Analysis Overview
SHA256
ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759fd20c9cf44693abf786
Threat Level: Known bad
The file ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe was found to be: Known bad.
Malicious Activity Summary
CryptBot Payload
CryptBot
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Delays execution with timeout.exe
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-15 10:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-15 10:32
Reported
2021-05-15 10:34
Platform
win7v20210408
Max time kernel
8s
Max time network
13s
Command Line
Signatures
CryptBot
CryptBot Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe
"C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"
Network
Files
memory/1028-60-0x0000000075801000-0x0000000075803000-memory.dmp
memory/1028-61-0x00000000004F0000-0x00000000005D1000-memory.dmp
memory/1028-62-0x0000000000400000-0x00000000004E5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-15 10:32
Reported
2021-05-15 10:34
Platform
win10v20210408
Max time kernel
35s
Max time network
46s
Command Line
Signatures
CryptBot
CryptBot Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 908 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 908 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 908 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1996 wrote to memory of 1340 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 1996 wrote to memory of 1340 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
| PID 1996 wrote to memory of 1340 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe
"C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\KDBZehTde & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 8.8.8.8:53 | remmzp62.top | udp |
| N/A | 8.8.8.8:53 | mortlk06.top | udp |
Files
memory/908-114-0x0000000002260000-0x0000000002341000-memory.dmp
memory/908-115-0x0000000000400000-0x00000000004E5000-memory.dmp
memory/1996-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\KDBZehTde\files_\SYSTEM~1.TXT
| Hash | Value |
| --- | --- |
| MD5 | 6ec31edd99f354d5488c1040f2fe31bf |
| SHA1 | 785fcb53f2eecbde42c493e952eee78fff6403a7 |
| SHA256 | 4f9c62a20bc01eb204167ca3783da248fc589a9772ac6825462da4f466ae197c |
| SHA512 | fcae88df9a4222842c84e7291688b51f8bd47357e37176e4a42af8604baf2cb9d61601756d95ab2af0e35f71a5192810cdaa670017bbdad7b1c233b4250ec2e8 |
C:\Users\Admin\AppData\Local\Temp\KDBZehTde\files_\SCREEN~1.JPG
| Hash | Value |
| --- | --- |
| MD5 | 117b7d0a427c292f405e0a6faa136984 |
| SHA1 | cb6a272e4828e82fd43c6c2d399c1a0025e81455 |
| SHA256 | 9300b488ca66e5f30000c56e896bfea404b16e85a0f28e83d30353011747dee2 |
| SHA512 | 0821ce596004bf29bf871a5c7dcca1cb98b1879e8455d6d48b76ad40e5efcb8c6d32e2e9ff7b75437fa84acd24f58a5d15415de13b029a22a008aa5ea032a44f |
C:\Users\Admin\AppData\Local\Temp\KDBZehTde\CKUQPZ~1.ZIP
| Hash | Value |
| --- | --- |
| MD5 | a952c3a2abc4475556e8e34ade8d2dcf |
| SHA1 | 4f739dcbaf72a5a945150d8315988617c898a8dd |
| SHA256 | 5efd50d243b7b0fd92a32ab6fece5788a9bcba840455630669df1c228d827b41 |
| SHA512 | d2e59f9b1ad58367cdde9d3855a259111c44150768dc79fb98cc3950c25f694df17ad53e4dbb06b0c2407cd7631154efa828145f5364132fb2a600acdd4d6ddd |
C:\Users\Admin\AppData\Local\Temp\KDBZehTde\BCDNNC~1.ZIP
| Hash | Value |
| --- | --- |
| MD5 | 7310e0044ae269547f88caa632f98925 |
| SHA1 | 7a29adbbef81ede0ade8eaa908c3ee9c8c19f76a |
| SHA256 | 305d7e723593236d851aeb902112ec6ae48859b7d10b2589c86f823b57fc388f |
| SHA512 | c5b3155db95bb17d770071d2f74d989464d05dea7526729bf8d0c721186b38bcf55c1058be95a7a8b43e610b34ec5e1e14f482160420d25f35449bdcd3eb1576 |
C:\Users\Admin\AppData\Local\Temp\KDBZehTde\_Files\_INFOR~1.TXT
| Hash | Value |
| --- | --- |
| MD5 | 1c5eddc8ddd50d9928c3b6c4cc8538aa |
| SHA1 | 2b763b8b109eddd0845c981383641eae8ab7aeb0 |
| SHA256 | 058c649471bacaf689a89772b19830f64c3360da24b5690de6bf979592ecdce1 |
| SHA512 | 1f57dcde95067590e9337ec620547739b37045be40ef8708277e044fc3525086651872c02ece5d152756a90e54a7056783cb5674324f16900744e5c64d3a9cf8 |
C:\Users\Admin\AppData\Local\Temp\KDBZehTde\_Files\_SCREE~1.JPE
| Hash | Value |
| --- | --- |
| MD5 | 117b7d0a427c292f405e0a6faa136984 |
| SHA1 | cb6a272e4828e82fd43c6c2d399c1a0025e81455 |
| SHA256 | 9300b488ca66e5f30000c56e896bfea404b16e85a0f28e83d30353011747dee2 |
| SHA512 | 0821ce596004bf29bf871a5c7dcca1cb98b1879e8455d6d48b76ad40e5efcb8c6d32e2e9ff7b75437fa84acd24f58a5d15415de13b029a22a008aa5ea032a44f |
memory/1340-123-0x0000000000000000-mapping.dmp