Analysis

  • max time kernel
    92s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 01:41

General

  • Target

    setup_x86_x64_install (16).exe

  • Size

    1.8MB

  • MD5

    961ed865e49001eab634e7f1d49d4865

  • SHA1

    ac28f77d1b75703518ebf6df8cdafa77da9a08aa

  • SHA256

    00bea63783ba58ffe8a63b70aa5c4c019491bed0a92ed17148836409ab7e5cc1

  • SHA512

    8d13430e0fd68959239475082822a11e681f3923471ba0cbb7bf906da86fc940b19a1e81e2a1494deee5b6fe08da8bc6ab715dcd08edb5a4f9755e39a4bbdd4a

  • SSDEEP

    24576:L3hOb1cU1l+aHBs8D3tCXG5IfsvYAPzTvW/SWlWIPqz0beYU2Z5gsUtR/VUTUb3/:LxOpmX70uDMQDU/FVUTURHinXuaa

Malware Config

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

  • CryptBot payload 3 IoCs
  • Cryptbot family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (16).exe
    "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (16).exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3232
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < Sommesso.ppt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2440
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^ZOQsXtAtHxdyuhsSoVBajbWjbeoOEYrTNLMLtwdlZxVnlJckSKVqpClCSEUVWLmIsbsxAFNuFdaSBbwNGXVTeeJkApTAicggUhuNawKhWPcSpaw$" Apparenze.ppt
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1432
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
          Pensieroso.exe.com N
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1204
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com N
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:4956
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\SsnMGhsa & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2828
              • C:\Windows\SysWOW64\timeout.exe
                timeout 3
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:2816
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 30
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2576

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Apparenze.ppt

    Filesize

    872KB

    MD5

    2caf8e89e6a05bb30057c7c470fdf260

    SHA1

    edb048d2d92046e97b2f991e9dbec16247ee5d8c

    SHA256

    492fcd3db49355cefd9c23e78d0a3c3082037f4d2e6ccaff65c81273255a22e8

    SHA512

    4f0e0f11c989f4030c77e274e919cb10a4b93283591d2e79f8ff4d3d44c0384dead702804abe221b54b32c8eeaa6be845e0d59cac336f6cf9256c95ae3469f3a

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ingranditi.ppt

    Filesize

    663KB

    MD5

    9fef53ec7afd145869f53138338e189f

    SHA1

    17d26e52ca0cb3de7083b5737f7b2a84a483b462

    SHA256

    e2cce7b050bc38ea22285645f3953ea3f9ea7dab11b94da0612ebace7f59eb09

    SHA512

    b434b0839269cdc32edb0aa94b570de2e19761feb0460be7fbbc5ef2250adc09ab138c1a0ab591b89dee06957c3559dbc69af156fa560c30c19d1509be8bbaa4

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Isola.ppt

    Filesize

    894KB

    MD5

    0d1cb8e6cc1623b8a86ecabd84613e0e

    SHA1

    353b60c29f0fb219f6b1f49b112038912ec040c8

    SHA256

    05ebdcbe3983b1f87e69ffcdab45a2692e0248bb6beccbaeebacad4fb1d72bc4

    SHA512

    0af070ec9d3dcac2103f6d259b3d847303c0c14d245f3f6d8a86f81f233fad3048632c8cf43f93d3f53dca974a0ff0a61732686471a24df5d391c025757eda38

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com

    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sommesso.ppt

    Filesize

    325B

    MD5

    1b4d94eb8f5923f889afcbe5caddd449

    SHA1

    c613c7cfe6db911b07760a7767492de829cd37e7

    SHA256

    812f3d792ef7a99472b2aff8ee37c09218aed327036292cea950f27981071885

    SHA512

    6b4f3b1c3afc5acc8252746ea02eb59f1dd5d314439ea86097f3c0144aa13f2b955c77aa1d980a93f2e342393258d3943f14ca7708f303195b66f1fb5cd24c88

  • C:\Users\Admin\AppData\Local\Temp\SsnMGhsa\DKIJIW~1.ZIP

    Filesize

    42KB

    MD5

    3db1db0e32722987dbddaddb45fd59e4

    SHA1

    96239ac402974abb55127fa25fe15d9d9af4199f

    SHA256

    5053a58094c039a1cbec3fd860ac1ecc0809578007c62fe4ccecca9aa2eeade5

    SHA512

    6257445ce47b15500b42d21a34b8c6fd4e792284b89a577e7aba049e645e1f4b42f6976534c446c4c281642df1c2773cb012a2f80c1ded3b824ad361abed06df

  • C:\Users\Admin\AppData\Local\Temp\SsnMGhsa\EEYVTW~1.ZIP

    Filesize

    42KB

    MD5

    90c60eadb6a3a0a13c2b0ca110cf70ef

    SHA1

    b255d8cf6fbc7f8de852a4f12bd33a19172d8d47

    SHA256

    e9e888e191eba439cf4b22c6fc3db6d57c8f0b690c2a78d0abf3f8256b04c90c

    SHA512

    a0e1131ee45f37d4a7d325fe1a14cd42750ebb906c67ea3dc555c642b26cd8343ab8f0e976abeaea585e047a8162541eda1f28e690a08f8b09b6c2c6dac3cae3

  • C:\Users\Admin\AppData\Local\Temp\SsnMGhsa\_Files\_INFOR~1.TXT

    Filesize

    7KB

    MD5

    da0fc9d68b77c83ef87d2d3aa92ea3f6

    SHA1

    8c9a854535a7ec2b96d8e570d6d53b0a3f679681

    SHA256

    a61c55449f760e0f86809e7da68e5b9fcf36cc5896f2810364505fe515e91662

    SHA512

    a4ab2bbeddd09cb56d55b95ceecbbc64db67294dc33c84ceafb938f719944cf016b0eb1db25f54897032b669cfbecee3c65e673630e923666fd4ea005e22dc9f

  • C:\Users\Admin\AppData\Local\Temp\SsnMGhsa\_Files\_Information.txt

    Filesize

    1KB

    MD5

    85783f52ca236e29bb31695871750e55

    SHA1

    85d0b898972f0fec0f0d1e3f5b738fe1ff8a2ed5

    SHA256

    5eaf98e27534143c7f71c467a9a99cb767c4ba6e88b888373ef522c39dceef94

    SHA512

    737b90febf4e17ce16487795bb97730d83807c71fddd0d4c1fc3a9ad6f8d8fd13ff10558b6647b54ae9a790035daf2e53d6cd234a271127ec4fefad9337e91e4

  • C:\Users\Admin\AppData\Local\Temp\SsnMGhsa\_Files\_Information.txt

    Filesize

    2KB

    MD5

    3c6d5b61eb391e8916b9325c07217998

    SHA1

    8b832be63fb2d313cb7fab3b7474fa88057b1fdb

    SHA256

    48d79d98c7c3257c5e88707f36f053403e3bf58a1bcf7a2c1de9b62574355e88

    SHA512

    bb6e75df8e86792aed00c2f1035a2cbb46876ad73dc51d897e8915db76d49233433751e1f8fd284d18104f79ec8bd5c4478da09b80bc1ecba6cdc891d166bc8e

  • C:\Users\Admin\AppData\Local\Temp\SsnMGhsa\_Files\_Information.txt

    Filesize

    4KB

    MD5

    6825516ef32542039b25bbfb3c5ef273

    SHA1

    968a46652d70c2833cee20e7313cf11ae85fc62c

    SHA256

    1fd7037417347cdadb56cfdae4ff119095e774e1335d3daff5f64e8da5ac903e

    SHA512

    bc81e930c720a511879e54396b87c88bd0f1e98643cc8b30e6ee506ac0d0c246a22cc9a3694d8a88a8e5cb31e005f6226dcb59b1b7ea6ca5e334f7ff4d57c019

  • C:\Users\Admin\AppData\Local\Temp\SsnMGhsa\_Files\_Screen_Desktop.jpeg

    Filesize

    47KB

    MD5

    0dd8b3ba5e37399add7cad430f171d27

    SHA1

    3708f4220f90eb226bb17e024ca18b87b5d06853

    SHA256

    ede7c01ff70fd0d451975897df02b0905ccb864e0424fb7696155bc626767633

    SHA512

    a773c39620373b735b281b94e045328013398cec3fcab2eb1b19fc7398fbbdb347ce066ed1b14e49d3a7c920f74edf3ec38346fdbd91f3484f1e575b2652602d

  • C:\Users\Admin\AppData\Local\Temp\SsnMGhsa\files_\system_info.txt

    Filesize

    1KB

    MD5

    1e389ea7108f88f8cd6998caafa6ea6c

    SHA1

    8cda12473510c6fb8a467c590c03719500ffe17a

    SHA256

    1e90b544c745a3c7df817f73c030ee6c018c3a86733797474c1380f9e1714e3b

    SHA512

    0a102b0dbcb0e6b33416d0a307591c9d1e0f01abc459d354c2013c8a0856956a9208c7a6cbd3c9df10a413b4ab3332556a7be587cca1645f79562d8f135e51e4

  • C:\Users\Admin\AppData\Local\Temp\SsnMGhsa\files_\system_info.txt

    Filesize

    7KB

    MD5

    0b9301f49787000b4310711e67f68f75

    SHA1

    0911039acf3465e1b6bb3aa50be5507db92d258d

    SHA256

    23a02b8c87270d8e92c74807ab50b6427a7d5142dedac5034c2f4886b704d3a6

    SHA512

    ab6c9565fce2c46a10790900483e90194ba4c2780d6e5caade6a9a4e2f76c03d0cb7d1d701f969b1a6bd73375d92c8d251a665f313eb0e7378af6618ed0460ce

  • memory/4956-21-0x0000000004A80000-0x0000000004B65000-memory.dmp

    Filesize

    916KB

  • memory/4956-26-0x0000000004A80000-0x0000000004B65000-memory.dmp

    Filesize

    916KB

  • memory/4956-25-0x0000000004A80000-0x0000000004B65000-memory.dmp

    Filesize

    916KB

  • memory/4956-24-0x0000000004A80000-0x0000000004B65000-memory.dmp

    Filesize

    916KB

  • memory/4956-23-0x0000000004A80000-0x0000000004B65000-memory.dmp

    Filesize

    916KB

  • memory/4956-22-0x0000000004A80000-0x0000000004B65000-memory.dmp

    Filesize

    916KB