Analysis
-
max time kernel
133s -
max time network
150s -
resource
win10v191014
Task
task1
Sample
crypted[1].bin.exe
Resource
win7v191014
0 signatures
General
-
Target
crypted[1].bin
-
Sample
191129-bykghah8ge
-
SHA256
9a923eb389bf1c51d9a53cc52951dcbc2bd4f2ac2cb810295e201987031a6e57
Score
N/A
Malware Config
Signatures
-
Checks for installed software on the system 1 TTPs 1 IoCs
description ioc pid Process Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName 4964 crypted[1].bin.exe -
Drops file in system dir 5 IoCs
description ioc pid Process File opened for modification C:\Windows\Debug\ESE.TXT 3700 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 3700 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 3700 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 3700 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 3700 svchost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5036 wrote to memory of 5064 5036 SppExtComObj.exe 74 PID 4964 wrote to memory of 3996 4964 crypted[1].bin.exe 77 PID 3996 wrote to memory of 3972 3996 cmd.exe 79 -
Reads Dragon user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data\ 4964 crypted[1].bin.exe -
Reads Nichrome user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Nichrome\User Data\ 4964 crypted[1].bin.exe -
Reads Mustang user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Rafotech\Mustang\User Data\ 4964 crypted[1].bin.exe -
Reads Chedot user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Chedot\User Data\ 4964 crypted[1].bin.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4964 crypted[1].bin.exe -
Reads Uran user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\uCozMedia\Uran\User Data\ 4964 crypted[1].bin.exe -
Reads Epic privacy browser user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Epic Privacy Browser\User Data\ 4964 crypted[1].bin.exe -
Reads Secure browser user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Safer Technologies\Secure Browser\User Data\ 4964 crypted[1].bin.exe -
Reads user profile for Thunderbird email client, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\ 4964 crypted[1].bin.exe -
Reads Waterfox user profile, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Roaming\WaterFox\Profiles\ 4964 crypted[1].bin.exe -
Reads Centbrowser user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\CentBrowser\User Data\ 4964 crypted[1].bin.exe -
Reads Qip surf user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\QIP Surf\User Data\ 4964 crypted[1].bin.exe -
Reads 7star user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\7Star\7Star\User Data\ 4964 crypted[1].bin.exe -
Reads Suhba user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Suhba\User Data\ 4964 crypted[1].bin.exe -
Reads Chrome user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ 4964 crypted[1].bin.exe -
Reads Chrome SxS user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\ 4964 crypted[1].bin.exe -
Reads Chromium user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Chromium\User Data\ 4964 crypted[1].bin.exe -
Reads Bromium user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Bromium\User Data\ 4964 crypted[1].bin.exe -
Reads Go! user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Go!\User Data\ 4964 crypted[1].bin.exe -
Reads Firefox user profile, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ 4964 crypted[1].bin.exe -
Accesses Bither wallet, possible credential harvesting 2 TTPs 1 IoCs
description ioc pid Process File opened (read-only) C:\Users\Admin\AppData\Roaming\Bither\address.db 4964 crypted[1].bin.exe -
Reads Rockmelt user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\RockMelt\User Data\ 4964 crypted[1].bin.exe -
Reads Kometa user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Kometa\User Data\ 4964 crypted[1].bin.exe -
Reads Elements browser user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Elements Browser\User Data\ 4964 crypted[1].bin.exe -
Reads Tor Browser user profile, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\TorBro\Profile\ 4964 crypted[1].bin.exe -
Reads Torch user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Torch\User Data\ 4964 crypted[1].bin.exe -
Reads Orbitum user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Orbitum\User Data\ 4964 crypted[1].bin.exe -
Reads Sputnik user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Sputnik\Sputnik\User Data\ 4964 crypted[1].bin.exe -
Reads Superbird user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Superbird\User Data\ 4964 crypted[1].bin.exe -
pid Process 3972 PING.EXE -
description ioc pid Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" 4336 svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" 4336 svchost.exe -
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
description ioc pid Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer 4056 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName 4056 svchost.exe -
4 IoCs
description ioc pid Process drive.google.com Process not Found File opened for modification C:\Users\Admin\AppData\Local\Temp\machineinfo.txt 4964 crypted[1].bin.exe HTTP URL http://34.76.145.229/gate/log.php Process not Found HTTP URL http://34.76.145.229/file_handler/file.php?hash=b0813e2ec23140aca46c76857579fd82f11ff08c&js=edeed05e16b0151de24438557e57c3516e522684&callback=http://34.76.145.229/gate Process not Found -
Loads dropped DLL 1 IoCs
pid Process 4964 crypted[1].bin.exe -
Reads Amigo user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Amigo\User Data\ 4964 crypted[1].bin.exe -
Reads Vivaldi user data, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Local\Vivaldi\User Data\ 4964 crypted[1].bin.exe -
Reads Pale Moon browser user profile, possible credential harvesting 2 TTPs 1 IoCs
ioc pid Process C:\Users\Admin\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\ 4964 crypted[1].bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"1⤵
- Checks for installed software on the system
- Suspicious use of WriteProcessMemory
- Reads Dragon user data, possible credential harvesting
- Reads Nichrome user data, possible credential harvesting
- Reads Mustang user data, possible credential harvesting
- Reads Chedot user data, possible credential harvesting
- Suspicious use of SetWindowsHookEx
- Reads Uran user data, possible credential harvesting
- Reads Epic privacy browser user data, possible credential harvesting
- Reads Secure browser user data, possible credential harvesting
- Reads user profile for Thunderbird email client, possible credential harvesting
- Reads Waterfox user profile, possible credential harvesting
- Reads Centbrowser user data, possible credential harvesting
- Reads Qip surf user data, possible credential harvesting
- Reads 7star user data, possible credential harvesting
- Reads Suhba user data, possible credential harvesting
- Reads Chrome user data, possible credential harvesting
- Reads Chrome SxS user data, possible credential harvesting
- Reads Chromium user data, possible credential harvesting
- Reads Bromium user data, possible credential harvesting
- Reads Go! user data, possible credential harvesting
- Reads Firefox user profile, possible credential harvesting
- Accesses Bither wallet, possible credential harvesting
- Reads Rockmelt user data, possible credential harvesting
- Reads Kometa user data, possible credential harvesting
- Reads Elements browser user data, possible credential harvesting
- Reads Tor Browser user profile, possible credential harvesting
- Reads Torch user data, possible credential harvesting
- Reads Orbitum user data, possible credential harvesting
- Reads Sputnik user data, possible credential harvesting
- Reads Superbird user data, possible credential harvesting
- Loads dropped DLL
- Reads Amigo user data, possible credential harvesting
- Reads Vivaldi user data, possible credential harvesting
- Reads Pale Moon browser user profile, possible credential harvesting
PID:4964
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:5036
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent1⤵PID:5064
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3996
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30001⤵
- Runs ping.exe
PID:3972
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Drops file in system dir
PID:3700
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:3128
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵
- Checks system information in the registry (likely anti-VM)
PID:4056
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵
- Windows security modification
PID:4336
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵PID:2448
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1081
- T1089