Analysis Overview
SHA256
a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3
Threat Level: Known bad
The file a5c463db805e356cb6e73e5676b397eab265e061c6797.exe was found to be: Known bad.
Malicious Activity Summary
CryptBot Payload
CryptBot
Downloads MZ/PE file
Executes dropped EXE
Drops startup file
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-11 15:16
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-11 15:16
Reported
2021-05-11 15:18
Platform
win7v20210408
Max time kernel
5s
Max time network
12s
Command Line
Signatures
CryptBot
CryptBot Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe
"C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe"
Network
Files
memory/1828-60-0x0000000075FF1000-0x0000000075FF3000-memory.dmp
memory/1828-61-0x0000000001D50000-0x0000000001E31000-memory.dmp
memory/1828-62-0x0000000000400000-0x00000000004E5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-11 15:16
Reported
2021-05-11 15:18
Platform
win10v20210410
Max time kernel
138s
Max time network
143s
Command Line
Signatures
CryptBot
CryptBot Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XXHRNrl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | C:\Users\Admin\AppData\Local\Temp\XXHRNrl.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe
"C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\XXHRNrl.exe"
C:\Users\Admin\AppData\Local\Temp\XXHRNrl.exe
"C:\Users\Admin\AppData\Local\Temp\XXHRNrl.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\nwHaAkJsKo & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | remdvz22.top | udp |
| N/A | 34.86.24.123:80 | remdvz22.top | tcp |
| N/A | 8.8.8.8:53 | morjgs02.top | udp |
| N/A | 35.233.146.63:80 | morjgs02.top | tcp |
| N/A | 8.8.8.8:53 | sulsxq03.top | udp |
| N/A | 35.245.17.142:80 | sulsxq03.top | tcp |
| N/A | 35.245.17.142:80 | sulsxq03.top | tcp |
| N/A | 23.194.19.179:443 | N/A | tcp |
Files
memory/1892-114-0x00000000021D0000-0x00000000022B1000-memory.dmp
memory/1892-115-0x0000000000400000-0x00000000004E5000-memory.dmp
memory/4080-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\XXHRNrl.exe
| MD5 | 2d87ccdf423785e376f9245eef125adc |
| SHA1 | 322a8f02c4619760004cdf26fefb4ad4ba0ec23b |
| SHA256 | ae92d8df47eb0ae69bf9643f4a7057dc41a1f2593d26e4edc4cf91c2fd464579 |
| SHA512 | 9222f207565a7744f1aed0a5b07dd97ace8ee9db92e3736ebd0aa8330a44afd373924b17c3cb0e168dd1144ae764cf15c30d6eaa94fa58a7ad15123ce73c49b5 |
memory/780-117-0x0000000000000000-mapping.dmp
memory/3928-120-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\nwHaAkJsKo\_Files\_SCREE~1.JPE
| MD5 | 5b1332919b3513bc965b56fc5bc5bc68 |
| SHA1 | 7f6f85de1eab9f16900e03b1064c160df3c7c459 |
| SHA256 | ffd8670128cf5740678596cb00fd4ef1faff3f40ccafa2e6fde84daedeba42f2 |
| SHA512 | 1743679e359d8961f4639141f3851788d9678af338e927d81efb6cc03601acb309c2d50982a6e4347b637059b4392f54d4e97e75276636a77a34fd6f3f6aba07 |
C:\Users\Admin\AppData\Local\Temp\nwHaAkJsKo\_Files\_INFOR~1.TXT
| MD5 | 60114294d0f5b6749b99bcfcfafd6825 |
| SHA1 | 01c39e4cfe727413c26667fbf7f6fe460088bbca |
| SHA256 | af263635692125ede35f3924b26028f1cd22ab163d01fcb9effb3394fd54ebea |
| SHA512 | 19476baaa64525fcbf31b03374b12e69645d53f0b0cc8a77224b5f149d6828507fd0f7994e1cc5d40d30f3a6fedb619edf18576106f079b7384519b181416d4f |
memory/64-129-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\nwHaAkJsKo\files_\files\GRANTS~1.TXT
| MD5 | f0c9e4bf6410178da7e5256f34c5d5c2 |
| SHA1 | c783a23ece6351b20832613f60374fa30720280a |
| SHA256 | f96cf3618024b1eefe7a59ff33cd9a505258edf2ecd62106750f99287ef360e1 |
| SHA512 | 9895e176d5034203a1f8442769fd79e4784061a7420bd5e2c73ac71ef64a66656ce872609a3c6e48871e31499d8c576671f189985d735120d61d200281c95f1d |
C:\Users\Admin\AppData\Local\Temp\nwHaAkJsKo\_Files\_Files\GRANTS~1.TXT
| MD5 | f0c9e4bf6410178da7e5256f34c5d5c2 |
| SHA1 | c783a23ece6351b20832613f60374fa30720280a |
| SHA256 | f96cf3618024b1eefe7a59ff33cd9a505258edf2ecd62106750f99287ef360e1 |
| SHA512 | 9895e176d5034203a1f8442769fd79e4784061a7420bd5e2c73ac71ef64a66656ce872609a3c6e48871e31499d8c576671f189985d735120d61d200281c95f1d |
C:\Users\Admin\AppData\Local\Temp\nwHaAkJsKo\PTQBUG~1.ZIP
| MD5 | 0da8983dc8cb171d59e627e1723a5109 |
| SHA1 | 07017effb1b8f738d29112872da759b1bd71955b |
| SHA256 | 1bec34dc9d96210ceb08fbbacd55115e15bf373285640c3b06f7fec0c59f994e |
| SHA512 | e0211ee4cf5b1a90a78a1dc47b35ee7d69e33402a36dfe5583211bbeef7526e9c9de37d3d968bf8e86b54192cc462c00af9359c0f1a4674ab48de4e4340c1b6a |
C:\Users\Admin\AppData\Local\Temp\nwHaAkJsKo\FNHLBU~1.ZIP
| MD5 | 7db476f64854d34812a009dbcfbcb1a6 |
| SHA1 | 4b4e59bd31799f9ca02f4d9cdabfa6388e9d01f3 |
| SHA256 | e9553129b0616569ba1300082aee5bb6880fcb224f02e5959c6f247990cd33b2 |
| SHA512 | b1e24efc5929ae4ba39e146e26754b82dd5ddfbed9345b095b9220e89a855a531165e02992ebe8187be3e6752ece37473b3c4896b8b0d9777199b5ae3e3a0484 |
C:\Users\Admin\AppData\Local\Temp\nwHaAkJsKo\files_\SYSTEM~1.TXT
| MD5 | 4605f57d1247ebfc4a939f57670cb416 |
| SHA1 | 673c5bfc1535cc06de15f377811f7502528258fb |
| SHA256 | 7cf4a059d2fc538c143b7692a719ef41e19eec732fd0b165f9feb590f62119c9 |
| SHA512 | 740dadc69fe771fa17e19dcd2d17abed1d923ad6d69d8b1c851182d8c7a528fdaf75260fdea1e40cd99be54e195dd4026674f67a57f0a6520fcc7e785a216220 |
C:\Users\Admin\AppData\Local\Temp\nwHaAkJsKo\files_\SCREEN~1.JPG
| MD5 | 5b1332919b3513bc965b56fc5bc5bc68 |
| SHA1 | 7f6f85de1eab9f16900e03b1064c160df3c7c459 |
| SHA256 | ffd8670128cf5740678596cb00fd4ef1faff3f40ccafa2e6fde84daedeba42f2 |
| SHA512 | 1743679e359d8961f4639141f3851788d9678af338e927d81efb6cc03601acb309c2d50982a6e4347b637059b4392f54d4e97e75276636a77a34fd6f3f6aba07 |
memory/780-130-0x0000000000470000-0x00000000005BA000-memory.dmp
memory/780-131-0x0000000000400000-0x000000000046E000-memory.dmp
memory/1532-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
| MD5 | 2d87ccdf423785e376f9245eef125adc |
| SHA1 | 322a8f02c4619760004cdf26fefb4ad4ba0ec23b |
| SHA256 | ae92d8df47eb0ae69bf9643f4a7057dc41a1f2593d26e4edc4cf91c2fd464579 |
| SHA512 | 9222f207565a7744f1aed0a5b07dd97ace8ee9db92e3736ebd0aa8330a44afd373924b17c3cb0e168dd1144ae764cf15c30d6eaa94fa58a7ad15123ce73c49b5 |
memory/1532-135-0x0000000000470000-0x000000000051E000-memory.dmp
memory/1532-136-0x0000000000400000-0x000000000046E000-memory.dmp