Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 22-01-2021 12:01
Static task: static1
Behavioral task: behavioral1
Sample: 5543.exe
Resource: win7v20201028
General
- Target: 5543.exe
- Size: 2.8MB
- MD5: 3667e43d85130fb90d07e4a725fe7b4a
- SHA1: 711dd470697df3e34ebcbf481ccc9852ac659bbe
- SHA256: 0beaf24e3a5b13f73b8ef67db0a52815b4948cbceea9a0e5159cfedd7ebb7462
- SHA512: 2ac9bed721e20b8a352ad41766b1b0eb79413b91d555bf942aaa6b66b47ef04f08a6594bbce649af95c09d7e1352a73db5120b8509a553b006544cdd7fb683db
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  6     ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                   process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      5543.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  5543.exe
-
Delays execution with timeout.exe 1 IoCs
Processes:
  pid   process
  3204  timeout.exe
-
Modifies system certificate store
Processes:
  description       ioc                                                                                                                     process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349         5543.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob data not present in this capture]  5543.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid  process
  616  5543.exe
  616  5543.exe
-
Suspicious use of FindShellTrayWindow 10 IoCs
Processes:
  pid  process
  616  5543.exe
  616  5543.exe
  616  5543.exe
  616  5543.exe
  616  5543.exe
  616  5543.exe
  616  5543.exe
  616  5543.exe
  616  5543.exe
  616  5543.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  description                       pid   process   target process
  PID 616 wrote to memory of 504    616   5543.exe  cmd.exe
  PID 616 wrote to memory of 504    616   5543.exe  cmd.exe
  PID 616 wrote to memory of 3488   616   5543.exe  cmd.exe
  PID 616 wrote to memory of 3488   616   5543.exe  cmd.exe
  PID 504 wrote to memory of 3956   504   cmd.exe   reg.exe
  PID 504 wrote to memory of 3956   504   cmd.exe   reg.exe
  PID 3488 wrote to memory of 3204  3488  cmd.exe   timeout.exe
  PID 3488 wrote to memory of 3204  3488  cmd.exe   timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5543.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5543.exe"
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Cryptbot Software\Cryptbot" /v margin /d C:\ProgramData\Cryptbot\margin.exe /F
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe (depth 3)
      Command line: reg add "HKCU\Software\Cryptbot Software\Cryptbot" /v margin /d C:\ProgramData\Cryptbot\margin.exe /F
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\b14Qmx0oQF & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5543.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (depth 3)
      Command line: timeout 2
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\b14Qmx0oQF\47283761.txt
  MD5: 1d33d504c150f0d87ac21ed56c00d22e
  SHA1: 5e2656d8ab56ca2c9b2bba8d3aaac0df89f0b7d5
  SHA256: 18e6873b0e044b2ca56a332fea56966197ef8c94ebc4d378b7a8668640dea048
  SHA512: cf0504c6c77aa3c7eda031c5ebd73e96787a5f8ce20657a3acd231c7898622388b426998a3ab87f4d681da7b9620e4c87d07130f536551b6f88711e1a6d72c1f
- C:\ProgramData\b14Qmx0oQF\ECFPVK~1.ZIP
  MD5: 8cbed5e588f5ab4834647c9b18f7099e
  SHA1: 95f87fbc18569ab3db624ae6bc89cb53f573c4bf
  SHA256: 6be18a9fc64e28d7be2a29138bce1d50b20f8637cf9281c9fcc2df19b380f736
  SHA512: af1be629ec5689a94bfd9a25a7b72e65549861134b9b63f7135a608eded3f180f4ca7ba8548a3b384844030a18bd6871876b5772bccde3986ff1696d064a2b5c
- C:\ProgramData\b14Qmx0oQF\Files\_Info.txt
  MD5: 4b82d397dcc57a177f76c95727e6e020
  SHA1: 6c1d9471895e3a793954d84250f56ca88cb3e0ee
  SHA256: f9f9d9bc2a7d7b4422b98c3177f1ecb6e65f293d1974b7b30727013b6f63b98e
  SHA512: 8e3a5dbf8dbd804981f6810a4fb11059fc9e25c173900403d96763bf28fbd2edea115295ef880f728613237587ad45b28d93e63ab8e46fec6cc2da6cf13c2d20
- C:\ProgramData\b14Qmx0oQF\Files\_Screen.jpg
  MD5: cc9ddf0ffd683f30d43cf13e3f09d21f
  SHA1: e600c561b84c92acdd29fb3cf45369d29bf3659e
  SHA256: 338dd0d4cd8934a58786e4076487228d388c90650048f08f69ffaf5e1f56a139
  SHA512: cb2beed4d0a923be755b32e82f533b06135a1e70b1cc57c65f8500164fa411c152f5a988fae52297ba3f8d7ff0ae7a72259eddc10f9b2c166a5f72143966ee54
- C:\ProgramData\b14Qmx0oQF\MOZ_CO~1.DB
  MD5: 89d4b62651fa5c864b12f3ea6b1521cb
  SHA1: 570d48367b6b66ade9900a9f22d67d67a8fb2081
  SHA256: 22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70
  SHA512: e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff
- memory/504-2-0x0000000000000000-mapping.dmp
- memory/3204-12-0x0000000000000000-mapping.dmp
- memory/3488-3-0x0000000000000000-mapping.dmp
- memory/3956-8-0x0000000000000000-mapping.dmp