Overview

overview

10

Static

static

EbookReader2019.exe

windows7_x64

10

EbookReader2019.exe

windows10_x64

10

Resubmissions

17-01-2021 17:06

210117-b4j8cr5ts6 10

16-01-2021 19:25

210116-s6gykrtqre 10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    17-01-2021 17:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EbookReader2019.exe

  • Size

    6.3MB

  • MD5

    847c79e639fb34c2058728ca2fda7bd4

  • SHA1

    7f1612cae512f41aa91fec27fab0dac73f65e4da

  • SHA256

    8e866375a8d49db2282a0ef0d38667b38ee10bcb23fd63692c65749fb3217f2d

  • SHA512

    05c5f5943a432c7e5080e8403d6ca1fa31ea1f47fb4820fed1ad14cd972caa7bb8f620500fa72fd4f66bba63820f6d1d984b6e370524e2ea71a0bf32688875bc

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EbookReader2019.exe
    "C:\Users\Admin\AppData\Local\Temp\EbookReader2019.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:644
    • C:\Program Files (x86)\Margin\Marg\1.exe
      "C:\Program Files (x86)\Margin\Marg\1.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3144
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\jpUUn1lwv & timeout 2 & del /f /q "C:\Program Files (x86)\Margin\Marg\1.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3964
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:2012
    • C:\Program Files (x86)\Margin\Marg\2.exe
      "C:\Program Files (x86)\Margin\Marg\2.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1680

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Margin\Marg\1.exe
    MD5

    987a9a9e0d4bbad66a9b823b3f939bc1

    SHA1

    b1e733fcf656d37326d12650406676903f10090a

    SHA256

    15f2a0a15572b7e7d229f7c309f3f4599aa7404b18f020b1fdb8518e584a48fe

    SHA512

    791fff5b437ab8ac856cdb70b366897e90695235ca73c06320f638957bf8c007e6aa5eba6fd34a883abcd2f0748822490b7716b301b22a388828731b2bab486d

    Download Submit
  • C:\Program Files (x86)\Margin\Marg\1.exe
    MD5

    987a9a9e0d4bbad66a9b823b3f939bc1

    SHA1

    b1e733fcf656d37326d12650406676903f10090a

    SHA256

    15f2a0a15572b7e7d229f7c309f3f4599aa7404b18f020b1fdb8518e584a48fe

    SHA512

    791fff5b437ab8ac856cdb70b366897e90695235ca73c06320f638957bf8c007e6aa5eba6fd34a883abcd2f0748822490b7716b301b22a388828731b2bab486d

    Download Submit
  • C:\Program Files (x86)\Margin\Marg\2.exe
    MD5

    c9cd7540515bf1b247b61683e37c6137

    SHA1

    7ecdf3f713d77cda0ac4c2589f5bd1d96375999f

    SHA256

    292cd3448949482950fbfbe79117db0758d0d4b45f6dea494f63aecc7a99fedd

    SHA512

    333be7de8c9eab112c8463a8522df65ac02035620d4e3aa604db7323600233c7b6e084f80ebfc0f231662863a6de8efa2a8d22c9d583f54d20159ca16cab3bf6

    Download Submit
  • C:\ProgramData\jpUUn1lwv\47283761.txt
    MD5

    550cc6486c1ac1d65c8f1b14517a8294

    SHA1

    6f7b60b1f5b90ac815ab56c78cd7a5de05311fe1

    SHA256

    176bf49d4a7f854a30e1fb19acc33650ad5531a95bba23a9b7108b0129d15e9b

    SHA512

    eb29aefebe6d2ce5d06082c9ea8750de5cf5141e51ecc39457362bd4e8c1ec0313801f805b8b7ef6eaaf24d3e6b5d3ed2912216728ed5308165c00b17dc6f726

    Download Submit
  • C:\ProgramData\jpUUn1lwv\Files\_Info.txt
    MD5

    0ae4242c23dafa4ebf3bf432243ef321

    SHA1

    7dfc93a6a55041eda0ab0b5171762a7db67c27d1

    SHA256

    ed631e4aba5e6a974f12e21595541353e8084e1913f7e07031997ce0535bbf39

    SHA512

    25a0cf171fe4da56f07f23e2adb8d280413fd05b03240dc6c0c5cdd624c6e13955bafb724fef3aa17f2f1e1f38d53c7da784b37f7abbb847f252ff728f845c74

    Download Submit
  • C:\ProgramData\jpUUn1lwv\Files\_Screen.jpg
    MD5

    1fe57b3ddd609be2f18279235fc849a5

    SHA1

    9971609a141521c4da8809cc89a88e54890b995f

    SHA256

    730cb901aec059f8f8e098edd4922ae1e267ea13606140a1305ccf32e5e74427

    SHA512

    4d439eb0322a389af04431b53ac16d1d7e2276ad791c7046888b5784954ea18208eb64bd65684ad3e7072d5af522b0e7f33d5ad59142253338cbbf3c1f845e2b

    Download Submit
  • C:\ProgramData\jpUUn1lwv\JEHOPE~1.ZIP
    MD5

    586333896674aa7372dcbdb4dfbf3f80

    SHA1

    9dd916998e073f162c1f8a3fb38a0bb3ba92df07

    SHA256

    b5bfda54a0e9f67a0792a5927128b37494bdca0e6ca3f752078a0ad450aae61b

    SHA512

    d13fa4d527cf9450b193ea79bb47e83cf98e6bf6ce85ec4083e631d0032a73e67ca161e35885becdc32494aad835623f766716d51d1a33fc0cb7925476657a7c

    Download Submit
  • C:\ProgramData\jpUUn1lwv\MOZ_CO~1.DB
    MD5

    89d4b62651fa5c864b12f3ea6b1521cb

    SHA1

    570d48367b6b66ade9900a9f22d67d67a8fb2081

    SHA256

    22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70

    SHA512

    e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsv8738.tmp\UAC.dll
    MD5

    adb29e6b186daa765dc750128649b63d

    SHA1

    160cbdc4cb0ac2c142d361df138c537aa7e708c9

    SHA256

    2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

    SHA512

    b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

    Download Submit
  • memory/1680-42-0x0000000009D90000-0x0000000009D91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-43-0x0000000009F80000-0x0000000009F81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-55-0x0000000009FD0000-0x0000000009FD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-54-0x0000000009FF0000-0x0000000009FF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-53-0x000000000A0C0000-0x000000000A0C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-52-0x0000000009FC0000-0x0000000009FC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-51-0x000000000A010000-0x000000000A011000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-50-0x000000000A090000-0x000000000A091000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-49-0x000000000A0A0000-0x000000000A0A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-20-0x0000000000000000-mapping.dmp
    Download
  • memory/1680-47-0x0000000009F20000-0x0000000009F21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-48-0x0000000009F10000-0x0000000009F11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-46-0x0000000009EC0000-0x0000000009EC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-45-0x0000000009F30000-0x0000000009F31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-44-0x000000000A070000-0x000000000A071000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-40-0x0000000000401000-0x000000000045D000-memory.dmp
    Filesize

    368KB

    Download
  • memory/1680-41-0x0000000009E00000-0x0000000009E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-28-0x00000000098B0000-0x00000000098B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-29-0x000000000A0B0000-0x000000000A0B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-30-0x00000000098B0000-0x00000000098B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-32-0x0000000009DE0000-0x0000000009DE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-34-0x0000000009E10000-0x0000000009E11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-33-0x0000000009D80000-0x0000000009D81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-35-0x0000000009DC0000-0x0000000009DC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-37-0x0000000009DB0000-0x0000000009DB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-36-0x0000000009DF0000-0x0000000009DF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-39-0x0000000009F60000-0x0000000009F61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-38-0x0000000009DD0000-0x0000000009DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2012-27-0x0000000000000000-mapping.dmp
    Download
  • memory/3144-12-0x0000000004D90000-0x0000000004D91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3144-17-0x0000000004E00000-0x0000000004E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3144-11-0x0000000004DE0000-0x0000000004DE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3144-7-0x00000000053B0000-0x00000000053B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3144-8-0x0000000077DB4000-0x0000000077DB5000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3144-10-0x0000000004DB0000-0x0000000004DB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3144-3-0x0000000000000000-mapping.dmp
    Download
  • memory/3144-13-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3144-9-0x0000000004DC0000-0x0000000004DC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3144-18-0x0000000004E10000-0x0000000004E11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3144-6-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3144-16-0x0000000004E20000-0x0000000004E21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3144-15-0x0000000004E30000-0x0000000004E31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3144-14-0x0000000004DD0000-0x0000000004DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3964-19-0x0000000000000000-mapping.dmp
    Download