Analysis
- max time kernel: 113s
- max time network: 121s
- resource: win7v191014

Task: task1
- Sample: crypted[1].bin.exe
- Resource: win7v191014

General
- Target: crypted[1].bin
- Sample: 191129-bykghah8ge
- SHA256: 9a923eb389bf1c51d9a53cc52951dcbc2bd4f2ac2cb810295e201987031a6e57
- Score: N/A
Malware Config
Signatures
- Reads Secure browser user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Safer Technologies\Secure Browser\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Waterfox user profile, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Roaming\WaterFox\Profiles\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Uran user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\uCozMedia\Uran\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Tor Browser user profile, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\TorBro\Profile\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Nichrome user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Nichrome\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Qip surf user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\QIP Surf\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads 7star user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\7Star\7Star\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Torch user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Torch\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Pale Moon browser user profile, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\ | pid: 1304 | process: crypted[1].bin.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 1304 | process: crypted[1].bin.exe
- 4 IoCs
  ioc: drive.google.com | process: Process not Found
  description: File opened for modification | ioc: C:\Users\Admin\AppData\Local\Temp\machineinfo.txt | pid: 1304 | process: crypted[1].bin.exe
  description: HTTP URL | ioc: http://34.76.145.229/gate/log.php | process: Process not Found
  description: HTTP URL | ioc: http://34.76.145.229/file_handler/file.php?hash=d3a547a5fa34fecef563a4e0d65825c4539a5386&js=8eb1309d3b4163e746e3f66ce26ccf5f269dd5e5&callback=http://34.76.145.229/gate | process: Process not Found
- Reads Sputnik user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Sputnik\Sputnik\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads user profile for Thunderbird email client, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Rockmelt user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\RockMelt\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Vivaldi user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Vivaldi\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Amigo user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Amigo\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Orbitum user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Orbitum\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Suhba user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Suhba\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Checks for installed software on the system (1 TTP, 1 IoC)
  description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName | pid: 1304 | process: crypted[1].bin.exe
- Reads Chromium user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Chromium\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Dragon user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Runs ping.exe (1 IoC)
  pid: 1232 | process: PING.EXE
- Reads Kometa user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Kometa\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Superbird user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Superbird\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Modifies system certificate store (3 IoCs, the same value written three times)
  description: Set value (data) | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 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 | pid: 1304 | process: crypted[1].bin.exe
  Caveat: a write under AuthRoot\Certificates also happens when Windows' automatic root update caches a root certificate the first time a process builds a TLS chain that needs it, so this signature on its own does not prove the sample installed a root of its own. Compare the thumbprint against the Microsoft trusted root list before treating it as a malicious root install.
- Reads Chrome user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Epic privacy browser user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Epic Privacy Browser\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Centbrowser user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\CentBrowser\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Elements browser user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Elements Browser\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Mustang user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Rafotech\Mustang\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Deletes itself (1 IoC)
  pid: 1800 | process: cmd.exe
- Reads Chrome SxS user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Bromium user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Bromium\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Chedot user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Chedot\User Data\ | pid: 1304 | process: crypted[1].bin.exe
- Reads Firefox user profile, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ | pid: 1304 | process: crypted[1].bin.exe
- Accesses Bither wallet, possible credential harvesting (2 TTPs, 1 IoC)
  description: File opened (read-only) | ioc: C:\Users\Admin\AppData\Roaming\Bither\address.db | pid: 1304 | process: crypted[1].bin.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  description: PID 1304 wrote to memory of 1800 | pid: 1304 | process: crypted[1].bin.exe | procid_target: 29
  description: PID 1800 wrote to memory of 1232 | pid: 1800 | process: cmd.exe | procid_target: 31
  Caveat: both writes are parent-to-freshly-created-child (1304 spawned cmd.exe, cmd.exe spawned ping), which is what process creation itself looks like to a WriteProcessMemory hook; on this page it is not evidence of injection into an unrelated process.
- Loads dropped DLL (1 IoC)
  pid: 1304 | process: crypted[1].bin.exe
- Reads Go! user data, possible credential harvesting (2 TTPs, 1 IoC)
  ioc: C:\Users\Admin\AppData\Local\Go!\User Data\ | pid: 1304 | process: crypted[1].bin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
  - Reads Secure browser user data, possible credential harvesting
  - Reads Waterfox user profile, possible credential harvesting
  - Reads Uran user data, possible credential harvesting
  - Reads Tor Browser user profile, possible credential harvesting
  - Reads Nichrome user data, possible credential harvesting
  - Reads Qip surf user data, possible credential harvesting
  - Reads 7star user data, possible credential harvesting
  - Reads Torch user data, possible credential harvesting
  - Reads Pale Moon browser user profile, possible credential harvesting
  - Suspicious use of SetWindowsHookEx
  - Reads Sputnik user data, possible credential harvesting
  - Reads user profile for Thunderbird email client, possible credential harvesting
  - Reads Rockmelt user data, possible credential harvesting
  - Reads Vivaldi user data, possible credential harvesting
  - Reads Amigo user data, possible credential harvesting
  - Reads Orbitum user data, possible credential harvesting
  - Reads Suhba user data, possible credential harvesting
  - Checks for installed software on the system
  - Reads Chromium user data, possible credential harvesting
  - Reads Dragon user data, possible credential harvesting
  - Reads Kometa user data, possible credential harvesting
  - Reads Superbird user data, possible credential harvesting
  - Modifies system certificate store
  - Reads Chrome user data, possible credential harvesting
  - Reads Epic privacy browser user data, possible credential harvesting
  - Reads Centbrowser user data, possible credential harvesting
  - Reads Elements browser user data, possible credential harvesting
  - Reads Mustang user data, possible credential harvesting
  - Reads Chrome SxS user data, possible credential harvesting
  - Reads Bromium user data, possible credential harvesting
  - Reads Chedot user data, possible credential harvesting
  - Reads Firefox user profile, possible credential harvesting
  - Accesses Bither wallet, possible credential harvesting
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  - Reads Go! user data, possible credential harvesting
  PID: 1304
- C:\Windows\SysWOW64\cmd.exe
  command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID: 1800
- C:\Windows\system32\conhost.exe
  command line: \??\C:\Windows\system32\conhost.exe "-1333835286-1054468390-1472936826-787043865-20918172221881988614-2562341841526789034"
  PID: 736
- C:\Windows\SysWOW64\PING.EXE
  command line: ping 1.1.1.1 -n 1 -w 3000
  - Runs ping.exe
  PID: 1232
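The three behaviours this report turns into signatures (one process sweeping many browser and mail profile directories, a cmd.exe child that pings for a delay and then deletes its parent's image, and a write to the AuthRoot certificate store) are the kind of thing an analyst wants as host-level detections, not just sandbox verdicts. The following is an added example, not code from the sandbox vendor or from this report: it runs the three checks over constructed Sysmon-style event dicts that mirror the IoCs above (the file names under the profile directories, the benign chrome.exe and explorer.exe events, and the PIDs 2000 and 3000 are made up for the example; the command lines, registry key, paths and PIDs 1304/1800/1232 are taken from the report). The profile-directory regex generalises past the exact paths listed here to any `AppData\Local|Roaming\<app>\User Data` or `\Profiles` tree, and the self-delete check requires the deleted target to be the parent's own image so that an ordinary `ping & del` cleanup does not fire.

```python
"""Host-level checks for the behaviours in the report, over constructed events.

Events are dicts shaped loosely like Sysmon output (type, pid, image, path,
cmdline, parent_image, key).  Nothing here is real telemetry.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"

# Constructed events modelled on the report's IoCs (not captured from the sandbox).
EVENTS = [
    # one process reading several unrelated browser/mail profile trees
    {"type": "file_read", "pid": 1304, "image": SAMPLE,
     "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "pid": 1304, "image": SAMPLE,
     "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"type": "file_read", "pid": 1304, "image": SAMPLE,
     "path": r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
    {"type": "file_read", "pid": 1304, "image": SAMPLE,
     "path": r"C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\x1.default\key4.db"},
    {"type": "file_read", "pid": 1304, "image": SAMPLE,
     "path": r"C:\Users\Admin\AppData\Local\TorBro\Profile\places.sqlite"},
    {"type": "file_read", "pid": 1304, "image": SAMPLE,
     "path": r"C:\Users\Admin\AppData\Local\Temp\machineinfo.txt"},   # not a profile dir
    # benign: a browser reading its own profile (hypothetical pid 2000)
    {"type": "file_read", "pid": 2000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    # root-store write from the report
    {"type": "reg_set", "pid": 1304, "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates"
            r"\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob"},
    # the ping-then-del self-delete chain from the report
    {"type": "proc_create", "pid": 1800, "ppid": 1304, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": SAMPLE,
     "cmdline": r'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "' + SAMPLE + '"'},
    {"type": "proc_create", "pid": 1232, "ppid": 1800, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "ping 1.1.1.1 -n 1 -w 3000"},
    # benign: same ping & del idiom, but the target is not the parent (hypothetical pid 3000)
    {"type": "proc_create", "pid": 3000, "ppid": 4, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /C ping 10.0.0.1 -n 1 & del /q C:\Users\Admin\old.log"},
]

# <drive>\Users\<u>\AppData\{Local,Roaming}\<app...>\{User Data,Profile(s)}\...
PROFILE_RE = re.compile(
    r"\\AppData\\(?:Local|Roaming)\\(?P<app>.+?)\\(?:User Data|Profiles?)(?:\\|$)",
    re.IGNORECASE)
# "ping ... & del [/flags] <target>" with an optional quoted target at the end
SELF_DELETE_RE = re.compile(
    r'\bping\b[^&]*&\s*del\b(?:\s+/\w)*\s+"?(?P<target>[^"&]+?)"?\s*$', re.IGNORECASE)
AUTHROOT_RE = re.compile(
    r"\\SystemCertificates\\AuthRoot\\Certificates\\(?P<thumb>[0-9A-F]{40})\\Blob$",
    re.IGNORECASE)


def profile_app(path):
    """Application component of a browser/mail profile path, or None."""
    m = PROFILE_RE.search(path)
    return m.group("app") if m else None


def profile_harvest(events, threshold=3):
    """pid -> sorted app names, for pids that read >= threshold distinct profile trees.
    A browser reads its own profile; the tell is one process sweeping many."""
    apps = defaultdict(set)
    for ev in events:
        if ev["type"] == "file_read":
            app = profile_app(ev["path"])
            if app:
                apps[ev["pid"]].add(app.lower())
    return {pid: sorted(a) for pid, a in apps.items() if len(a) >= threshold}


def self_delete(events):
    """pids whose ping-then-del command line deletes their own parent's image."""
    hits = []
    for ev in events:
        if ev["type"] != "proc_create":
            continue
        m = SELF_DELETE_RE.search(ev.get("cmdline", ""))
        if m and m.group("target").strip().lower() == ev.get("parent_image", "").lower():
            hits.append(ev["pid"])
    return hits


def authroot_writes(events):
    """(pid, thumbprint) for every write of a certificate blob into AuthRoot.
    Weak on its own: Windows' root auto-update writes here too, so correlate."""
    return [(ev["pid"], m.group("thumb").upper())
            for ev in events if ev["type"] == "reg_set"
            for m in [AUTHROOT_RE.search(ev["key"])] if m]


def analyze(events):
    return {"profile_harvest": profile_harvest(events),
            "self_delete": self_delete(events),
            "authroot_writes": authroot_writes(events)}


if __name__ == "__main__":
    for name, result in analyze(EVENTS).items():
        print(name, result)
```

On the constructed input only PID 1304 trips the profile sweep (four distinct trees; chrome.exe reading its own profile does not), only PID 1800 trips the self-delete check (PID 3000 uses the same ping-and-del idiom but deletes a log file, not its parent), and the AuthRoot write is reported with its thumbprint for the analyst to look up rather than scored as malicious by itself.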
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1081 (Credentials in Files; a retired technique ID, now covered by T1552.001 Unsecured Credentials: Credentials In Files)
- T1130 (Install Root Certificate; a retired technique ID, now covered by T1553.004 Subvert Trust Controls: Install Root Certificate)