Analysis

  • max time kernel
    125s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    27-03-2021 19:32

General

  • Target

    SecuriteInfo.com.Trojan.PWS.Siggen2.63733.4520.11539.exe

  • Size

    644KB

  • MD5

    b68f0ee033a8cd19ce47f6ae4f0eaee4

  • SHA1

    129e9dd019f62810a669b29bf44e3eca485c9c5a

  • SHA256

    2ce81e2dd2330f10eb414e56222cd1ba4c26591381f07e199b08f623b8c4b8f9

  • SHA512

    bf152424f47b407ce990ade08d784d33bae18c0747622eb4df97455d901b54b7e5053cb0823e31f8b79905f2da86ac29440a035493299b19d54ed1b6de9e1fdb

Malware Config

Extracted

Family

cryptbot

C2

bafoe62.top

morurt06.top

Attributes
  • payload_url

    http://akpgi08.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ infostealer, widely distributed bundled with other software.

  • CryptBot Payload 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, session cookies and autofill data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; for an infostealer such as CryptBot it is more consistent with enumerating drives to locate files to collect.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.63733.4520.11539.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.63733.4520.11539.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\Lunyt.exe
      "C:\Users\Admin\AppData\Local\Temp\Lunyt.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3520
      • C:\Windows\SysWOW64\at.exe
        "C:\Windows\System32\at.exe"
        3⤵
          PID:4048
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe < Sia.mid
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3900
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2756
            • C:\Windows\SysWOW64\findstr.exe
              findstr /V /R "^sqZPiXvLzDYkNszeALrJmTZIWbPkHfMPSMhcBWstuiZlwoihFdkUquJbqdSKilttRpzqtYBExYCsTPHOfBGdrRPLrPx$" Mese.mid
              5⤵
                PID:2764
              • C:\Users\Admin\AppData\Roaming\DLRHDHLXFrBlrn\Sul.exe.com
                Sul.exe.com S
                5⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:3108
                • C:\Users\Admin\AppData\Roaming\DLRHDHLXFrBlrn\Sul.exe.com
                  C:\Users\Admin\AppData\Roaming\DLRHDHLXFrBlrn\Sul.exe.com S
                  6⤵
                  • Executes dropped EXE
                  • Checks processor information in registry
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:936
                  • C:\Users\Admin\AppData\Local\Temp\txactnwmqrq.exe
                    "C:\Users\Admin\AppData\Local\Temp\txactnwmqrq.exe"
                    7⤵
                    • Executes dropped EXE
                    PID:2232
                  • C:\Windows\SysWOW64\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\oqjwusjilv.vbs"
                    7⤵
                      PID:1880
                    • C:\Windows\SysWOW64\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efntreug.vbs"
                      7⤵
                      • Blocklisted process makes network request
                      • Modifies system certificate store
                      PID:416
                • C:\Windows\SysWOW64\PING.EXE
                  ping 127.0.0.1 -n 30
                  5⤵
                  • Runs ping.exe
                  PID:2180
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\jZbyEcYYc & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.63733.4520.11539.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1364
            • C:\Windows\SysWOW64\timeout.exe
              timeout 3
              3⤵
              • Delays execution with timeout.exe
              PID:2060
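The tree above is a living-off-the-land chain: a batch script fed to cmd.exe on stdin from a file with a non-script extension, findstr /V stripping a single random marker line to carve an executable out of a second file, that executable run as *.exe.com from AppData, .vbs scripts launched from Temp, ping 127.0.0.1 -n 30 used as a 30-second sleep, and a timeout-then-del chain that removes the original dropper. As an added example (not part of the sandbox report, and not tooling from the sandbox vendor), the Python below runs that set of heuristics over process-creation telemetry. The events are constructed from the PIDs, images and command lines shown in the tree; parent PIDs are inferred from the nesting, the two benign control events are invented, and the rule names and thresholds are my own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / EDR style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree above: PIDs, images and command lines are from the
# report, parent PIDs are inferred from the nesting (ppid 0 = parent not in telemetry).
# The last two events are invented benign controls.
EVENTS = [
    ProcEvent(1212, 0, r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.63733.4520.11539.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.63733.4520.11539.exe"'),
    ProcEvent(3520, 1212, r"C:\Users\Admin\AppData\Local\Temp\Lunyt.exe", r'"C:\Users\Admin\AppData\Local\Temp\Lunyt.exe"'),
    ProcEvent(3900, 3520, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe < Sia.mid'),
    ProcEvent(2756, 3900, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe"),
    ProcEvent(2764, 2756, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /V /R "^sqZPiXvLzDYkNszeALrJmTZIWbPkHfMPSMhcBWstuiZlwoihFdkUquJbqdSKilttRpzqtYBExYCsTPHOfBGdrRPLrPx$" Mese.mid'),
    ProcEvent(3108, 2756, r"C:\Users\Admin\AppData\Roaming\DLRHDHLXFrBlrn\Sul.exe.com", "Sul.exe.com S"),
    ProcEvent(936, 3108, r"C:\Users\Admin\AppData\Roaming\DLRHDHLXFrBlrn\Sul.exe.com",
              r"C:\Users\Admin\AppData\Roaming\DLRHDHLXFrBlrn\Sul.exe.com S"),
    ProcEvent(416, 936, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efntreug.vbs"'),
    ProcEvent(2180, 2756, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 30"),
    ProcEvent(1364, 3520, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\jZbyEcYYc & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PWS.Siggen2.63733.4520.11539.exe"'),
    ProcEvent(5000, 4000, r"C:\Windows\System32\PING.EXE", "ping 10.0.0.1 -n 4"),           # benign control
    ProcEvent(5001, 4000, r"C:\Windows\System32\findstr.exe", 'findstr /i "error" app.log'),  # benign control
]


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def findstr_marker_carve(ev: ProcEvent) -> bool:
    """findstr /V with a long anchored random marker: every line except one junk line
    is emitted, reconstructing a PE that was shipped with a bogus first line."""
    return (_base(ev.image) == "findstr.exe"
            and bool(re.search(r"(?:^|\s)/v\b", ev.cmdline, re.I))
            and bool(re.search(r'"\^[A-Za-z0-9]{20,}\$"', ev.cmdline)))


def localhost_ping_delay(ev: ProcEvent) -> bool:
    """ping 127.0.0.1 -n N sleeps roughly N seconds without any extra binary."""
    n = re.search(r"-n\s+(\d+)", ev.cmdline, re.I)
    return (_base(ev.image) == "ping.exe"
            and bool(re.search(r"\b(127\.0\.0\.1|localhost)\b", ev.cmdline, re.I))
            and n is not None and int(n.group(1)) >= 10)


def self_delete_chain(ev: ProcEvent) -> bool:
    """cmd /c ... & timeout N & del /f /q <exe>: the dropper deletes itself after a delay."""
    return (_base(ev.image) == "cmd.exe"
            and bool(re.search(r'\bdel\s+(?:/[fqa]\s+)*"?[^"&]*\.exe', ev.cmdline, re.I))
            and bool(re.search(r"\b(timeout|ping)\b", ev.cmdline, re.I)))


def cmd_stdin_script(ev: ProcEvent) -> bool:
    """cmd.exe < file: a batch script read from stdin out of a file with a non-script extension."""
    m = re.search(r'cmd\.exe"?\s*<\s*"?([^"\s]+)', ev.cmdline, re.I)
    return _base(ev.image) == "cmd.exe" and m is not None and not m.group(1).lower().endswith((".bat", ".cmd"))


def double_extension_exec(ev: ProcEvent) -> bool:
    """*.exe.com (or .dll/.scr.com) started from a user-writable directory."""
    img = ev.image.lower()
    return bool(re.search(r"\.(exe|dll|scr)\.com$", img)) and bool(re.search(r"\\(appdata|temp|downloads)\\", img))


def script_host_temp_vbs(ev: ProcEvent) -> bool:
    """wscript/cscript executing a .vbs that was dropped in the user's Temp folder."""
    return (_base(ev.image) in ("wscript.exe", "cscript.exe")
            and bool(re.search(r"\\appdata\\local\\temp\\[^\"]+\.vbs", ev.cmdline, re.I)))


RULES = {f.__name__: f for f in (findstr_marker_carve, localhost_ping_delay, self_delete_chain,
                                 cmd_stdin_script, double_extension_exec, script_host_temp_vbs)}


def scan(events):
    """Map each PID that triggers at least one rule to the list of rule names it hit."""
    hits = {}
    for ev in events:
        names = [name for name, rule in RULES.items() if rule(ev)]
        if names:
            hits[ev.pid] = names
    return hits


def root_of(events, pid):
    """Walk parent links to the top-most ancestor present in the telemetry."""
    parent = {ev.pid: ev.ppid for ev in events}
    while parent.get(pid) in parent:
        pid = parent[pid]
    return pid


if __name__ == "__main__":
    for pid, names in scan(EVENTS).items():
        print(f"pid {pid:>5} (root {root_of(EVENTS, pid)}): {', '.join(names)}")
```

Each rule fires on a different process in the chain, and every hit walks back to the same root PID 1212, so grouping alerts by process-tree root is what turns six medium-confidence heuristics into one high-confidence incident; the two control events fire nothing.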

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/936-30-0x0000000003120000-0x0000000003121000-memory.dmp (Filesize 4KB)
  • memory/1212-2-0x00000000027E0000-0x00000000027E1000-memory.dmp (Filesize 4KB)
  • memory/1212-3-0x00000000025F0000-0x00000000026CF000-memory.dmp (Filesize 892KB)
  • memory/1212-4-0x0000000000400000-0x00000000004E3000-memory.dmp (Filesize 908KB)
  • memory/2232-37-0x00000000032A0000-0x00000000032A1000-memory.dmp (Filesize 4KB)
  • memory/2232-38-0x00000000032A0000-0x0000000003997000-memory.dmp (Filesize 7.0MB)
  • memory/2232-39-0x0000000000400000-0x0000000000B02000-memory.dmp (Filesize 7.0MB)
  • memory/2232-40-0x0000000000F50000-0x0000000000F51000-memory.dmp (Filesize 4KB)
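The dump names encode the PID, a sequence number and the virtual address range of each region. As an added example (not from the report or the sandbox vendor), the Python below parses those names, recomputes each size and checks it against the reported label, and applies a simple triage: a 4KB region is a single page (usually a stub or hook), a region starting at 0x400000 is at the default image base for 32-bit PEs and is the first place to look for an unpacked image (the children here resolve System32 to SysWOW64, so the parents are 32-bit), and anything else is private heap/VirtualAlloc memory. The dump list is taken from the report; the labels and the "best candidate" rule are my own heuristics.

```python
import re

# Constructed from the "Downloads" list above: each region name as the sandbox presents
# it, paired with the size label the report shows beside it (used as a cross-check).
DUMPS = [
    ("memory/936-30-0x0000000003120000-0x0000000003121000-memory.dmp", "4KB"),
    ("memory/1212-2-0x00000000027E0000-0x00000000027E1000-memory.dmp", "4KB"),
    ("memory/1212-3-0x00000000025F0000-0x00000000026CF000-memory.dmp", "892KB"),
    ("memory/1212-4-0x0000000000400000-0x00000000004E3000-memory.dmp", "908KB"),
    ("memory/2232-37-0x00000000032A0000-0x00000000032A1000-memory.dmp", "4KB"),
    ("memory/2232-38-0x00000000032A0000-0x0000000003997000-memory.dmp", "7.0MB"),
    ("memory/2232-39-0x0000000000400000-0x0000000000B02000-memory.dmp", "7.0MB"),
    ("memory/2232-40-0x0000000000F50000-0x0000000000F51000-memory.dmp", "4KB"),
]

NAME_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
DEFAULT_IMAGE_BASE_32 = 0x400000  # linker default ImageBase for 32-bit PE executables
PAGE = 0x1000                     # x86/x64 page size


def parse_dump_name(name):
    """Split '<pid>-<seq>-<start>-<end>' into fields; size is end - start."""
    m = NAME_RE.search(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    pid, seq = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def human(n):
    """Reproduce the report's size labels: whole KB below 1 MiB, one-decimal MB above."""
    return f"{n // 1024}KB" if n < 1 << 20 else f"{n / (1 << 20):.1f}MB"


def check_sizes(dumps):
    """Names whose recomputed size disagrees with the label the report shows."""
    return [name for name, lbl in dumps if human(parse_dump_name(name)["size"]) != lbl]


def label(d):
    """Heuristic triage label for one region (my own rule of thumb, not the sandbox's)."""
    if d["size"] == PAGE:
        return "single-page"          # one page: typically a stub or hook, rarely a payload
    if d["start"] == DEFAULT_IMAGE_BASE_32:
        return "image-base-region"    # where an unpacked 32-bit PE image normally lives
    return "private-region"           # heap/VirtualAlloc memory: possible decrypted staging buffer


def triage(dumps):
    """Group regions by PID, in sequence order, with a label each."""
    out = {}
    for name, _ in dumps:
        d = parse_dump_name(name)
        out.setdefault(d["pid"], []).append((d["seq"], label(d)))
    for seqs in out.values():
        seqs.sort()
    return out


def best_unpacked_candidate(dumps, pid):
    """Sequence number of the largest image-base region for pid, or None if there is none."""
    best = None
    for name, _ in dumps:
        d = parse_dump_name(name)
        if d["pid"] == pid and label(d) == "image-base-region":
            if best is None or d["size"] > best["size"]:
                best = d
    return None if best is None else best["seq"]


if __name__ == "__main__":
    print("size mismatches:", check_sizes(DUMPS))
    for pid, regions in triage(DUMPS).items():
        print(pid, regions, "-> unpack candidate seq", best_unpacked_candidate(DUMPS, pid))
```

For PID 1212 the 908KB image-base region is larger than the 644KB file on disk, and the 892KB private region beside it is close to the same size, which is the pattern to expect when a packer decrypts the real image into a buffer before installing it; dump 1212-4 is the one to hand to a PE parser first, and 2232-39 plays the same role for the downloaded second stage.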