Analysis Overview
SHA256
305df52e17cf7e129ece5188cd9bf51102fda9ac812d597c3e29314b06e8b3b8
Threat Level: Known bad
The file 305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe was found to be: Known bad.
Malicious Activity Summary
CryptBot
CryptBot Payload
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-14 17:02
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-14 17:02
Reported
2021-05-14 17:06
Platform
win7v20210410
Max time kernel
123s
Max time network
124s
Signatures
CryptBot
CryptBot Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe
"C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe"
Files
memory/1088-60-0x00000000753B1000-0x00000000753B3000-memory.dmp
memory/1088-61-0x00000000002F0000-0x00000000003D1000-memory.dmp
memory/1088-62-0x0000000000400000-0x00000000004E5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-14 17:02
Reported
2021-05-14 17:06
Platform
win10v20210408
Max time kernel
36s
Max time network
123s
Signatures
CryptBot
CryptBot Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 708 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 708 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 708 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2176 wrote to memory of 1312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 2176 wrote to memory of 1312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 2176 wrote to memory of 1312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe
"C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\MThYVealsoGBj & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\305df52e17cf7e129ece5188cd9bf51102fda9ac812d5.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | remeze52.top | udp |
| N/A | 8.8.8.8:53 | morhza05.top | udp |
Files
memory/708-114-0x0000000002180000-0x0000000002261000-memory.dmp
memory/708-115-0x0000000000400000-0x00000000004E5000-memory.dmp
memory/2176-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\MThYVealsoGBj\BRSPPO~1.ZIP
C:\Users\Admin\AppData\Local\Temp\MThYVealsoGBj\files_\files\CLOSEU~1.TXT
C:\Users\Admin\AppData\Local\Temp\MThYVealsoGBj\files_\SCREEN~1.JPG
C:\Users\Admin\AppData\Local\Temp\MThYVealsoGBj\_Files\_Files\CLOSEU~1.TXT
C:\Users\Admin\AppData\Local\Temp\MThYVealsoGBj\UWBMRU~1.ZIP
C:\Users\Admin\AppData\Local\Temp\MThYVealsoGBj\files_\SYSTEM~1.TXT
C:\Users\Admin\AppData\Local\Temp\MThYVealsoGBj\_Files\_INFOR~1.TXT
C:\Users\Admin\AppData\Local\Temp\MThYVealsoGBj\_Files\_SCREE~1.JPE
memory/1312-125-0x0000000000000000-mapping.dmp