Analysis Overview
SHA256
a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c
Threat Level: Known bad
The file a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c was found to be: Known bad.
Malicious Activity Summary
CryptBot
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Reads user/profile data of web browsers
Deletes itself
Checks BIOS information in registry
Themida packer
Looks up external IP address via web service
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Checks processor information in registry
Delays execution with timeout.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-11 10:11
Signatures
Themida packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-11 10:11
Reported
2021-05-11 12:21
Platform
win7v20210410
Max time kernel
82s
Max time network
82s
Command Line
Signatures
CryptBot
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe
"C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\aRuqKYUHjcVND & timeout 1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | sdaurr02.top | udp |
| N/A | 58.64.137.69:80 | sdaurr02.top | tcp |
Files
memory/1052-59-0x0000000075721000-0x0000000075723000-memory.dmp
memory/1052-60-0x0000000000400000-0x0000000000AFE000-memory.dmp
memory/1052-61-0x0000000002D40000-0x000000000398A000-memory.dmp
memory/592-62-0x0000000000000000-mapping.dmp
C:\ProgramData\aRuqKYUHjcVND\172773~1.TXT
| MD5 | ae5044b0d999aebf4ebe23cf70e2b915 |
| SHA1 | 0e5246e7eafbb8011ba75c344a95204a72d505cb |
| SHA256 | 3dc9a0d906a8b59bb6cb2bc6caabb1a6fd61e96343a770aac9c97e0981fc140d |
| SHA512 | 53b390a2c03fe1d8a2c806035b34ab4efc9ae38790392e00a89c251abc8f56c8ca7f82f088ed8f5c09e8c0dd2df816a46e4ae5c8a09729a41c3c16c7755196d4 |
C:\ProgramData\aRuqKYUHjcVND\Files\Browsers\Cookies\MOZILL~1.TXT
| MD5 | ecaa88f7fa0bf610a5a26cf545dcd3aa |
| SHA1 | 57218c316b6921e2cd61027a2387edc31a2d9471 |
| SHA256 | f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5 |
| SHA512 | 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5 |
C:\ProgramData\aRuqKYUHjcVND\Files\Browsers\_FILEF~1.TXT
| MD5 | ecaa88f7fa0bf610a5a26cf545dcd3aa |
| SHA1 | 57218c316b6921e2cd61027a2387edc31a2d9471 |
| SHA256 | f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5 |
| SHA512 | 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5 |
C:\ProgramData\aRuqKYUHjcVND\Files\Browsers\_FILEC~1.TXT
| MD5 | ecaa88f7fa0bf610a5a26cf545dcd3aa |
| SHA1 | 57218c316b6921e2cd61027a2387edc31a2d9471 |
| SHA256 | f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5 |
| SHA512 | 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5 |
C:\ProgramData\aRuqKYUHjcVND\Files\Browsers\_FILEP~1.TXT
| MD5 | ecaa88f7fa0bf610a5a26cf545dcd3aa |
| SHA1 | 57218c316b6921e2cd61027a2387edc31a2d9471 |
| SHA256 | f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5 |
| SHA512 | 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5 |
C:\ProgramData\aRuqKYUHjcVND\Files\_FILEP~1.TXT
| MD5 | ecaa88f7fa0bf610a5a26cf545dcd3aa |
| SHA1 | 57218c316b6921e2cd61027a2387edc31a2d9471 |
| SHA256 | f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5 |
| SHA512 | 37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5 |
C:\ProgramData\aRuqKYUHjcVND\Files\_Screen.jpg
| MD5 | 433d8658da6106a66128419e74ff1c32 |
| SHA1 | eac9e7b8a64d1a32e1da09a1dca9dad494fba2a4 |
| SHA256 | 76bd4d866ee60d7d88462fa964ecb0a2bd32e44b8bf61c620fab12e3deb2b943 |
| SHA512 | dda5b1f11873b8a7c2c049ad7477303ff6216b8cee254709065716097bf921a9b9cab25ac2feb419991c3166d9d4162efacaabc98fe048685809f2323e67662c |
C:\ProgramData\aRuqKYUHjcVND\JTGAXU~1.ZIP
| MD5 | b8f34b1fc13ccabffaf6c122679497d0 |
| SHA1 | 8224e7626cd738e9d496567536d6f5db6fa9339e |
| SHA256 | afb30b8f022900f04d145eb10b3986220171b2d7a3ea1e8dd14ca52364166632 |
| SHA512 | 7eb7d30957728bbbf5424d89e55348505c5bb4bac510b2e126f53b31a29acb0a93bd6e4d5d2c1117d5f10c022007be19daf50b2fc341457764c2dde46de53f0a |
C:\ProgramData\aRuqKYUHjcVND\mocc.db
| MD5 | 89d4b62651fa5c864b12f3ea6b1521cb |
| SHA1 | 570d48367b6b66ade9900a9f22d67d67a8fb2081 |
| SHA256 | 22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70 |
| SHA512 | e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff |
C:\ProgramData\aRuqKYUHjcVND\Files\_Info.txt
| MD5 | 05c84151bf9b6e02634a59a6ab7a33d8 |
| SHA1 | 3a4cb3e0a10d522d96d7670c96e2b7afa2a325ab |
| SHA256 | 20f96bbdba79257e31d625d1d8a6f1d95611874f3819f0beec866f4004ac57f0 |
| SHA512 | 813f6db2f79f9071f3adc7f5e7d73a819d5bbba3da15f5b34c2cbebc61e8554dafe994a83c9b63f06254c78ff1a72492e18fc7f360d69d76ecd91f3e707c00ed |
memory/828-73-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-11 10:11
Reported
2021-05-11 12:21
Platform
win10v20210410
Max time kernel
109s
Max time network
113s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe
"C:\Users\Admin\AppData\Local\Temp\a26ad0702fa8eb51a2e8337372bf1718383060c24979242e505dcf915b01fb1c.exe"
Network
Files
memory/3700-114-0x0000000000400000-0x0000000000AFE000-memory.dmp
memory/3700-115-0x0000000077320000-0x00000000774AE000-memory.dmp