Analysis
- max time kernel: 133s
- max time network: 150s
- resource: win10v191014
Task: task1 | Sample: crypted[1].bin.exe | Resource: win7v191014
General
- Target: crypted[1].bin
- Sample: 191129-bykghah8ge
- SHA256: 9a923eb389bf1c51d9a53cc52951dcbc2bd4f2ac2cb810295e201987031a6e57
Malware Config
Signatures
-
Checks for installed software on the system 1 TTPs 1 IoCs
Processes: crypted[1].bin.exe
description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName | pid: 4964 | process: crypted[1].bin.exe
-
Drops file in system dir 5 IoCs
Processes: svchost.exe
description: File opened for modification | ioc: C:\Windows\Debug\ESE.TXT | pid: 3700 | process: svchost.exe
description: File opened for modification | ioc: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | pid: 3700 | process: svchost.exe
description: File created | ioc: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | pid: 3700 | process: svchost.exe
description: File opened for modification | ioc: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp | pid: 3700 | process: svchost.exe
description: File created | ioc: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp | pid: 3700 | process: svchost.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes: SppExtComObj.exe, crypted[1].bin.exe, cmd.exe
description: PID 5036 wrote to memory of 5064 | pid: 5036 | process: SppExtComObj.exe | target process: SLUI.exe
description: PID 4964 wrote to memory of 3996 | pid: 4964 | process: crypted[1].bin.exe | target process: cmd.exe
description: PID 3996 wrote to memory of 3972 | pid: 3996 | process: cmd.exe | target process: PING.EXE
-
Reads Dragon user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Nichrome user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Nichrome\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Mustang user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Rafotech\Mustang\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Chedot user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Chedot\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: crypted[1].bin.exe
pid: 4964 | process: crypted[1].bin.exe
-
Reads Uran user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\uCozMedia\Uran\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Epic privacy browser user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Epic Privacy Browser\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Secure browser user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Safer Technologies\Secure Browser\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads user profile for Thunderbird email client, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Waterfox user profile, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Roaming\WaterFox\Profiles\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Centbrowser user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\CentBrowser\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Qip surf user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\QIP Surf\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads 7star user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\7Star\7Star\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Suhba user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Suhba\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Chrome user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Chrome SxS user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Chromium user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Chromium\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Bromium user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Bromium\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Go! user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Go!\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Firefox user profile, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ | pid: 4964 | process: crypted[1].bin.exe
-
Accesses Bither wallet, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
description: File opened (read-only) | ioc: C:\Users\Admin\AppData\Roaming\Bither\address.db | pid: 4964 | process: crypted[1].bin.exe
-
Reads Rockmelt user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\RockMelt\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Kometa user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Kometa\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Elements browser user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Elements Browser\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Tor Browser user profile, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\TorBro\Profile\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Torch user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Torch\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Orbitum user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Orbitum\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Sputnik user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Sputnik\Sputnik\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Superbird user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Superbird\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Windows security modification 2 IoCs
Processes: svchost.exe
description: Set value (int) | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" | pid: 4336 | process: svchost.exe
description: Set value (int) | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" | pid: 4336 | process: svchost.exe
-
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
Processes: svchost.exe
description: Key value queried | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | pid: 4056 | process: svchost.exe
description: Key value queried | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | pid: 4056 | process: svchost.exe
-
4 IoCs
Processes: crypted[1].bin.exe
ioc: drive.google.com
description: File opened for modification | ioc: C:\Users\Admin\AppData\Local\Temp\machineinfo.txt | pid: 4964 | process: crypted[1].bin.exe
description: HTTP URL | ioc: http://34.76.145.229/gate/log.php
description: HTTP URL | ioc: http://34.76.145.229/file_handler/file.php?hash=b0813e2ec23140aca46c76857579fd82f11ff08c&js=edeed05e16b0151de24438557e57c3516e522684&callback=http://34.76.145.229/gate
-
Loads dropped DLL 1 IoCs
Processes: crypted[1].bin.exe
pid: 4964 | process: crypted[1].bin.exe
-
Reads Amigo user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Amigo\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Vivaldi user data, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Local\Vivaldi\User Data\ | pid: 4964 | process: crypted[1].bin.exe
-
Reads Pale Moon browser user profile, possible credential harvesting 2 TTPs 1 IoCs
Processes: crypted[1].bin.exe
ioc: C:\Users\Admin\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\ | pid: 4964 | process: crypted[1].bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
Signatures: Checks for installed software on the system; Suspicious use of WriteProcessMemory; Reads Dragon user data, possible credential harvesting; Reads Nichrome user data, possible credential harvesting; Reads Mustang user data, possible credential harvesting; Reads Chedot user data, possible credential harvesting; Suspicious use of SetWindowsHookEx; Reads Uran user data, possible credential harvesting; Reads Epic privacy browser user data, possible credential harvesting; Reads Secure browser user data, possible credential harvesting; Reads user profile for Thunderbird email client, possible credential harvesting; Reads Waterfox user profile, possible credential harvesting; Reads Centbrowser user data, possible credential harvesting; Reads Qip surf user data, possible credential harvesting; Reads 7star user data, possible credential harvesting; Reads Suhba user data, possible credential harvesting; Reads Chrome user data, possible credential harvesting; Reads Chrome SxS user data, possible credential harvesting; Reads Chromium user data, possible credential harvesting; Reads Bromium user data, possible credential harvesting; Reads Go! user data, possible credential harvesting; Reads Firefox user profile, possible credential harvesting; Accesses Bither wallet, possible credential harvesting; Reads Rockmelt user data, possible credential harvesting; Reads Kometa user data, possible credential harvesting; Reads Elements browser user data, possible credential harvesting; Reads Tor Browser user profile, possible credential harvesting; Reads Torch user data, possible credential harvesting; Reads Orbitum user data, possible credential harvesting; Reads Sputnik user data, possible credential harvesting; Reads Superbird user data, possible credential harvesting; Loads dropped DLL; Reads Amigo user data, possible credential harvesting; Reads Vivaldi user data, possible credential harvesting; Reads Pale Moon browser user profile, possible credential harvesting
-
C:\Windows\system32\SppExtComObj.exe
Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
Signatures: Suspicious use of WriteProcessMemory
-
C:\Windows\System32\SLUI.exe
Command line: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
-
C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
Signatures: Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXE
Command line: ping 1.1.1.1 -n 1 -w 3000
Signatures: Runs ping.exe
-
\??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k netsvcs -s BITS
Signatures: Drops file in system dir
-
\??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
-
\??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
Signatures: Checks system information in the registry (likely anti-VM)
-
\??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
Signatures: Windows security modification
-
\??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup
Network
MITRE ATT&CK Matrix
Collection: Data from Local System (31)
Command and Control
Credential Access: Credentials in Files (31)
Discovery: Query Registry (2); Remote System Discovery (1); System Information Discovery (1)
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation