Overview

overview

10

Static

static

8

SecuriteIn...56.exe

windows7_x64

10

SecuriteIn...56.exe

windows10_x64

10

Analysis

  • max time kernel
    144s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    01-01-2021 19:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.ArtemisF23FB6308BD9.1056.exe

  • Size

    631KB

  • MD5

    f23fb6308bd9029af0abdc4c91833e77

  • SHA1

    33acae819415cf7bddaf885cea8a307dc2d016fa

  • SHA256

    9c8d27a664a59f47820584b9e49196cdbf34b285b567cb8b63ce0794f271e863

  • SHA512

    d78874d6ff6e5656f23a6d848291bdc231a5b9ee76eda000743ab57b832eec035e6a1a65b23179281f73a00524f7c439de3d892ddcd5075b2462e836db7f974d

Score
10/10
cryptbotdanabot3bankerdiscoveryevasionspywarestealertrojanupx

Malware Config

Extracted

Family

danabot

Version

1732

Botnet

3

C2

23.226.132.92:443

23.106.123.249:443

108.62.141.152:443

104.144.64.163:443
Attributes
  • embedded_hash

    49574F66CD0103BBD725C08A9805C2BE

rsa_pubkey.plain
rsa_pubkey.plain

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisF23FB6308BD9.1056.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisF23FB6308BD9.1056.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3992
    • C:\Users\Admin\AppData\Local\Temp\File332.exe
      "C:\Users\Admin\AppData\Local\Temp\File332.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
        "C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Drops startup file
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3828
        • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
          "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
          4⤵
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          PID:1864
      • C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
        "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:644
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\gxlgxhkgfr & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4168
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:4228
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\gxlgxhkgfr & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4248
          • C:\Windows\SysWOW64\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:4292
      • C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
        "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1324
        • C:\Users\Admin\AppData\Local\Temp\sllghwdaimcf.exe
          "C:\Users\Admin\AppData\Local\Temp\sllghwdaimcf.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2148
          • C:\Windows\SysWOW64\rundll32.exe
            C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SLLGHW~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\SLLGHW~1.EXE
            5⤵
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4312
            • C:\Windows\SysWOW64\RUNDLL32.EXE
              C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\SLLGHW~1.DLL,eBxcfI0=
              6⤵
              • Blocklisted process makes network request
              • Loads dropped DLL
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:4356
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp8C48.tmp.ps1"
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4636
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpA08D.tmp.ps1"
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4932
                • C:\Windows\SysWOW64\nslookup.exe
                  "C:\Windows\system32\nslookup.exe" -type=any localhost
                  8⤵
                    PID:5104
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
                  7⤵
                    PID:4152
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
                    7⤵
                      PID:4212
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\giyddnbgl.vbs"
                4⤵
                  PID:3856
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\juwilmf.vbs"
                  4⤵
                  • Blocklisted process makes network request
                  • Modifies system certificate store
                  PID:4524
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\0cGzxvVicuku & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisF23FB6308BD9.1056.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1096
              • C:\Windows\SysWOW64\timeout.exe
                timeout 2
                3⤵
                • Delays execution with timeout.exe
                PID:2064

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/644-24-0x0000000004770000-0x0000000004771000-memory.dmp

            Filesize

            4KB

            Download

          • memory/644-25-0x0000000004F70000-0x0000000004F71000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1324-29-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1324-28-0x00000000047A0000-0x00000000047A1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1864-34-0x0000000004D90000-0x0000000004D91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1864-33-0x0000000004590000-0x0000000004591000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2148-40-0x0000000006C40000-0x0000000006C41000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3828-27-0x0000000004E90000-0x0000000004E91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3828-26-0x0000000004690000-0x0000000004691000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3992-2-0x0000000004C90000-0x0000000004C91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4312-53-0x0000000004CF0000-0x000000000534F000-memory.dmp

            Filesize

            6.4MB

            Download

          • memory/4356-59-0x0000000004A10000-0x000000000506F000-memory.dmp

            Filesize

            6.4MB

            Download

          • memory/4636-67-0x00000000068D0000-0x00000000068D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4636-80-0x0000000006BC0000-0x0000000006BC1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4636-75-0x0000000008090000-0x0000000008091000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4636-68-0x0000000006F70000-0x0000000006F71000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4636-77-0x00000000081C0000-0x00000000081C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4636-78-0x0000000009830000-0x0000000009831000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4636-79-0x0000000008DC0000-0x0000000008DC1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4636-73-0x0000000007C50000-0x0000000007C51000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4636-69-0x00000000075F0000-0x00000000075F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4636-74-0x0000000007D70000-0x0000000007D71000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4636-66-0x0000000070E10000-0x00000000714FE000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/4636-70-0x0000000007870000-0x0000000007871000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4636-71-0x0000000007800000-0x0000000007801000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4636-72-0x00000000078E0000-0x00000000078E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4932-93-0x0000000007DD0000-0x0000000007DD1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4932-91-0x0000000007530000-0x0000000007531000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4932-84-0x00000000709B0000-0x000000007109E000-memory.dmp

            Filesize

            6.9MB

            Download