crypted[1].bin
General
Target: crypted[1].bin
Filesize: N/A
Completed: 29-11-2019 16:22
Score: 10/10
SHA256: 9a923eb389bf1c51d9a53cc52951dcbc2bd4f2ac2cb810295e201987031a6e57
Malware Config
Signatures 41
Tactics: Collection, Credential Access, Defense Evasion, Discovery
-
Checks for installed software on the system (process: crypted[1].bin.exe)
Reported IOCs (description | ioc | pid | process):
Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName | 4964 | crypted[1].bin.exe
-
Drops file in system dir (process: svchost.exe)
Reported IOCs (description | ioc | pid | process):
File opened for modification | C:\Windows\Debug\ESE.TXT | 3700 | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | 3700 | svchost.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | 3700 | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp | 3700 | svchost.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp | 3700 | svchost.exe
-
Raccoon family
-
Suspicious use of WriteProcessMemory (processes: crypted[1].bin.exe, SppExtComObj.exe, cmd.exe)
Reported IOCs (description | pid | process | target process):
PID 5036 wrote to memory of 5064 | 5036 | SppExtComObj.exe | SLUI.exe
PID 4964 wrote to memory of 3996 | 4964 | crypted[1].bin.exe | cmd.exe
PID 3996 wrote to memory of 3972 | 3996 | cmd.exe | PING.EXE
-
Reads Dragon user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Nichrome user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Nichrome\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Mustang user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Rafotech\Mustang\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Chedot user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Chedot\User Data\ | 4964 | crypted[1].bin.exe
-
Suspicious use of SetWindowsHookEx (process: crypted[1].bin.exe)
Reported IOCs (pid | process):
4964 | crypted[1].bin.exe
-
Reads Uran user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\uCozMedia\Uran\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Epic privacy browser user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Epic Privacy Browser\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Secure browser user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Safer Technologies\Secure Browser\User Data\ | 4964 | crypted[1].bin.exe
-
Reads user profile for Thunderbird email client, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\ | 4964 | crypted[1].bin.exe
-
Reads Waterfox user profile, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Roaming\WaterFox\Profiles\ | 4964 | crypted[1].bin.exe
-
Reads Centbrowser user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\CentBrowser\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Qip surf user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\QIP Surf\User Data\ | 4964 | crypted[1].bin.exe
-
Reads 7star user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\7Star\7Star\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Suhba user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Suhba\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Chrome user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Chrome SxS user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Chromium user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Chromium\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Bromium user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Bromium\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Go! user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Go!\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Firefox user profile, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ | 4964 | crypted[1].bin.exe
-
Accesses Bither wallet, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (description | ioc | pid | process):
File opened (read-only) | C:\Users\Admin\AppData\Roaming\Bither\address.db | 4964 | crypted[1].bin.exe
-
Reads Rockmelt user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\RockMelt\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Kometa user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Kometa\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Elements browser user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Elements Browser\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Tor Browser user profile, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\TorBro\Profile\ | 4964 | crypted[1].bin.exe
-
Reads Torch user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Torch\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Orbitum user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Orbitum\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Sputnik user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Sputnik\Sputnik\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Superbird user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Superbird\User Data\ | 4964 | crypted[1].bin.exe
-
Runs ping.exe (process: PING.EXE)
Reported IOCs (pid | process):
3972 | PING.EXE
-
Windows security modification (process: svchost.exe)
Reported IOCs (description | ioc | pid | process):
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" | 4336 | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" | 4336 | svchost.exe
-
Checks system information in the registry (likely anti-VM) (process: svchost.exe)
Reported IOCs (description | ioc | pid | process):
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | 4056 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | 4056 | svchost.exe
-
crypted[1].bin.exe
Reported IOCs (ioc, with pid | process where reported):
drive.google.com
File opened for modification C:\Users\Admin\AppData\Local\Temp\machineinfo.txt | 4964 | crypted[1].bin.exe
HTTP URL http://34.76.145.229/gate/log.php
HTTP URL http://34.76.145.229/file_handler/file.php?hash=b0813e2ec23140aca46c76857579fd82f11ff08c&js=edeed05e16b0151de24438557e57c3516e522684&callback=http://34.76.145.229/gate
-
Loads dropped DLL (process: crypted[1].bin.exe)
Reported IOCs (pid | process):
4964 | crypted[1].bin.exe
-
Reads Amigo user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Amigo\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Vivaldi user data, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Local\Vivaldi\User Data\ | 4964 | crypted[1].bin.exe
-
Reads Pale Moon browser user profile, possible credential harvesting (process: crypted[1].bin.exe)
Reported IOCs (ioc | pid | process):
C:\Users\Admin\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\ | 4964 | crypted[1].bin.exe
Processes 10
-
Path: C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
Signatures:
  Accesses Bither wallet, possible credential harvesting
  Checks for installed software on the system
  Loads dropped DLL
  Reads 7star user data, possible credential harvesting
  Reads Amigo user data, possible credential harvesting
  Reads Bromium user data, possible credential harvesting
  Reads Centbrowser user data, possible credential harvesting
  Reads Chedot user data, possible credential harvesting
  Reads Chrome SxS user data, possible credential harvesting
  Reads Chrome user data, possible credential harvesting
  Reads Chromium user data, possible credential harvesting
  Reads Dragon user data, possible credential harvesting
  Reads Elements browser user data, possible credential harvesting
  Reads Epic privacy browser user data, possible credential harvesting
  Reads Firefox user profile, possible credential harvesting
  Reads Go! user data, possible credential harvesting
  Reads Kometa user data, possible credential harvesting
  Reads Mustang user data, possible credential harvesting
  Reads Nichrome user data, possible credential harvesting
  Reads Orbitum user data, possible credential harvesting
  Reads Pale Moon browser user profile, possible credential harvesting
  Reads Qip surf user data, possible credential harvesting
  Reads Rockmelt user data, possible credential harvesting
  Reads Secure browser user data, possible credential harvesting
  Reads Sputnik user data, possible credential harvesting
  Reads Suhba user data, possible credential harvesting
  Reads Superbird user data, possible credential harvesting
  Reads Tor Browser user profile, possible credential harvesting
  Reads Torch user data, possible credential harvesting
  Reads Uran user data, possible credential harvesting
  Reads Vivaldi user data, possible credential harvesting
  Reads Waterfox user profile, possible credential harvesting
  Reads user profile for Thunderbird email client, possible credential harvesting
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
-
Path: C:\Windows\system32\SppExtComObj.exe
Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
Signatures: Suspicious use of WriteProcessMemory
-
Path: C:\Windows\System32\SLUI.exe
Command line: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
-
Path: C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
Signatures: Suspicious use of WriteProcessMemory
-
Path: C:\Windows\SysWOW64\PING.EXE
Command line: ping 1.1.1.1 -n 1 -w 3000
Signatures: Runs ping.exe
-
Path: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k netsvcs -s BITS
Signatures: Drops file in system dir
-
Path: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
-
Path: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
Signatures: Checks system information in the registry (likely anti-VM)
-
Path: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
Signatures: Windows security modification
-
Path: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup
Network
MITRE ATT&CK Matrix