Analysis Overview
SHA256
305df52e17cf7e129ece5188cd9bf51102fda9ac812d597c3e29314b06e8b3b8
Threat Level: Known bad
The file 305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe was found to be: Known bad.
Malicious Activity Summary
CryptBot Payload
CryptBot
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks processor information in registry
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-14 16:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-14 16:26
Reported
2021-05-14 16:29
Platform
win7v20210408
Max time kernel
8s
Max time network
38s
Command Line
Signatures
CryptBot
CryptBot Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe
"C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe"
Network
Files
memory/1812-59-0x0000000075801000-0x0000000075803000-memory.dmp
memory/1812-60-0x0000000001DB0000-0x0000000001E91000-memory.dmp
memory/1812-61-0x0000000000400000-0x00000000004E5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-14 16:26
Reported
2021-05-14 16:28
Platform
win10v20210408
Max time kernel
33s
Max time network
39s
Command Line
Signatures
CryptBot
CryptBot Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 740 wrote to memory of 744 | N/A | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 740 wrote to memory of 744 | N/A | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 740 wrote to memory of 744 | N/A | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 744 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 744 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 744 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe
"C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\wCCQNDkqYw & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | remeze52.top | udp |
| N/A | 8.8.8.8:53 | morhza05.top | udp |
Files
memory/740-114-0x0000000002280000-0x0000000002361000-memory.dmp
memory/740-115-0x0000000000400000-0x00000000004E5000-memory.dmp
memory/744-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\wCCQNDkqYw\files_\files\SELECT~1.TXT
| MD5 | d69cf9a1c59f964c570bcd1094191127 |
| SHA1 | d6ec3b0f1a748667321d5d48d8f794192265bf3b |
| SHA256 | a4ead87004082485fe1574f68dec612a7a432e2fffaffaf668b80ba1b7f47e6a |
| SHA512 | 65560a1b9c07dda77c90c49967b4a5e2d239bdb5c85c00d5c2094de0edb8a514ead0710f7955778c640269dc5c029d5a92ed90a9aae185f523ec39b50e581d9e |
C:\Users\Admin\AppData\Local\Temp\wCCQNDkqYw\files_\SCREEN~1.JPG
| MD5 | 2c042c0567f9c6ed2035dd760fa668a1 |
| SHA1 | 85c83fb3296f5d4206e233f3bb29d9103af9c7b3 |
| SHA256 | dff28b58a90784614c7be6667184927357221df1c4c75b252c91aeea1b5b4c6e |
| SHA512 | 925ac94eb716d549a079e9cae063e580d26fa017eacc14b5c5fb0b6d545701b80f7aec1e39350e252dce40971d67a63deda762658b706b2a3c128fd45cd4464a |
C:\Users\Admin\AppData\Local\Temp\wCCQNDkqYw\files_\SYSTEM~1.TXT
| MD5 | be1a855e9d6e7d79ed985516326c89c5 |
| SHA1 | b42c5979938e76e6622a99cb11821fe5951d784d |
| SHA256 | b2cc20df0797646347d683369a2360527007a16201f32bee6e7f62b5e82aa1e9 |
| SHA512 | 5cfc6f4b03142f1732a78a950fde19ff72293ca186b0710f44e637f4506b697fdd8fae5c707cc6c2cff0931c71346b80c8a0884f703683e9504978ab7e7e0c65 |
C:\Users\Admin\AppData\Local\Temp\wCCQNDkqYw\LHRFWM~1.ZIP
| MD5 | 6bd7f6a9da3054a7b61313a145842950 |
| SHA1 | 8da32ea4a7770dc18b5655806fed08e665ff0f3d |
| SHA256 | 688e2d0dfd24db504afcd30ac7ea92123487d9d30d746673dca9169efac6ff30 |
| SHA512 | 1044a1d500e24bedbb4ea2c8171ed6b29b1bbb128f3c91e34110ba46bd3d5e4909c510e5bacba2bcdb6e48e0d7cb7504245a1f432f53775c506f660e52d284bd |
C:\Users\Admin\AppData\Local\Temp\wCCQNDkqYw\NOEWTH~1.ZIP
| MD5 | 3cfb460b059e5e503686d8864723b210 |
| SHA1 | 2df1ea51eaa47359fb116081e21b931d0b03b52d |
| SHA256 | cf93148c395ddfb4f52933b0b18e147d0bead3f83582b6cec4ac71e0a2f21411 |
| SHA512 | 122b10d62a648642bb4398e6595d177556dda52cb1416aea659eaffebc92010c795a56be1d3cb6f7c5d5d09d8eaae17c5d0f539b2d2466eb10fc53fadc264711 |
C:\Users\Admin\AppData\Local\Temp\wCCQNDkqYw\_Files\_Files\SELECT~1.TXT
| MD5 | d69cf9a1c59f964c570bcd1094191127 |
| SHA1 | d6ec3b0f1a748667321d5d48d8f794192265bf3b |
| SHA256 | a4ead87004082485fe1574f68dec612a7a432e2fffaffaf668b80ba1b7f47e6a |
| SHA512 | 65560a1b9c07dda77c90c49967b4a5e2d239bdb5c85c00d5c2094de0edb8a514ead0710f7955778c640269dc5c029d5a92ed90a9aae185f523ec39b50e581d9e |
C:\Users\Admin\AppData\Local\Temp\wCCQNDkqYw\_Files\_INFOR~1.TXT
| MD5 | 63a1190e5fae95637f0e2a68a769df7e |
| SHA1 | 6fa29947a36d1854aec53708089b4727cc37f690 |
| SHA256 | 85ee6db014a07a8a156198f551cce3903a165660e76c3e450485e0f051cc300a |
| SHA512 | 78482cad7d7c395f0919f86fad30ae702f9669afb2b8e3168f0081994cd9408f9267f8c183404ca83142f8611b49ece2dc874cf61d7dcad99527c9a6c02f715b |
C:\Users\Admin\AppData\Local\Temp\wCCQNDkqYw\_Files\_SCREE~1.JPE
| MD5 | 2c042c0567f9c6ed2035dd760fa668a1 |
| SHA1 | 85c83fb3296f5d4206e233f3bb29d9103af9c7b3 |
| SHA256 | dff28b58a90784614c7be6667184927357221df1c4c75b252c91aeea1b5b4c6e |
| SHA512 | 925ac94eb716d549a079e9cae063e580d26fa017eacc14b5c5fb0b6d545701b80f7aec1e39350e252dce40971d67a63deda762658b706b2a3c128fd45cd4464a |
memory/2812-125-0x0000000000000000-mapping.dmp