Analysis

  • max time kernel
    92s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 01:41

General

  • Target

    setup_x86_x64_install (2).exe

  • Size

    1.8MB

  • MD5

    961ed865e49001eab634e7f1d49d4865

  • SHA1

    ac28f77d1b75703518ebf6df8cdafa77da9a08aa

  • SHA256

    00bea63783ba58ffe8a63b70aa5c4c019491bed0a92ed17148836409ab7e5cc1

  • SHA512

    8d13430e0fd68959239475082822a11e681f3923471ba0cbb7bf906da86fc940b19a1e81e2a1494deee5b6fe08da8bc6ab715dcd08edb5a4f9755e39a4bbdd4a

  • SSDEEP

    24576:L3hOb1cU1l+aHBs8D3tCXG5IfsvYAPzTvW/SWlWIPqz0beYU2Z5gsUtR/VUTUb3/:LxOpmX70uDMQDU/FVUTURHinXuaa

Malware Config

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

  • CryptBot payload 3 IoCs
  • Cryptbot family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (2).exe
    "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (2).exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3100
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < Sommesso.ppt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4068
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^ZOQsXtAtHxdyuhsSoVBajbWjbeoOEYrTNLMLtwdlZxVnlJckSKVqpClCSEUVWLmIsbsxAFNuFdaSBbwNGXVTeeJkApTAicggUhuNawKhWPcSpaw$" Apparenze.ppt
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1452
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
          Pensieroso.exe.com N
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com N
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:2032
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\yAJYbTZNvAiKk & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2384
              • C:\Windows\SysWOW64\timeout.exe
                timeout 3
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:1012
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 30
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3404

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Apparenze.ppt

    Filesize

    872KB

    MD5

    2caf8e89e6a05bb30057c7c470fdf260

    SHA1

    edb048d2d92046e97b2f991e9dbec16247ee5d8c

    SHA256

    492fcd3db49355cefd9c23e78d0a3c3082037f4d2e6ccaff65c81273255a22e8

    SHA512

    4f0e0f11c989f4030c77e274e919cb10a4b93283591d2e79f8ff4d3d44c0384dead702804abe221b54b32c8eeaa6be845e0d59cac336f6cf9256c95ae3469f3a

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ingranditi.ppt

    Filesize

    663KB

    MD5

    9fef53ec7afd145869f53138338e189f

    SHA1

    17d26e52ca0cb3de7083b5737f7b2a84a483b462

    SHA256

    e2cce7b050bc38ea22285645f3953ea3f9ea7dab11b94da0612ebace7f59eb09

    SHA512

    b434b0839269cdc32edb0aa94b570de2e19761feb0460be7fbbc5ef2250adc09ab138c1a0ab591b89dee06957c3559dbc69af156fa560c30c19d1509be8bbaa4

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Isola.ppt

    Filesize

    894KB

    MD5

    0d1cb8e6cc1623b8a86ecabd84613e0e

    SHA1

    353b60c29f0fb219f6b1f49b112038912ec040c8

    SHA256

    05ebdcbe3983b1f87e69ffcdab45a2692e0248bb6beccbaeebacad4fb1d72bc4

    SHA512

    0af070ec9d3dcac2103f6d259b3d847303c0c14d245f3f6d8a86f81f233fad3048632c8cf43f93d3f53dca974a0ff0a61732686471a24df5d391c025757eda38

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com

    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sommesso.ppt

    Filesize

    325B

    MD5

    1b4d94eb8f5923f889afcbe5caddd449

    SHA1

    c613c7cfe6db911b07760a7767492de829cd37e7

    SHA256

    812f3d792ef7a99472b2aff8ee37c09218aed327036292cea950f27981071885

    SHA512

    6b4f3b1c3afc5acc8252746ea02eb59f1dd5d314439ea86097f3c0144aa13f2b955c77aa1d980a93f2e342393258d3943f14ca7708f303195b66f1fb5cd24c88

  • C:\Users\Admin\AppData\Local\Temp\yAJYbTZNvAiKk\HADPXW~1.ZIP

    Filesize

    364KB

    MD5

    39c6e91fa883a4e312d7e900b4f2af09

    SHA1

    4bf314ea3ecf1250f4ac7657a4210cbfa53edb92

    SHA256

    1fd1b9d820e818e133388bfd7a346ea0ece4ceb602bd6d2e6c57386ca047d97a

    SHA512

    47d5393fe4812b5f5d872bcb456cb1462d06aa1f5dc9bb772e51a143f7ce1cf66f4f94c342c822a818dec89725e03cf41b31a834a9cdf4cf96a5c319cbe7c0e4

  • C:\Users\Admin\AppData\Local\Temp\yAJYbTZNvAiKk\VVLLHT~1.ZIP

    Filesize

    364KB

    MD5

    3d83a53677a182676e3e3a99c72143a0

    SHA1

    af9764eff551c191efe8dac2ebce3a0bec22a544

    SHA256

    349aea2d80ed7f33b2f7ad500fe4b1293f66feede29d2c8234c33fd3e17ba153

    SHA512

    7f162906414d22ad0a19002fa023cc7b16b5af4411cecc6586902f7e489b45136c2fea448be5817749d054103160dbe7eae5a32b48f67a16243f4be1e3afdbf1

  • C:\Users\Admin\AppData\Local\Temp\yAJYbTZNvAiKk\_Files\_Files\FindInstall.txt

    Filesize

    319KB

    MD5

    1ee0264370ad118064c30046239c8f02

    SHA1

    8466dcf5793042b1d0a9a0c053f0c6659d61d2a6

    SHA256

    79ceccc17a0e2e6dd7eb88215ad9177ce59b652a79ae9663437cd9f1dd34acf4

    SHA512

    dbe899c2ede0dd12a632f46d80e8873c16071a5b5fd8f387edd26054ae8934c6ebf074effd75e310396f1b8edaf2aa9f01fb2d1a35338847dc8efd8cae3f603e

  • C:\Users\Admin\AppData\Local\Temp\yAJYbTZNvAiKk\_Files\_INFOR~1.TXT

    Filesize

    7KB

    MD5

    2e19ee48306df24026bdf1873f47ddb5

    SHA1

    978ed486fe41392fdb23cd1439f1872525f066c4

    SHA256

    a77958258dd1bfcf86e9067407de87ab9853a1a20881ec987cea87d94ab4b0a4

    SHA512

    1eb53df167ed44d9ea260ad6f7b9f700ad50860b7a08abba630d235260b5b53c15d5dd72cd09e31f099587393e71287149e674c7b3b231c1f32d9d6520804b63

  • C:\Users\Admin\AppData\Local\Temp\yAJYbTZNvAiKk\_Files\_Information.txt

    Filesize

    1KB

    MD5

    9b4b9c3ee6a90f683e4d9f765761aedc

    SHA1

    2237a21c4361fc98a6e3339813a92122ff65d6df

    SHA256

    c445b455d9847af2cde224e2432b0084376a0a56076aa40dab27fa664051f0a7

    SHA512

    07251bf558d74e4bdecedf089955b4c8faad830f894ce57419b084fc39f1f686f147e51f42f238b164891fd091d0002611e27559229d88a6be36ac173aeb1065

  • C:\Users\Admin\AppData\Local\Temp\yAJYbTZNvAiKk\_Files\_Information.txt

    Filesize

    3KB

    MD5

    0014c520ffed30af701112a36cd6efdd

    SHA1

    fd79c6649f028b7736518ef84f9473e583c7036c

    SHA256

    6241388a758aa7421bc85249c32275e07d05a576735529dac5685d16e7e32701

    SHA512

    0edc5b56556dd008dacfc13ec3eb345b7af06da16b9fcf9553a39e42fffa30b3085f8e3cf099f01b35ecfcc8fa8ee1eabfbc1266ef1c36d60adfcf38907898b8

  • C:\Users\Admin\AppData\Local\Temp\yAJYbTZNvAiKk\_Files\_Information.txt

    Filesize

    4KB

    MD5

    3da8455a99cc49e5d966ed055250310f

    SHA1

    889616671873321074322b7700cd5802d232c058

    SHA256

    238ce7e5d69efcdc80af34b050dafdcf31d5583e5adda2300e274b356d5cc3a6

    SHA512

    eb0c956dc6b1281b7334cf101685b4a921443cfeeb5801a357b436aae3e7a156f842d2ae1fe26b88544c92e3b2d6d4d9892788dbd8015041fe3803f5d2942e57

  • C:\Users\Admin\AppData\Local\Temp\yAJYbTZNvAiKk\_Files\_Screen_Desktop.jpeg

    Filesize

    50KB

    MD5

    15db660dd75266f357349deda50e9964

    SHA1

    2bf974a051f7d158da560c2586c51a1179940bdc

    SHA256

    ae94d08bd104e3e1fd16cf73f1742ae9b2cbf57e04284c1df3f1ddc01252f578

    SHA512

    e1da9605b7acb344bb7d553153fec97d5d2e824ac27563076b964d91293c653d7e28d98bb411933955a07220d81c8a54386e9b871947adfe68f910339084741c

  • C:\Users\Admin\AppData\Local\Temp\yAJYbTZNvAiKk\files_\system_info.txt

    Filesize

    1KB

    MD5

    3a7bd07b9f043376517f54cf766d9bc7

    SHA1

    70ab2e944ca3fb85479e62efb1bbeb9c9dae1f90

    SHA256

    b95f8696b85d61aa74d21b23a3f336b5c38740424e672c914c9d027576c4825c

    SHA512

    4a916e1951b361c9b3ec91b6d01d3b187b06775169e5986514f0e1f8fed929b50af355592679848bd4de327d42c3df36b934daa68d06787b5835b0afa92f4873

  • C:\Users\Admin\AppData\Local\Temp\yAJYbTZNvAiKk\files_\system_info.txt

    Filesize

    7KB

    MD5

    0f940c9e341b7dbc92a86a60760f82c7

    SHA1

    ef4f03c13a2ee3198a7a96a36c99d79615c9a50c

    SHA256

    bd152af10ecb6b158d7e3353e5a18c07551363d4decb25e6ba7fc1c32e0fda33

    SHA512

    74ceee727336a2613b6878d3de8c629c927c3f6ae31b8e61b3d106ea5dd6f06d4dc91348ca6233f53df08433401a01f3aacd6c05e3fe7053b3f267721d2b16e9

  • memory/2032-21-0x00000000005C0000-0x00000000006A5000-memory.dmp

    Filesize

    916KB

  • memory/2032-26-0x00000000005C0000-0x00000000006A5000-memory.dmp

    Filesize

    916KB

  • memory/2032-25-0x00000000005C0000-0x00000000006A5000-memory.dmp

    Filesize

    916KB

  • memory/2032-24-0x00000000005C0000-0x00000000006A5000-memory.dmp

    Filesize

    916KB

  • memory/2032-23-0x00000000005C0000-0x00000000006A5000-memory.dmp

    Filesize

    916KB

  • memory/2032-22-0x00000000005C0000-0x00000000006A5000-memory.dmp

    Filesize

    916KB