Analysis

  • max time kernel
    113s
  • max time network
    121s
  • resource
    win7v191014

General

  • Target

    crypted[1].bin

  • Sample

    191129-bykghah8ge

  • SHA256

    9a923eb389bf1c51d9a53cc52951dcbc2bd4f2ac2cb810295e201987031a6e57

Score
N/A

Malware Config

Signatures

  • Reads Secure browser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Waterfox user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Uran user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Tor Browser user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Nichrome user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Qip surf user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads 7star user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Torch user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Pale Moon browser user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx ⋅ 1 IoCs
  • ⋅ 4 IoCs
  • Reads Sputnik user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads user profile for Thunderbird email client, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Rockmelt user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Vivaldi user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Amigo user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Orbitum user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Suhba user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Checks for installed software on the system ⋅ 1 TTPs 1 IoCs
  • Reads Chromium user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Dragon user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Runs ping.exe ⋅ 1 TTPs 1 IoCs
  • Reads Kometa user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Superbird user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Modifies system certificate store ⋅ 2 TTPs 3 IoCs
  • Reads Chrome user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Epic privacy browser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Centbrowser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Elements browser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Mustang user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Deletes itself ⋅ 1 IoCs
  • Reads Chrome SxS user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Bromium user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Chedot user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Firefox user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Accesses Bither wallet, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 2 IoCs
  • raccoon family
  • Loads dropped DLL ⋅ 1 IoCs
  • Reads Go! user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe
    "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
    Reads Secure browser user data, possible credential harvesting
    Reads Waterfox user profile, possible credential harvesting
    Reads Uran user data, possible credential harvesting
    Reads Tor Browser user profile, possible credential harvesting
    Reads Nichrome user data, possible credential harvesting
    Reads Qip surf user data, possible credential harvesting
    Reads 7star user data, possible credential harvesting
    Reads Torch user data, possible credential harvesting
    Reads Pale Moon browser user profile, possible credential harvesting
    Suspicious use of SetWindowsHookEx
    Reads Sputnik user data, possible credential harvesting
    Reads user profile for Thunderbird email client, possible credential harvesting
    Reads Rockmelt user data, possible credential harvesting
    Reads Vivaldi user data, possible credential harvesting
    Reads Amigo user data, possible credential harvesting
    Reads Orbitum user data, possible credential harvesting
    Reads Suhba user data, possible credential harvesting
    Checks for installed software on the system
    Reads Chromium user data, possible credential harvesting
    Reads Dragon user data, possible credential harvesting
    Reads Kometa user data, possible credential harvesting
    Reads Superbird user data, possible credential harvesting
    Modifies system certificate store
    Reads Chrome user data, possible credential harvesting
    Reads Epic privacy browser user data, possible credential harvesting
    Reads Centbrowser user data, possible credential harvesting
    Reads Elements browser user data, possible credential harvesting
    Reads Mustang user data, possible credential harvesting
    Reads Chrome SxS user data, possible credential harvesting
    Reads Bromium user data, possible credential harvesting
    Reads Chedot user data, possible credential harvesting
    Reads Firefox user profile, possible credential harvesting
    Accesses Bither wallet, possible credential harvesting
    Suspicious use of WriteProcessMemory
    Loads dropped DLL
    Reads Go! user data, possible credential harvesting
    PID:1304
  • C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
    Deletes itself
    Suspicious use of WriteProcessMemory
    PID:1800
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1333835286-1054468390-1472936826-787043865-20918172221881988614-2562341841526789034"
    PID:736
  • C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    Runs ping.exe
    PID:1232

Network

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
