Analysis Overview
SHA256: 2051799f92fd036d6e1c8a9c06a4aea85a9509214cd0623c0df2fe62bd99986b
Threat Level: Known bad
The file 2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe was found to be: Known bad.
Malicious Activity Summary
CryptBot
CryptBot Payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Delays execution with timeout.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2021-05-13 19:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2021-05-13 19:01
Reported: 2021-05-13 19:04
Platform: win7v20210408
Max time kernel: 121s
Max time network: 154s
Command Line
Signatures
CryptBot
CryptBot Payload
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe
"C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe"
Network
Files
memory/1820-59-0x0000000076641000-0x0000000076643000-memory.dmp
memory/1820-60-0x0000000001E10000-0x0000000001EF1000-memory.dmp
memory/1820-61-0x0000000000400000-0x00000000004E5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2021-05-13 19:01
Reported: 2021-05-13 19:04
Platform: win10v20210408
Max time kernel: 36s
Max time network: 126s
Command Line
Signatures
CryptBot
CryptBot Payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 800 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 800 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 800 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1472 wrote to memory of 2076 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 1472 wrote to memory of 2076 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 1472 wrote to memory of 2076 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe
"C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\rPQsVWrlNvv & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2051799f92fd036d6e1c8a9c06a4aea85a9509214cd06.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | remdny42.top | udp |
| N/A | 8.8.8.8:53 | morpgr04.top | udp |
Files
memory/800-114-0x0000000002260000-0x0000000002341000-memory.dmp
memory/800-115-0x0000000000400000-0x00000000004E5000-memory.dmp
memory/1472-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\rPQsVWrlNvv\files_\SCREEN~1.JPG
C:\Users\Admin\AppData\Local\Temp\rPQsVWrlNvv\files_\SYSTEM~1.TXT
C:\Users\Admin\AppData\Local\Temp\rPQsVWrlNvv\PHCFME~1.ZIP
C:\Users\Admin\AppData\Local\Temp\rPQsVWrlNvv\YSIEQK~1.ZIP
C:\Users\Admin\AppData\Local\Temp\rPQsVWrlNvv\_Files\_INFOR~1.TXT
C:\Users\Admin\AppData\Local\Temp\rPQsVWrlNvv\_Files\_SCREE~1.JPE
memory/2076-123-0x0000000000000000-mapping.dmp