Analysis

  • max time kernel
    93s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-12-2024 01:41

General

  • Target

    setup_x86_x64_install (15).exe

  • Size

    1.8MB

  • MD5

    961ed865e49001eab634e7f1d49d4865

  • SHA1

    ac28f77d1b75703518ebf6df8cdafa77da9a08aa

  • SHA256

    00bea63783ba58ffe8a63b70aa5c4c019491bed0a92ed17148836409ab7e5cc1

  • SHA512

    8d13430e0fd68959239475082822a11e681f3923471ba0cbb7bf906da86fc940b19a1e81e2a1494deee5b6fe08da8bc6ab715dcd08edb5a4f9755e39a4bbdd4a

  • SSDEEP

    24576:L3hOb1cU1l+aHBs8D3tCXG5IfsvYAPzTvW/SWlWIPqz0beYU2Z5gsUtR/VUTUb3/:LxOpmX70uDMQDU/FVUTURHinXuaa

Malware Config

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

  • CryptBot payload 3 IoCs
  • Cryptbot family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (15).exe
    "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (15).exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < Sommesso.ppt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4444
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^ZOQsXtAtHxdyuhsSoVBajbWjbeoOEYrTNLMLtwdlZxVnlJckSKVqpClCSEUVWLmIsbsxAFNuFdaSBbwNGXVTeeJkApTAicggUhuNawKhWPcSpaw$" Apparenze.ppt
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1972
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
          Pensieroso.exe.com N
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1044
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com N
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:760
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\DoRlUbXdN & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2064
              • C:\Windows\SysWOW64\timeout.exe
                timeout 3
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:1800
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 30
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4148

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Apparenze.ppt

    Filesize

    872KB

    MD5

    2caf8e89e6a05bb30057c7c470fdf260

    SHA1

    edb048d2d92046e97b2f991e9dbec16247ee5d8c

    SHA256

    492fcd3db49355cefd9c23e78d0a3c3082037f4d2e6ccaff65c81273255a22e8

    SHA512

    4f0e0f11c989f4030c77e274e919cb10a4b93283591d2e79f8ff4d3d44c0384dead702804abe221b54b32c8eeaa6be845e0d59cac336f6cf9256c95ae3469f3a

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ingranditi.ppt

    Filesize

    663KB

    MD5

    9fef53ec7afd145869f53138338e189f

    SHA1

    17d26e52ca0cb3de7083b5737f7b2a84a483b462

    SHA256

    e2cce7b050bc38ea22285645f3953ea3f9ea7dab11b94da0612ebace7f59eb09

    SHA512

    b434b0839269cdc32edb0aa94b570de2e19761feb0460be7fbbc5ef2250adc09ab138c1a0ab591b89dee06957c3559dbc69af156fa560c30c19d1509be8bbaa4

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Isola.ppt

    Filesize

    894KB

    MD5

    0d1cb8e6cc1623b8a86ecabd84613e0e

    SHA1

    353b60c29f0fb219f6b1f49b112038912ec040c8

    SHA256

    05ebdcbe3983b1f87e69ffcdab45a2692e0248bb6beccbaeebacad4fb1d72bc4

    SHA512

    0af070ec9d3dcac2103f6d259b3d847303c0c14d245f3f6d8a86f81f233fad3048632c8cf43f93d3f53dca974a0ff0a61732686471a24df5d391c025757eda38

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com

    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sommesso.ppt

    Filesize

    325B

    MD5

    1b4d94eb8f5923f889afcbe5caddd449

    SHA1

    c613c7cfe6db911b07760a7767492de829cd37e7

    SHA256

    812f3d792ef7a99472b2aff8ee37c09218aed327036292cea950f27981071885

    SHA512

    6b4f3b1c3afc5acc8252746ea02eb59f1dd5d314439ea86097f3c0144aa13f2b955c77aa1d980a93f2e342393258d3943f14ca7708f303195b66f1fb5cd24c88

  • C:\Users\Admin\AppData\Local\Temp\DoRlUbXdN\IXGMSR~1.ZIP

    Filesize

    40KB

    MD5

    2be7fb0c4e90a900569d65143b4032f5

    SHA1

    a743ee3385b3ed2c32ddd9def850d0d962e3a9d9

    SHA256

    398e6095d32f9ec973e2058fa1721a6ff90b04b9e12834874f965f7517199c51

    SHA512

    8a50f41fb3604d65a8f5326b475f9d50d915e029ba8e50c68325b686451c33c3226f67c7995eec44ba6253973178e0751eda9386448880b25f200b7708380283

  • C:\Users\Admin\AppData\Local\Temp\DoRlUbXdN\OQDKSO~1.ZIP

    Filesize

    40KB

    MD5

    ce4814ec30a1ea94237d6cafc95b8dac

    SHA1

    88a580da2b36edd3f54c35b8d38f7fb120088fa1

    SHA256

    015d1252f1fbb45a013b63e609a342b7c2fc0b465b725822387bb4005897df69

    SHA512

    c605b5766c2606e3f520935f1b51ff4a0ea25743c0d2c88592b481beafb56b6eadf26b5691d323f45657b560a5fbab305db21a41bef0265c65e217828d82dcaa

  • C:\Users\Admin\AppData\Local\Temp\DoRlUbXdN\_Files\_INFOR~1.TXT

    Filesize

    7KB

    MD5

    c031f0ea96f87bc11dd701e50e445ef8

    SHA1

    2d3b59c37bd11bc0208baa0e8ed66d06fedc114c

    SHA256

    40544db964db2dd60ce68eb54c0ff30915790140dce5a6f72e972710c10a5eb1

    SHA512

    524e7c33b8e599c46d262f100751d9b140b4a82699d4a23d1ce73186bbb787f320d853bb8bccc8962288dc565344c80d2417a9e16bcabc5984ad6141a1523a44

  • C:\Users\Admin\AppData\Local\Temp\DoRlUbXdN\_Files\_Information.txt

    Filesize

    1KB

    MD5

    44023d131e2530e51c3f520eb943c57c

    SHA1

    592546c0ff33ea443cd9a43ae6837c0f91c54b7a

    SHA256

    af16668448b4138dc4361bd4d307025e956655cdcf30fa9419d3c890ba6d80ec

    SHA512

    c70adf1a6eb94750c10db8104c1d4d524a0d735a2ea053e692a29d1cbc6d635ca9782cc018ca077f53814011ca7c7d6505a9f15e87403cd1cc091a2635fa5b57

  • C:\Users\Admin\AppData\Local\Temp\DoRlUbXdN\_Files\_Information.txt

    Filesize

    2KB

    MD5

    be5cc0cd5e61e397d2c0a7b25678f356

    SHA1

    4d630a07f64f73e7fd120e4b1d89057262bfd877

    SHA256

    58e177100094dedc3bf219234e3c5e92a1eaaae8b0e39f6bab84ecd350b6797c

    SHA512

    bbda5057e2f78d0c7e2812ffa404bd9a8d4877bbb3eba12bf18ff200c995dcafa4f8c7b5057c702fdd937bed76d0d58a0fe79cfbe121325c4c1153abd107195c

  • C:\Users\Admin\AppData\Local\Temp\DoRlUbXdN\_Files\_Information.txt

    Filesize

    3KB

    MD5

    b58589a192145fc3648204c0a9377452

    SHA1

    aa59aefdadc0986732d60a84ee7b68d05fa15f83

    SHA256

    d3a34393fc8e9b991c00edaf2708bd6bd89537394f3c268b8f69816c0bdd7256

    SHA512

    0ed0b4d9b5258a47c43f819e7a2fca60af4ae08e5dbb26c0935415ee5be89d505424ad52c283bae1b15108c7e636e39cf401ebbb9f4ac7ef8e9ab453425467b6

  • C:\Users\Admin\AppData\Local\Temp\DoRlUbXdN\_Files\_Information.txt

    Filesize

    4KB

    MD5

    6a85835b2a09d01aad688555a11d5678

    SHA1

    61b7257e1e3b670dcc44d88693e4bfd356e8ba44

    SHA256

    7ec287792f908e1ced52bae94f8d3e5d0b0553eb776dc264689186f5546b201a

    SHA512

    e15c0b2083dd5c8b769bce3528908ec25a50ed783d7cbceb5de400d3a9aa2ef249f4a1b693018353b365d814d1d8c66de7ce3dff2181bc61451f49d41af4886e

  • C:\Users\Admin\AppData\Local\Temp\DoRlUbXdN\_Files\_Screen_Desktop.jpeg

    Filesize

    46KB

    MD5

    173616f7b0d894492640c61951db618c

    SHA1

    7e045ad76e579448dc25847141f4e27036fa44e7

    SHA256

    2c54bfab368afa40a1556e090260b9c1a580c32c044bd580e8a41279cc75c71e

    SHA512

    f474efa312614c37fc7471d8bf67d20d6913144b5e30f5034952f9de8889ed30699554e8841c8233a013082736a86bc334426136e63af7bf9b5904e1af67d202

  • C:\Users\Admin\AppData\Local\Temp\DoRlUbXdN\files_\system_info.txt

    Filesize

    7KB

    MD5

    5fdb75d520b240e28e9c807429f0830c

    SHA1

    9d06418fb1b07b72908640cacf697b0ac31c255a

    SHA256

    4e6a68f21c97e13736d27b3484ff705d2284290f5472f3dc214508828d9203aa

    SHA512

    425ffae341da52ad9d24d03728c21eab5e78d9b2edcab81f07668f74d3eb31c676e8496bb2d84e951d771f9b73ae32c900c5713165c5c56647737950253f98bb

  • memory/760-21-0x00000000003F0000-0x00000000004D5000-memory.dmp

    Filesize

    916KB

  • memory/760-26-0x00000000003F0000-0x00000000004D5000-memory.dmp

    Filesize

    916KB

  • memory/760-25-0x00000000003F0000-0x00000000004D5000-memory.dmp

    Filesize

    916KB

  • memory/760-24-0x00000000003F0000-0x00000000004D5000-memory.dmp

    Filesize

    916KB

  • memory/760-23-0x00000000003F0000-0x00000000004D5000-memory.dmp

    Filesize

    916KB

  • memory/760-22-0x00000000003F0000-0x00000000004D5000-memory.dmp

    Filesize

    916KB