Analysis Overview
SHA256
a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3
Threat Level: Known bad
The file a5c463db805e356cb6e73e5676b397eab265e061c6797.exe was found to be: Known bad.
Malicious Activity Summary
CryptBot
CryptBot Payload
Executes dropped EXE
Downloads MZ/PE file
Drops startup file
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Checks processor information in registry
Delays execution with timeout.exe
Suspicious use of FindShellTrayWindow
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-11 16:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-11 16:02
Reported
2021-05-11 16:04
Platform
win7v20210410
Max time kernel
5s
Max time network
13s
Command Line
Signatures
CryptBot
CryptBot Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe
"C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe"
Network
Files
memory/308-60-0x0000000075A31000-0x0000000075A33000-memory.dmp
memory/308-61-0x00000000004F0000-0x00000000005D1000-memory.dmp
memory/308-62-0x0000000000400000-0x00000000004E5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-11 16:02
Reported
2021-05-11 16:04
Platform
win10v20210408
Max time kernel
120s
Max time network
123s
Command Line
Signatures
CryptBot
CryptBot Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XsFuvN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | C:\Users\Admin\AppData\Local\Temp\XsFuvN.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe
"C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\XsFuvN.exe"
C:\Users\Admin\AppData\Local\Temp\XsFuvN.exe
"C:\Users\Admin\AppData\Local\Temp\XsFuvN.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\PTabHtqkBXmsC & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a5c463db805e356cb6e73e5676b397eab265e061c6797.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | remdvz22.top | udp |
| N/A | 34.86.24.123:80 | remdvz22.top | tcp |
| N/A | 8.8.8.8:53 | morjgs02.top | udp |
| N/A | 35.233.146.63:80 | morjgs02.top | tcp |
| N/A | 8.8.8.8:53 | sulsxq03.top | udp |
| N/A | 35.245.17.142:80 | sulsxq03.top | tcp |
| N/A | 35.245.17.142:80 | sulsxq03.top | tcp |
Files
memory/800-114-0x0000000002370000-0x0000000002451000-memory.dmp
memory/800-115-0x0000000000400000-0x00000000004E5000-memory.dmp
memory/3852-116-0x0000000000000000-mapping.dmp
memory/1352-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\XsFuvN.exe
| MD5 | 2d87ccdf423785e376f9245eef125adc |
| SHA1 | 322a8f02c4619760004cdf26fefb4ad4ba0ec23b |
| SHA256 | ae92d8df47eb0ae69bf9643f4a7057dc41a1f2593d26e4edc4cf91c2fd464579 |
| SHA512 | 9222f207565a7744f1aed0a5b07dd97ace8ee9db92e3736ebd0aa8330a44afd373924b17c3cb0e168dd1144ae764cf15c30d6eaa94fa58a7ad15123ce73c49b5 |
memory/2104-120-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\PTabHtqkBXmsC\BQCNYR~1.ZIP
| MD5 | b1fad4ac80a03bc3904ef3850e837922 |
| SHA1 | 69d29ae2c15f28b5d29feffefc255acb2fce42eb |
| SHA256 | e4fb968c71aecb381168e1dd278c33abf9bacfe931dc69ff743f26aa062998ae |
| SHA512 | 2ecf244760f5235093a9d61d0087db917c571efb13faead27df63c8db9531feb544d87a664e638720b66a0390725ac1df3bbad3f640fba45a89c7b86fba03b45 |
C:\Users\Admin\AppData\Local\Temp\PTabHtqkBXmsC\files_\SYSTEM~1.TXT
| MD5 | 25cc80a9de89811cd4862587c885e8a6 |
| SHA1 | d39e7d5b25b70410d09ccaa8d4d47d33af29ab2b |
| SHA256 | bdfefa9700a708865464b4d9deb7ec40393ce22a51be207d2dd8b2c6fb5e76de |
| SHA512 | 0545995bc01ef303ea9d9fa040f31386d9343125d504b9a66111244dbbdf5746feca21b7bd5022b8f219c8fab01dda67e529bdbb5422aa591a5a945cda63c7f3 |
C:\Users\Admin\AppData\Local\Temp\PTabHtqkBXmsC\files_\SCREEN~1.JPG
| MD5 | 4f3ca61efa9018c52fac864a0e0fbb6a |
| SHA1 | ffa0ddd1757a613141a56a67425f336d8ce07f0c |
| SHA256 | 0240617843cb958b8efec7e7144258b474106951b4f7cfabc6bd6cab8344264f |
| SHA512 | e8d3659d791501c44be1aaac4425a7795ae9cabdd6143650ba84c315c0f46b418d206d5d95469face45b28f79e9c2676f2fd4aed80cb6b2319459bb68bcfc3bb |
C:\Users\Admin\AppData\Local\Temp\PTabHtqkBXmsC\cDamPLNm.zip
| MD5 | 7b251e85eac31ad60316f5ab8d2e4a56 |
| SHA1 | 6378008383c0f6b03051665eb98a0b46f5ec9b96 |
| SHA256 | aa8db87a356e0e8bc753199c1930bb7555c070834d23adf373d5f2e170a6b8b5 |
| SHA512 | 523f7e68ee2dc35fbac753fa7cfd78b4647513bfd4866226ecc78b0355fb0a9b399b0bd093e795c44e6feaf1043a2992873ce000a465c47e313b88d8f1878812 |
C:\Users\Admin\AppData\Local\Temp\PTabHtqkBXmsC\_Files\_SCREE~1.JPE
| MD5 | 4f3ca61efa9018c52fac864a0e0fbb6a |
| SHA1 | ffa0ddd1757a613141a56a67425f336d8ce07f0c |
| SHA256 | 0240617843cb958b8efec7e7144258b474106951b4f7cfabc6bd6cab8344264f |
| SHA512 | e8d3659d791501c44be1aaac4425a7795ae9cabdd6143650ba84c315c0f46b418d206d5d95469face45b28f79e9c2676f2fd4aed80cb6b2319459bb68bcfc3bb |
C:\Users\Admin\AppData\Local\Temp\PTabHtqkBXmsC\_Files\_INFOR~1.TXT
| MD5 | 7fba04fa4f54150a98f09168a82d208b |
| SHA1 | 48704599a112c7c9432fb73ff6ed9c4ada56f51e |
| SHA256 | 9d411087615dd6df6be56b25aea9648e14e021096bdcd3f7ad4ba18adbe4895e |
| SHA512 | 2e1a4f870eec1d78c807095404dd033e181a2d9ea49ef287ea2330d9b1adf1615760506d43ad175233329bcbeb05ed673ac83f5d9371691ab5f076e83f2a8449 |
memory/908-127-0x0000000000000000-mapping.dmp
memory/1352-128-0x0000000001F60000-0x0000000001F86000-memory.dmp
memory/1352-129-0x0000000000400000-0x000000000046E000-memory.dmp
memory/4088-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
| MD5 | 2d87ccdf423785e376f9245eef125adc |
| SHA1 | 322a8f02c4619760004cdf26fefb4ad4ba0ec23b |
| SHA256 | ae92d8df47eb0ae69bf9643f4a7057dc41a1f2593d26e4edc4cf91c2fd464579 |
| SHA512 | 9222f207565a7744f1aed0a5b07dd97ace8ee9db92e3736ebd0aa8330a44afd373924b17c3cb0e168dd1144ae764cf15c30d6eaa94fa58a7ad15123ce73c49b5 |
memory/4088-134-0x0000000000400000-0x000000000046E000-memory.dmp