6.html
windows10-2004-x64
34ba637df90...3f4a9e
ubuntu-22.04-amd64
14f8c1840d6...92df06
ubuntu-22.04-amd64
1623534bf15...72.vbs
windows7-x64
10623534bf15...72.vbs
windows10-2004-x64
1065df637db2...00083b
ubuntu-22.04-amd64
1717ad3ee2b...47.dll
windows7-x64
10717ad3ee2b...47.dll
windows10-2004-x64
1071ba20bdd8...99.pps
windows7-x64
1071ba20bdd8...99.pps
windows10-2004-x64
107696fa9654...4f.exe
windows7-x64
37696fa9654...4f.exe
windows10-2004-x64
389ab99f572...b8.exe
windows7-x64
189ab99f572...b8.exe
windows10-2004-x64
18bcc9ea07a...a8.dll
windows7-x64
3Analysis
-
max time kernel
95s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-11-2024 07:41
Behavioral task
behavioral1
Sample
06ffb7bbd7dd6a47bd3fdb77f86e2bc3b3a9d0112496eed24f75581164da3906
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
06ffb7bbd7dd6a47bd3fdb77f86e2bc3b3a9d0112496eed24f75581164da3906
Resource
debian9-armhf-20240418-en
Behavioral task
behavioral3
Sample
06ffb7bbd7dd6a47bd3fdb77f86e2bc3b3a9d0112496eed24f75581164da3906
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
06ffb7bbd7dd6a47bd3fdb77f86e2bc3b3a9d0112496eed24f75581164da3906
Resource
debian9-mipsel-20240729-en
Behavioral task
behavioral5
Sample
154080c5844ed76332320fcf3f1773391d80200f18f9025fd05b55b86f8ff795.msi
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
154080c5844ed76332320fcf3f1773391d80200f18f9025fd05b55b86f8ff795.msi
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
1650ced30cfb68451bb432b44f72fa93687d95d83f70fa039658d8cb665508c5.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
1650ced30cfb68451bb432b44f72fa93687d95d83f70fa039658d8cb665508c5.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
ISSUES INVOICE E-4136 REV.1.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
ISSUES INVOICE E-4136 REV.1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
350fbd43ce6f7d1d3d636aa5b94187d4dcc8e866527cfdc9c9ce226aea3500ed.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
350fbd43ce6f7d1d3d636aa5b94187d4dcc8e866527cfdc9c9ce226aea3500ed.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
44faf11719b3a679e7a6dd5db40033ec4dd6e1b0361c145b81586cb735a64112.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
44faf11719b3a679e7a6dd5db40033ec4dd6e1b0361c145b81586cb735a64112.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
4853dc09bbd4a61610a354d5fcd0f9e376e284124c5ff949ba49457eed1f55f6.html
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
4853dc09bbd4a61610a354d5fcd0f9e376e284124c5ff949ba49457eed1f55f6.html
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
4ba637df90076330cdace697a87aafc6dd1d1b3a35b4ad924aad80aa7c3f4a9e
Resource
ubuntu2204-amd64-20240611-en
Behavioral task
behavioral20
Sample
4f8c1840d692d8248f3b7cb478acfbb7e65bdeecd64790a163eaa0db5592df06
Resource
ubuntu2204-amd64-20240522.1-en
Behavioral task
behavioral21
Sample
623534bf150f2538edb27e51ed56b92f464adb5da8e2db378ec3a666fcb64772.vbs
Resource
win7-20241023-en
Behavioral task
behavioral22
Sample
623534bf150f2538edb27e51ed56b92f464adb5da8e2db378ec3a666fcb64772.vbs
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
65df637db227ff1685bdf82ab676de4ed70bffd4c96e6cde70d575217700083b
Resource
ubuntu2204-amd64-20240729-en
Behavioral task
behavioral24
Sample
717ad3ee2b9ae94aac5bd01bce9bb945d8c620e3a60f241864dede3646f3dd47.dll
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
717ad3ee2b9ae94aac5bd01bce9bb945d8c620e3a60f241864dede3646f3dd47.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral26
Sample
71ba20bdd899fde2a4e2967bc6c719f2c96146cc80c3dd8953431cb82d4df199.pps
Resource
win7-20240903-en
Behavioral task
behavioral27
Sample
71ba20bdd899fde2a4e2967bc6c719f2c96146cc80c3dd8953431cb82d4df199.pps
Resource
win10v2004-20241007-en
Behavioral task
behavioral28
Sample
7696fa96542ff737b9eb4152fb3e2c0c04c5972d724d93efe7666fb4b7038f4f.exe
Resource
win7-20241010-en
Behavioral task
behavioral29
Sample
7696fa96542ff737b9eb4152fb3e2c0c04c5972d724d93efe7666fb4b7038f4f.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral30
Sample
89ab99f5721b691e5513f4192e7c96eb0981ddb6c2d2b94c1a32e2df896397b8.exe
Resource
win7-20240903-en
Behavioral task
behavioral31
Sample
89ab99f5721b691e5513f4192e7c96eb0981ddb6c2d2b94c1a32e2df896397b8.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral32
Sample
8bcc9ea07aa49b1c774327cb2fffaea269806805538b40aa8b7d2a89b8cfbca8.dll
Resource
win7-20241010-en
General
-
Target
1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe
-
Size
1.8MB
-
MD5
f268f8707a3c2a9a2ed4663e60c9cdc0
-
SHA1
c7ccc88111ad400b1ea72000c3179b1672c440b9
-
SHA256
1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a
-
SHA512
2947657f8bf3f9258eb221e348310035c1ee059cc4693864b2e97a531b2a5df08d7c151bf9e5c7b9bb55be7b6309a349323fe548984985e59cb8bca20c0b2b97
-
SSDEEP
49152:hJlNAYShf3weGZt+chWw5jqOjfKRaLxIbg3Yzj:hJwYGPrGZt+chlLQCxIlv
Malware Config
Signatures
-
CryptBot payload 3 IoCs
Processes:
resource yara_rule behavioral10/memory/4120-24-0x0000000004360000-0x0000000004435000-memory.dmp family_cryptbot behavioral10/memory/4120-25-0x0000000004360000-0x0000000004435000-memory.dmp family_cryptbot behavioral10/memory/4120-26-0x0000000004360000-0x0000000004435000-memory.dmp family_cryptbot -
Cryptbot family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe -
Executes dropped EXE 2 IoCs
Processes:
Perse.exe.comPerse.exe.compid process 4928 Perse.exe.com 4120 Perse.exe.com -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
cmd.exefindstr.exePerse.exe.comPING.EXEPerse.exe.com1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.execmd.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Perse.exe.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Perse.exe.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Perse.exe.comdescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Perse.exe.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Perse.exe.com -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.execmd.execmd.exePerse.exe.comdescription pid process target process PID 3924 wrote to memory of 3552 3924 1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe cmd.exe PID 3924 wrote to memory of 3552 3924 1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe cmd.exe PID 3924 wrote to memory of 3552 3924 1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe cmd.exe PID 3552 wrote to memory of 3440 3552 cmd.exe cmd.exe PID 3552 wrote to memory of 3440 3552 cmd.exe cmd.exe PID 3552 wrote to memory of 3440 3552 cmd.exe cmd.exe PID 3440 wrote to memory of 3288 3440 cmd.exe findstr.exe PID 3440 wrote to memory of 3288 3440 cmd.exe findstr.exe PID 3440 wrote to memory of 3288 3440 cmd.exe findstr.exe PID 3440 wrote to memory of 4928 3440 cmd.exe Perse.exe.com PID 3440 wrote to memory of 4928 3440 cmd.exe Perse.exe.com PID 3440 wrote to memory of 4928 3440 cmd.exe Perse.exe.com PID 3440 wrote to memory of 4596 3440 cmd.exe PING.EXE PID 3440 wrote to memory of 4596 3440 cmd.exe PING.EXE PID 3440 wrote to memory of 4596 3440 cmd.exe PING.EXE PID 4928 wrote to memory of 4120 4928 Perse.exe.com Perse.exe.com PID 4928 wrote to memory of 4120 4928 Perse.exe.com Perse.exe.com PID 4928 wrote to memory of 4120 4928 Perse.exe.com Perse.exe.com
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe"C:\Users\Admin\AppData\Local\Temp\1a70a7de8a393638b80336e9d2b225c2fd199d9d3eed3ad2c007656cc20c2b4a.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Violenza.xlm2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\SysWOW64\cmd.execmd3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^CqkmdjjEEOlhgKWkVPYcnfwRywfbkgpkcVeqBydFDmsMHRGnJZYuMEIjZxzfXOafFYSaIWJPmzSYYfphxQNkdrmQj$" Folle.xlm4⤵
- System Location Discovery: System Language Discovery
PID:3288
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.comPerse.exe.com Z4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Perse.exe.com Z5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:4120
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 304⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4596
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
829KB
MD547a97b0be63ac1f3bacea1e6f1252414
SHA1780ed9c620ab57fdd4128c415c8ce5a871bb7e91
SHA256d1ca88afce9adccd5a856c6ebe3f939633e43e69fef6554d8009ab5e58ef6172
SHA5126f3945988dc05e0777f0ccda2c97fda5d1b6ec964b4d355258434dd488536a8f49eac445c63643c9c5a612557f2a6ae6c4d74d5c73981ef9d48574250b3a314c
-
Filesize
872KB
MD58eed5811e1194fc2cca2a5c05ec04875
SHA142f36d12872242b859a61efb432d5907e16c275f
SHA2562498de94ef57fc7b9e65a3c5768cc96883d3ed263b69c1c1ab609956fa74418f
SHA512826cb4ec2215e4241617e13e584ef288b1f6252e6bc956567db83136f2aecdf1bb1aad71391a9476461e257a5ed9ad74e4437cf75f561239bee3462ef6765af5
-
Filesize
725KB
MD5c23f6997c92075f624a8ff943a52a4d1
SHA1d6217f1e58bce99f5456b722b6d9ecc53f2f204c
SHA2560492d29054f1e924e85738b3518d14f34daea68e4916cd44c6d938be9efde7f9
SHA512ac8f7bd986d81c522976bd75eb479ed3d0821da5a5e009ccb98481834fc9695afe5bafb4702b22fb3062c602e1b790c1a626bac34ec9f71db028743622075991
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
443B
MD59efd882674409221ea08ee263d3bbefb
SHA1ab08b0c74dd9e12dff755392248d4b8163d51958
SHA256039d5b6b3f5b6d2f8cf11cf47e9597a881d12935d7a5bb5c806a3dfd390f0091
SHA5128c14b5ab47aa1e64827fe0d1d43b1b5c16c705067c5333dcf21637a00f10b4ea72c5390361955ade298656f5bb3169957b725eaded3b13c8be9a463e1deac37c