Analysis
max time kernel: 147s
max time network: 147s
platform: windows10_x64
resource: win10v20201028
submitted: 22-01-2021 11:35
Static task: static1
Behavioral task: behavioral1
Sample: 0x0003000000013132-6.dat.exe
Resource: win7v20201028
General
Target: 0x0003000000013132-6.dat.exe
Size: 2.8MB
MD5: 3667e43d85130fb90d07e4a725fe7b4a
SHA1: 711dd470697df3e34ebcbf481ccc9852ac659bbe
SHA256: 0beaf24e3a5b13f73b8ef67db0a52815b4948cbceea9a0e5159cfedd7ebb7462
SHA512: 2ac9bed721e20b8a352ad41766b1b0eb79413b91d555bf942aaa6b66b47ef04f08a6594bbce649af95c09d7e1352a73db5120b8509a553b006544cdd7fb683db
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  6 | ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 0x0003000000013132-6.dat.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 0x0003000000013132-6.dat.exe
- Delays execution with timeout.exe (1 IoC)
  Processes:
  pid | process
  388 | timeout.exe
- Modifies system certificate store
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | 0x0003000000013132-6.dat.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob contents not reproduced on this page) | 0x0003000000013132-6.dat.exe
  Note: AuthRoot\Certificates is the store in which CryptoAPI caches root certificates fetched through Windows automatic root update, so a single Blob write keyed by a certificate thumbprint during network activity is not by itself evidence that the sample installed a root of its own. Extract the certificate from the blob and compare it with the Microsoft trusted root list before treating this key as an indicator.
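The Blob value written under AuthRoot\Certificates is a CryptoAPI serialized certificate: a sequence of records, each a little-endian property id, a reserved DWORD (normally 1), a length and that many data bytes, with property 32 (CERT_CERT_PROP_ID) carrying the DER certificate and property 3 (CERT_SHA1_HASH_PROP_ID) the cached thumbprint. Whether such a write is benign can be judged by parsing the blob and checking that the key name equals the SHA-1 of the embedded certificate. The Python below is an added example, not code from the sandbox report or the tooling behind it; because the page does not reproduce the blob, FAKE_DER is a constructed placeholder for the DER bytes and the blob is assembled from it with build_cert_blob, which is also an assumption-free re-creation of the record format rather than a Windows API.

```python
"""Parse a CryptoAPI certificate registry Blob and verify that the
thumbprint in the key name matches the certificate it contains.
Added example; not part of the sandbox report."""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3   # cached SHA-1 thumbprint of the certificate
CERT_CERT_PROP_ID = 32       # the DER-encoded certificate itself


def parse_cert_blob(blob: bytes) -> dict:
    """Split a Blob value into {property_id: data}.

    Each record is: DWORD propid, DWORD reserved (normally 1),
    DWORD length, then `length` bytes of data. Raises ValueError on
    a truncated blob so a tampered or partial value is not silently
    accepted.
    """
    props = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated property header at offset %d" % off)
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError("property %d runs past end of blob" % prop_id)
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def thumbprint(der: bytes) -> str:
    """Certificate thumbprint as Windows shows it: upper-case SHA-1 hex."""
    return hashlib.sha1(der).hexdigest().upper()


def check_cert_blob(key_name: str, blob: bytes) -> dict:
    """Check a Certificates\\<key_name>\\Blob value for internal consistency.

    Flags a key name that does not equal the SHA-1 of the embedded
    certificate, and a cached SHA-1 property that disagrees with it.
    """
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        return {"ok": False, "thumbprint": None,
                "findings": ["no certificate (property 32) in blob"]}
    tp = thumbprint(der)
    findings = []
    if tp != key_name.upper():
        findings.append("key name %s does not match certificate thumbprint %s"
                        % (key_name, tp))
    cached = props.get(CERT_SHA1_HASH_PROP_ID)
    if cached is not None and cached.hex().upper() != tp:
        findings.append("cached SHA-1 property disagrees with certificate")
    return {"ok": not findings, "thumbprint": tp, "findings": findings}


def build_cert_blob(der: bytes, include_hash: bool = True) -> bytes:
    """Assemble a blob in the same record layout, to produce test input.

    This mirrors the on-disk format; it is not a Windows API call.
    """
    out = b""
    if include_hash:
        digest = hashlib.sha1(der).digest()
        out += struct.pack("<III", CERT_SHA1_HASH_PROP_ID, 1, len(digest)) + digest
    out += struct.pack("<III", CERT_CERT_PROP_ID, 1, len(der)) + der
    return out


# Constructed stand-in for DER certificate bytes (the report does not
# reproduce the real blob). A real blob carries an actual X.509 DER.
FAKE_DER = b"\x30\x82\x01\x00" + b"\xAA" * 256
GOOD_KEY = thumbprint(FAKE_DER)

if __name__ == "__main__":
    blob = build_cert_blob(FAKE_DER)
    print(check_cert_blob(GOOD_KEY, blob))
    # The key name from the report against our placeholder blob: mismatch.
    print(check_cert_blob("D1EB23A46D17D68FD92564C2F1F1601764D8E349", blob))
```

On a live system the Blob bytes come from the registry value itself (for example via reg.exe export or a forensic registry parser); once the DER is extracted, its thumbprint and issuer can be compared against the trusted root list to separate an automatic root update from a planted root.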
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  1180 | 0x0003000000013132-6.dat.exe
  1180 | 0x0003000000013132-6.dat.exe
- Suspicious use of FindShellTrayWindow (10 IoCs)
  Processes:
  pid | process
  1180 | 0x0003000000013132-6.dat.exe (10 identical entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 1180 wrote to memory of 684 | 1180 | 0x0003000000013132-6.dat.exe | cmd.exe
  PID 1180 wrote to memory of 684 | 1180 | 0x0003000000013132-6.dat.exe | cmd.exe
  PID 1180 wrote to memory of 2144 | 1180 | 0x0003000000013132-6.dat.exe | cmd.exe
  PID 1180 wrote to memory of 2144 | 1180 | 0x0003000000013132-6.dat.exe | cmd.exe
  PID 684 wrote to memory of 3940 | 684 | cmd.exe | reg.exe
  PID 684 wrote to memory of 3940 | 684 | cmd.exe | reg.exe
  PID 2144 wrote to memory of 388 | 2144 | cmd.exe | timeout.exe
  PID 2144 wrote to memory of 388 | 2144 | cmd.exe | timeout.exe
  Note: every write here goes from a parent to a child it has just created (the same pairs as the process tree), which is consistent with ordinary child-process setup rather than injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\0x0003000000013132-6.dat.exe (PID 1180)
  command line: "C:\Users\Admin\AppData\Local\Temp\0x0003000000013132-6.dat.exe"
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (PID 684)
    command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Cryptbot Software\Cryptbot" /v margin /d C:\ProgramData\Cryptbot\margin.exe /F
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 3940)
      command line: reg add "HKCU\Software\Cryptbot Software\Cryptbot" /v margin /d C:\ProgramData\Cryptbot\margin.exe /F
  C:\Windows\system32\cmd.exe (PID 2144)
    command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\uzcpCdRzJpYe & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\0x0003000000013132-6.dat.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe (PID 388)
      command line: timeout 2
      - Delays execution with timeout.exe
PIDs are taken from the WriteProcessMemory entries above. The first cmd.exe records a value under HKCU\Software\Cryptbot Software\Cryptbot that points at C:\ProgramData\Cryptbot\margin.exe; the second removes the C:\ProgramData\uzcpCdRzJpYe staging directory, waits two seconds and deletes the sample's own executable from Temp.
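The process tree shows two patterns worth alerting on from process-creation telemetry alone: a registry value pointing at an executable under ProgramData, written through reg.exe from a cmd.exe that a Temp-resident binary spawned, and a cmd.exe chain that removes a ProgramData directory, waits with timeout and then deletes its own parent. The Python below is an added example, not code from the sandbox report or the tooling that produced it. The EVENTS list is constructed from the command lines and PIDs shown on this page (the sample's own parent PID is not in the report and is set to None), and the field names pid/ppid/image/cmd are assumptions about the log schema; the path heuristics are the author's and not the sandbox's signatures.

```python
"""Flag registry persistence and self-deletion chains in process events.
Added example; not part of the sandbox report."""
import re

# Constructed process-creation events built from the command lines and
# PIDs in the report. Field names are an assumed schema.
EVENTS = [
    {"pid": 1180, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\0x0003000000013132-6.dat.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\0x0003000000013132-6.dat.exe"'},
    {"pid": 684, "ppid": 1180, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'"C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Cryptbot Software\Cryptbot" /v margin /d C:\ProgramData\Cryptbot\margin.exe /F'},
    {"pid": 3940, "ppid": 684, "image": r"C:\Windows\system32\reg.exe",
     "cmd": r'reg add "HKCU\Software\Cryptbot Software\Cryptbot" /v margin /d C:\ProgramData\Cryptbot\margin.exe /F'},
    {"pid": 2144, "ppid": 1180, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\uzcpCdRzJpYe & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\0x0003000000013132-6.dat.exe"'},
    {"pid": 388, "ppid": 2144, "image": r"C:\Windows\system32\timeout.exe",
     "cmd": "timeout 2"},
]

# reg add <key> ... /d <data>: key and data may be quoted or bare.
REG_ADD = re.compile(
    r'reg(?:\.exe)?\s+add\s+(?:"(?P<qkey>[^"]+)"|(?P<bkey>\S+)).*?/d\s+'
    r'(?:"(?P<qdata>[^"]+)"|(?P<bdata>\S+))', re.I)
# timeout N & del [/f] [/q] <target>: the classic delayed self-delete.
SELF_DELETE = re.compile(
    r'timeout\s+\d+\s*&\s*del\s+(?:/[fq]\s+)*(?:"(?P<qt>[^"]+)"|(?P<bt>\S+))', re.I)
# rd /s /q <dir>: recursive, silent directory removal.
RMDIR = re.compile(r'\brd\s+/s\s+/q\s+(?:"(?P<qd>[^"]+)"|(?P<bd>[^\s&]+))', re.I)

# Heuristic: persistence targets in user-writable locations (assumption).
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")


def _pick(match, *names):
    """Return the first non-empty named group (quoted or bare form)."""
    for name in names:
        if match.group(name):
            return match.group(name)
    return None


def ancestors(by_pid, pid):
    """Walk ppid links upwards; stops at unknown PIDs and on cycles."""
    chain, seen = [], set()
    ev = by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        chain.append(ev)
    return chain


def analyze(events):
    """Return a list of findings over a set of process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        chain = ancestors(by_pid, e["pid"])
        temp_origin = any("\\appdata\\local\\temp\\" in a["image"].lower()
                          for a in chain)
        if image.endswith("\\reg.exe"):
            m = REG_ADD.search(e["cmd"])
            if m:
                data = _pick(m, "qdata", "bdata") or ""
                # reg.exe writing an .exe path from a Temp-born chain.
                if (data.lower().endswith(".exe")
                        and data.lower().startswith(USER_WRITABLE)
                        and temp_origin):
                    findings.append({"pid": e["pid"], "type": "registry_persistence",
                                     "key": _pick(m, "qkey", "bkey"), "target": data})
        if image.endswith("\\cmd.exe"):
            parent = by_pid.get(e["ppid"])
            m = SELF_DELETE.search(e["cmd"])
            if m and parent:
                target = _pick(m, "qt", "bt")
                # The deleted file is the parent's own image: self-deletion.
                if target.lower() == parent["image"].lower():
                    findings.append({"pid": e["pid"], "type": "self_delete",
                                     "target": target})
            m = RMDIR.search(e["cmd"])
            if m:
                directory = _pick(m, "qd", "bd")
                if directory.lower().startswith("c:\\programdata\\"):
                    findings.append({"pid": e["pid"], "type": "staging_cleanup",
                                     "target": directory})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

Run against the constructed events this yields three findings: the persistence value written by PID 3940, and the self-delete and staging cleanup from PID 2144. The Temp-origin condition keeps ordinary administrative reg.exe use out of the first rule; tune USER_WRITABLE and the path checks to the environment rather than treating them as fixed.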
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
All of the files below sit under C:\ProgramData\uzcpCdRzJpYe, the directory that the second cmd.exe in the process tree removes with rd /s /q before deleting the sample; they are what the sample wrote there (a ZIP, a screenshot, an info text file, copied desktop text files and a database file) before cleaning up.
- C:\ProgramData\uzcpCdRzJpYe\2AT3B7~1.ZIP
  MD5: 48f5696e4ae873fe9e5836c6d200d76b
  SHA1: 66ca544f6861569b004b042695916bb8cb451ae6
  SHA256: 5ee14a9e89609525c36f8f45aa78685dc2671dd8a6007461cd9fe6fccaeb6e1f
  SHA512: fa80536384b4bdb798be3210385ded7b706ec4c2662148e6c310f0ccf15b36d145ef45ea72293c204cae60f0ab788ed3e762833a0c53bb273231e52c9c11c2eb
- C:\ProgramData\uzcpCdRzJpYe\47283761.txt
  MD5: 6e7d7a4a79c6ff8b5057828c0bcb979e
  SHA1: 1e31de4af335770d8ddad2b3648f419585a19cb2
  SHA256: 25dff148fe12aeb60d643ad674c33e28dcdf1b50eb63d19eea9d448b2e937ea5
  SHA512: 7d5e47d8fb4761a3cbc9c6e6c44323611917502ce7de647d05e7854412e15ea90ecc54fd7f5075978af4ec14da36e644cb2a1a57464feabf3f904f27ed5690d0
- C:\ProgramData\uzcpCdRzJpYe\Files\Files\Desktop\CLOSES~1.TXT
  MD5: a584c6a96d60229ba4ebae426d9043d7
  SHA1: b7eefa862368945951ec32fe074f01b7627c8ab0
  SHA256: 6fb1e4944140a6a5eeaaf7ab64069d2be395ea8dfdbdf6d184315e8f59d180b3
  SHA512: a37a028c2e07f3a516b11620b5ac2a173bd673f1f134caae8a165bef8627a955ce923d9c798374d8936432f0e50d0f0a5739d22f8181a0ae43a8739b3bd6e73e
- C:\ProgramData\uzcpCdRzJpYe\Files\Files\Desktop\LIMITA~1.TXT
  MD5: 13a8839ca04576f0e7e7feba7adeaa42
  SHA1: c27f0256321ef2e0cdc16cfc1e40b8c44b5942d8
  SHA256: 9bd01670324896f7e7ac61b2e5671291b451b4ad04fa9eb5cf6cc8d551f4e2c7
  SHA512: 9dba6f2cce64c7a692146b2d77ca940f41c23e3afd86aa97034392ffce51485e77ce376381d0de7f258ebb0a655648a947f34e4a8434f9bd6c7d1d18d6d966b1
- C:\ProgramData\uzcpCdRzJpYe\Files\Files\Desktop\RENAME~1.TXT
  MD5: 8ad3e310eb49059e13598e2b8833adb5
  SHA1: f10bf8da21342383b443eb1133c36a4d6679f6d0
  SHA256: 1ca473b2ed75b143e181f526fe396d1c9569a1031c6556a97997f9d9ce5c484a
  SHA512: 423fedcb740019fb7bc2bdacb1ee51541d03da6166841f1d3d20ab4eae0d17260fa021d781a19b8ac4a5bec7a6a78168559921350d31173cc7c83f1aca7abce6
- C:\ProgramData\uzcpCdRzJpYe\Files\_Info.txt
  MD5: 6b80563ba60f2e480cfd7caef7f56d38
  SHA1: a490d22edee2985d538862f7af0dbe0afe143a3e
  SHA256: 64d6788faebd51199fa63fb1e9cfe02166d346723d2853eabd295f0c6f549a0a
  SHA512: abd5f2c97d80e21e20212e6f6dd2d0b345e5e1885582c0fbdfb5e56843a9619dd1c8265b926a889480f88c696ac5de08a4e42a0f7100e14581151a11100e9950
- C:\ProgramData\uzcpCdRzJpYe\Files\_Screen.jpg
  MD5: a2c6c706da14751c96614a717402c4fb
  SHA1: 1961f4b0c9a8cf1e8a8722490aef763b55e01955
  SHA256: e3e99553d9d17269e982d4b9179cea5345ede879aee597f48112717e85131994
  SHA512: 8763184b71a82266fd86a53240c0c691bee7ed91614fbef8f194e82461f96106c861a27b50bd712439029a9c64d7af565bc320e4bc527f0999a24adba17f28f2
- C:\ProgramData\uzcpCdRzJpYe\MOZ_CO~1.DB
  MD5: 89d4b62651fa5c864b12f3ea6b1521cb
  SHA1: 570d48367b6b66ade9900a9f22d67d67a8fb2081
  SHA256: 22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70
  SHA512: e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff
- memory/388-13-0x0000000000000000-mapping.dmp
- memory/684-2-0x0000000000000000-mapping.dmp
- memory/2144-3-0x0000000000000000-mapping.dmp
- memory/3940-7-0x0000000000000000-mapping.dmp