Overview

overview

10

Static

static

3

Main-Installer.exe

windows7-x64

10

Main-Installer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2024 14:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Main-Installer.exe

  • Size

    2.1MB

  • MD5

    54ce61c4a0a44b61eb0cdfd8f2a2d9de

  • SHA1

    b7768927797cc3bda4d5b049aeba68f2b3712d3c

  • SHA256

    c65c74893e884b5f4109608289b4b38200d7f8eff0f04e2dc244a1bbcdb3f233

  • SHA512

    50e5da3227a05c410fec148099289574196b1039007f0da687762e0fc746cb597ceaf7101df03de9b34dce92018cc440a2f19cbf56c73a469337ce65adcbdc80

  • SSDEEP

    49152:Z7UA42umT5om24Ljd0bQaPa0nv63j210D2JBHPCeI:ZoT2umlon8d0bQc9/1tBHaeI

Score
10/10
cryptbotdiscoveryspywarestealer

Malware Config

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 3 IoCs
  • Cryptbot family
    cryptbot
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Main-Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Main-Installer.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < Consolato.tiff
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2108
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^CVYCRORZuebEyJkvJtosaPWIaoqERlLjlkgMnPrkCQCNVdgPGQimJxQNYfpIOjiWdlxUcnXTqXOBhpMeUlYwrjCPxBNo$" Lineamento.tiff
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3048
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.exe.com
          Riaprirmi.exe.com z
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1964
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.exe.com
            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.exe.com z
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            PID:2744
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 30
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ali.tiff
    Filesize

    894KB

    MD5

    e10283439c190db013c3e5b1f524e91b

    SHA1

    0698f42be2164626390656a360323cfff9198773

    SHA256

    e42642ec415f7e760c51a5264f0c45f2ee97fbdbe5f359300973f0bb7f644de9

    SHA512

    48a94dc39ae79372dcf230f56598b63ed7d41dab5d02a4eb32fcd97d4808dd1b184e18d7b125ba09456bc6dc3786e43d1747adcc314f7bae5c1667135dc80103

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cancellata.tiff
    Filesize

    603KB

    MD5

    87bcbfacde09406114109eb7e13402d9

    SHA1

    7e9220e1f7a0ef7dcc0adc045140a8f22f8c5116

    SHA256

    421b0d3b2595a4b16545363d243a3ef7cc1c54cc2828d2c839d59ceaae7582b2

    SHA512

    781275caf4fee8c6b399ae7c3ed3c66fd494dfdf7db5d234fa71bfca238dd0847a8ebaddaf47d27bc189aa9c8e90279df1cdceb3acb1bc997e272153451855ed

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Consolato.tiff
    Filesize

    306B

    MD5

    3b10b75b93db8ecb14b58c28de83c2bf

    SHA1

    eb0361b53d27049a8f4d53af84bf9c6e8c490616

    SHA256

    c93e16629655420a024d75e837adf71791200b35648b41ea91326adb19e51f1a

    SHA512

    bd83d572947a954ca905aa0129f91167fe16ff37096791c2fcd44b30285249706bb7b89e9afa7626dbc961aeb1d183aac0a47d1adaa26f191c780b0ad1319205

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Lineamento.tiff
    Filesize

    872KB

    MD5

    c6a8a536c1cd7c3f9cb464cf5f5f495b

    SHA1

    d4f344cdf59d0be87d54e953039446c8137889fb

    SHA256

    02afb6e64292ff7caa21c9027cd5b27924ad0bc556c5db5f137a572ebf85b3a3

    SHA512

    e3ce924cee057cfe92f32c8539d2335317ac4f70efd40680c6b09a8daa33f879f39116927e929ebb95094a943c7b583c573e826c34fd3cea313d638c519872c4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.exe.com
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • memory/2744-24-0x0000000003B00000-0x0000000003BE5000-memory.dmp

    Filesize

    916KB

    Download

  • memory/2744-25-0x0000000003B00000-0x0000000003BE5000-memory.dmp

    Filesize

    916KB

    Download

  • memory/2744-26-0x0000000003B00000-0x0000000003BE5000-memory.dmp

    Filesize

    916KB

    Download

  • memory/2744-27-0x0000000003B00000-0x0000000003BE5000-memory.dmp

    Filesize

    916KB

    Download

  • memory/2744-28-0x0000000003B00000-0x0000000003BE5000-memory.dmp

    Filesize

    916KB

    Download

  • memory/2744-29-0x0000000003B00000-0x0000000003BE5000-memory.dmp

    Filesize

    916KB

    Download