Analysis Overview
SHA256
3fbbe701191020522bf1488b4015d325f38c46acd07456de0cd8f4035f1ed170
Threat Level: Known bad
The file 2da5f09b58088a8e3a3ffa45d1f5f5d9.exe was found to be: Known bad.
Malicious Activity Summary
CryptBot
CryptBot Payload
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-14 07:02
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-14 07:02
Reported
2021-05-14 07:05
Platform
win10v20210408
Max time kernel
39s
Max time network
42s
Command Line
Signatures
CryptBot
CryptBot Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 856 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 856 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 856 wrote to memory of 652 | N/A | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 652 wrote to memory of 1268 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 652 wrote to memory of 1268 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 652 wrote to memory of 1268 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe
"C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\HkMdXqQiCgEXj & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | remkoy32.top | udp |
| N/A | 8.8.8.8:53 | morkqz03.top | udp |
Files
memory/856-114-0x0000000002650000-0x0000000002731000-memory.dmp
memory/856-115-0x0000000000400000-0x00000000008B9000-memory.dmp
memory/652-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\HkMdXqQiCgEXj\files_\SCREEN~1.JPG
| MD5 | e59f7b8fbe078b2323ad1684f82b0fc9 |
| SHA1 | 1472a1949ce70bf1e96149e07c0c31d2e4520dd8 |
| SHA256 | 9ae7582e6a72dd04b0d3924634b85cac62bd092ffb8d6b28a62323baeffcf381 |
| SHA512 | 890d578c5cb760c28b3fb8d248491cb85792661bfd433dd09937b068fe5ee308c3a7ad5c0df58d7593572653acdb4bc4f8e5f17485127495362fc0266d982944 |
C:\Users\Admin\AppData\Local\Temp\HkMdXqQiCgEXj\files_\SYSTEM~1.TXT
| MD5 | 11602742bc212ae1d9012f0f6f85b8d2 |
| SHA1 | cf35b9b1f646eef9a0be56ff2eacb8c6f61e2960 |
| SHA256 | 9fbbb3ebff6564e2d164f5dc1db43660831f5a99f490c7309e8793e3745f6de4 |
| SHA512 | 8071be3ab1f120f2bf3d98d98ab9c61c175dcb5569b916f12b1f20f55809d17171ccd6bdf4ff209492b3702375bb0eaa12076c45925a8c77fbba95821d69eced |
C:\Users\Admin\AppData\Local\Temp\HkMdXqQiCgEXj\NARBWU~1.ZIP
| MD5 | 1de8596c304b64b786dcbd4fed1eee05 |
| SHA1 | 830c419ccceba00d3076c2dab5acd2db4f46464f |
| SHA256 | 067cde49c08a71fb75ac700d4e97bbaf93f44606eec9093e21436545fd2261db |
| SHA512 | f8c678bc1d07ddd38a01426a6f6f3ea6fc7603671e07a980a85e4e78566bff4050728b6cc9abf95c8ac1bd829c932b8b34d3452f67a31a3fda1b5e24a35e80ab |
C:\Users\Admin\AppData\Local\Temp\HkMdXqQiCgEXj\UFGEUW~1.ZIP
| MD5 | 7b83e04d63f292a28fe802c01e219309 |
| SHA1 | 1a749d0cf97b2e1595cb9e53511fae90d4e5c4e1 |
| SHA256 | cc7c454189ff6d8a726a99da3ea51d1d30de4e41b70495642cfe1d9c0aeacd05 |
| SHA512 | a80247e94ba4189083325a804d149549cbbd2af722dbb9215fd358e0ff3322fd1e4150d0ecb094e7af9ea22142009c6560a06cb1713e5063be29ebd1abb406d6 |
C:\Users\Admin\AppData\Local\Temp\HkMdXqQiCgEXj\_Files\_INFOR~1.TXT
| MD5 | 34d5fdc06d14bf07540a1fb582893fe1 |
| SHA1 | 77476075b62d656a483ee5e5af2b9c47b94185d3 |
| SHA256 | b3980b4afb3fbcc08a28918a2f69f439359b5b8fdcfca720425f4afd9c98736a |
| SHA512 | 1074476dba360091f38c03877c26da0507035fc54ab02955e903ef2430b6ab0960d2395444b47c6b98a15fb869b13271dc889cc39b23c8e27a256df5cbadeba3 |
C:\Users\Admin\AppData\Local\Temp\HkMdXqQiCgEXj\_Files\_SCREE~1.JPE
| MD5 | e59f7b8fbe078b2323ad1684f82b0fc9 |
| SHA1 | 1472a1949ce70bf1e96149e07c0c31d2e4520dd8 |
| SHA256 | 9ae7582e6a72dd04b0d3924634b85cac62bd092ffb8d6b28a62323baeffcf381 |
| SHA512 | 890d578c5cb760c28b3fb8d248491cb85792661bfd433dd09937b068fe5ee308c3a7ad5c0df58d7593572653acdb4bc4f8e5f17485127495362fc0266d982944 |
memory/1268-123-0x0000000000000000-mapping.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-14 07:02
Reported
2021-05-14 07:05
Platform
win7v20210408
Max time kernel
7s
Max time network
39s
Command Line
Signatures
CryptBot
CryptBot Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe
"C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe"
Network
Files
memory/652-59-0x0000000075C31000-0x0000000075C33000-memory.dmp
memory/652-60-0x00000000021C0000-0x00000000022A1000-memory.dmp
memory/652-61-0x0000000000400000-0x00000000008B9000-memory.dmp