crypted[1].bin

General
Target: crypted[1].bin
Filesize: N/A
Completed: 29-11-2019 16:22
Score: 10/10
SHA256: 9a923eb389bf1c51d9a53cc52951dcbc2bd4f2ac2cb810295e201987031a6e57

Malware Config
Signatures (41)
Tactics: Collection, Credential Access, Defense Evasion, Discovery
  • Checks for installed software on the system
    Process: crypted[1].bin.exe
    TTPs: Query Registry
    Reported IOCs:
    description | ioc | pid | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName | 4964 | crypted[1].bin.exe
  • Drops file in system dir
    Process: svchost.exe
    Reported IOCs:
    description | ioc | pid | process
    File opened for modification | C:\Windows\Debug\ESE.TXT | 3700 | svchost.exe
    File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | 3700 | svchost.exe
    File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | 3700 | svchost.exe
    File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp | 3700 | svchost.exe
    File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp | 3700 | svchost.exe
  • raccoon family
  • Suspicious use of WriteProcessMemory
    Processes: crypted[1].bin.exe, SppExtComObj.exe, cmd.exe
    Reported IOCs:
    description | pid | process | target process
    PID 5036 wrote to memory of 5064 | 5036 | SppExtComObj.exe | SLUI.exe
    PID 4964 wrote to memory of 3996 | 4964 | crypted[1].bin.exe | cmd.exe
    PID 3996 wrote to memory of 3972 | 3996 | cmd.exe | PING.EXE
  • Reads Dragon user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Nichrome user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Nichrome\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Mustang user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Rafotech\Mustang\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Chedot user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Chedot\User Data\ | 4964 | crypted[1].bin.exe
  • Suspicious use of SetWindowsHookEx
    Process: crypted[1].bin.exe
    Reported IOCs:
    pid | process
    4964 | crypted[1].bin.exe
  • Reads Uran user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\uCozMedia\Uran\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Epic privacy browser user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Epic Privacy Browser\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Secure browser user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Safer Technologies\Secure Browser\User Data\ | 4964 | crypted[1].bin.exe
  • Reads user profile for Thunderbird email client, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\ | 4964 | crypted[1].bin.exe
  • Reads Waterfox user profile, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Roaming\WaterFox\Profiles\ | 4964 | crypted[1].bin.exe
  • Reads Centbrowser user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\CentBrowser\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Qip surf user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\QIP Surf\User Data\ | 4964 | crypted[1].bin.exe
  • Reads 7star user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\7Star\7Star\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Suhba user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Suhba\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Chrome user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Chrome SxS user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Chromium user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Chromium\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Bromium user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Bromium\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Go! user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Go!\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Firefox user profile, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ | 4964 | crypted[1].bin.exe
  • Accesses Bither wallet, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    description | ioc | pid | process
    File opened (read-only) | C:\Users\Admin\AppData\Roaming\Bither\address.db | 4964 | crypted[1].bin.exe
  • Reads Rockmelt user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\RockMelt\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Kometa user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Kometa\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Elements browser user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Elements Browser\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Tor Browser user profile, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\TorBro\Profile\ | 4964 | crypted[1].bin.exe
  • Reads Torch user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Torch\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Orbitum user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Orbitum\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Sputnik user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Sputnik\Sputnik\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Superbird user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Superbird\User Data\ | 4964 | crypted[1].bin.exe
  • Runs ping.exe
    Process: PING.EXE
    TTPs: Remote System Discovery
    Reported IOCs:
    pid | process
    3972 | PING.EXE
  • Windows security modification
    Process: svchost.exe
    TTPs: Disabling Security Tools, Modify Registry
    Reported IOCs:
    description | ioc | pid | process
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" | 4336 | svchost.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" | 4336 | svchost.exe
  • Checks system information in the registry (likely anti-VM)
    Process: svchost.exe
    TTPs: Query Registry, System Information Discovery
    Reported IOCs:
    description | ioc | pid | process
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | 4056 | svchost.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | 4056 | svchost.exe
  • crypted[1].bin.exe
    Reported IOCs:
    ioc
    drive.google.com
    description | ioc | pid | process
    File opened for modification | C:\Users\Admin\AppData\Local\Temp\machineinfo.txt | 4964 | crypted[1].bin.exe
    description | ioc
    HTTP URL | http://34.76.145.229/gate/log.php
    HTTP URL | http://34.76.145.229/file_handler/file.php?hash=b0813e2ec23140aca46c76857579fd82f11ff08c&js=edeed05e16b0151de24438557e57c3516e522684&callback=http://34.76.145.229/gate
  • Loads dropped DLL
    Process: crypted[1].bin.exe
    Reported IOCs:
    pid | process
    4964 | crypted[1].bin.exe
  • Reads Amigo user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Amigo\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Vivaldi user data, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Local\Vivaldi\User Data\ | 4964 | crypted[1].bin.exe
  • Reads Pale Moon browser user profile, possible credential harvesting
    Process: crypted[1].bin.exe
    TTPs: Data from Local System, Credentials in Files
    Reported IOCs:
    ioc | pid | process
    C:\Users\Admin\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\ | 4964 | crypted[1].bin.exe
Processes (10)
  • C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe
    "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
    Accesses Bither wallet, possible credential harvesting
    Checks for installed software on the system
    Loads dropped DLL
    Reads 7star user data, possible credential harvesting
    Reads Amigo user data, possible credential harvesting
    Reads Bromium user data, possible credential harvesting
    Reads Centbrowser user data, possible credential harvesting
    Reads Chedot user data, possible credential harvesting
    Reads Chrome SxS user data, possible credential harvesting
    Reads Chrome user data, possible credential harvesting
    Reads Chromium user data, possible credential harvesting
    Reads Dragon user data, possible credential harvesting
    Reads Elements browser user data, possible credential harvesting
    Reads Epic privacy browser user data, possible credential harvesting
    Reads Firefox user profile, possible credential harvesting
    Reads Go! user data, possible credential harvesting
    Reads Kometa user data, possible credential harvesting
    Reads Mustang user data, possible credential harvesting
    Reads Nichrome user data, possible credential harvesting
    Reads Orbitum user data, possible credential harvesting
    Reads Pale Moon browser user profile, possible credential harvesting
    Reads Qip surf user data, possible credential harvesting
    Reads Rockmelt user data, possible credential harvesting
    Reads Secure browser user data, possible credential harvesting
    Reads Sputnik user data, possible credential harvesting
    Reads Suhba user data, possible credential harvesting
    Reads Superbird user data, possible credential harvesting
    Reads Tor Browser user profile, possible credential harvesting
    Reads Torch user data, possible credential harvesting
    Reads Uran user data, possible credential harvesting
    Reads Vivaldi user data, possible credential harvesting
    Reads Waterfox user profile, possible credential harvesting
    Reads user profile for Thunderbird email client, possible credential harvesting
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:4964
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    Suspicious use of WriteProcessMemory
    PID:5036
  • C:\Windows\System32\SLUI.exe
    "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
    PID:5064
  • C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
    Suspicious use of WriteProcessMemory
    PID:3996
  • C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    Runs ping.exe
    PID:3972
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    Drops file in system dir
    PID:3700
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
    PID:3128
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
    Checks system information in the registry (likely anti-VM)
    PID:4056
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
    Windows security modification
    PID:4336
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup
    PID:2448
Network
MITRE ATT&CK Matrix
Tactics: Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • \Users\Admin\AppData\Local\Temp\AdLibs\mozglue.dll
  • \Users\Admin\AppData\Local\Temp\AdLibs\nss3.dll
  • \Users\Admin\AppData\Local\Temp\sqlite3.dll