Analysis
-
max time kernel
122s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
15/05/2021, 11:01
Static task
static1
Behavioral task
behavioral1
Sample
ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe
Resource
win7v20210410
General
-
Target
ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe
-
Size
708KB
-
MD5
7de2d80e181ee60311d729f2b1fafc57
-
SHA1
6579dab44c6619b6af86b57fcd160f9a1ffe7b54
-
SHA256
ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759fd20c9cf44693abf786
-
SHA512
48776b1226081f6892da57fae1437deaed37bc758f677693a258416a27bdf7690deaa3033cc66697fa88941d02673695751de97b23c63b04eee3f9c139f4e366
Malware Config
Extracted
cryptbot
remmzp62.top
mortlk06.top
-
payload_url
http://sullok09.top/download.php?file=lv.exe
Extracted
danabot
1827
3
184.95.51.183:443
184.95.51.175:443
192.210.198.12:443
184.95.51.180:443
-
embedded_hash
AEF96B4D339B580ABB737F203C2D0F52
Signatures
-
CryptBot Payload 2 IoCs
resource yara_rule behavioral2/memory/3952-114-0x0000000002330000-0x0000000002411000-memory.dmp family_cryptbot behavioral2/memory/3952-115-0x0000000000400000-0x00000000004E5000-memory.dmp family_cryptbot -
Blocklisted process makes network request 5 IoCs
flow pid Process 43 2088 RUNDLL32.EXE 45 1820 WScript.exe 47 1820 WScript.exe 49 1820 WScript.exe 51 1820 WScript.exe -
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
pid Process 2820 qQnFXaF.exe 3368 vpn.exe 3644 4.exe 2324 Volgendosi.exe.com 1912 Volgendosi.exe.com 3940 SmartClock.exe 1828 qqyfqxcvmd.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe -
Loads dropped DLL 5 IoCs
pid Process 2820 qQnFXaF.exe 2172 rundll32.exe 2172 rundll32.exe 2088 RUNDLL32.EXE 2088 RUNDLL32.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 30 ip-api.com -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\foler\olader\adprovider.dll qQnFXaF.exe File created C:\Program Files (x86)\foler\olader\acledit.dll qQnFXaF.exe File created C:\Program Files (x86)\foler\olader\acppage.dll qQnFXaF.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Volgendosi.exe.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Volgendosi.exe.com Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE -
Delays execution with timeout.exe 1 IoCs
pid Process 1812 timeout.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings Volgendosi.exe.com -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e WScript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 WScript.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4052 PING.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3940 SmartClock.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3548 powershell.exe 3548 powershell.exe 3548 powershell.exe 2088 RUNDLL32.EXE 2088 RUNDLL32.EXE 2940 powershell.exe 2940 powershell.exe 2940 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2172 rundll32.exe Token: SeDebugPrivilege 2088 RUNDLL32.EXE Token: SeDebugPrivilege 3548 powershell.exe Token: SeDebugPrivilege 2940 powershell.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 3952 ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe 3952 ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe 2088 RUNDLL32.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3952 wrote to memory of 2212 3952 ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe 78 PID 3952 wrote to memory of 2212 3952 ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe 78 PID 3952 wrote to memory of 2212 3952 ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe 78 PID 2212 wrote to memory of 2820 2212 cmd.exe 80 PID 2212 wrote to memory of 2820 2212 cmd.exe 80 PID 2212 wrote to memory of 2820 2212 cmd.exe 80 PID 2820 wrote to memory of 3368 2820 qQnFXaF.exe 81 PID 2820 wrote to memory of 3368 2820 qQnFXaF.exe 81 PID 2820 wrote to memory of 3368 2820 qQnFXaF.exe 81 PID 2820 wrote to memory of 3644 2820 qQnFXaF.exe 82 PID 2820 wrote to memory of 3644 2820 qQnFXaF.exe 82 PID 2820 wrote to memory of 3644 2820 qQnFXaF.exe 82 PID 3368 wrote to memory of 808 3368 vpn.exe 83 PID 3368 wrote to memory of 808 3368 vpn.exe 83 PID 3368 wrote to memory of 808 3368 vpn.exe 83 PID 808 wrote to memory of 1168 808 cmd.exe 85 PID 808 wrote to memory of 1168 808 cmd.exe 85 PID 808 wrote to memory of 1168 808 cmd.exe 85 PID 1168 wrote to memory of 3164 1168 cmd.exe 86 PID 1168 wrote to memory of 3164 1168 cmd.exe 86 PID 1168 wrote to memory of 3164 1168 cmd.exe 86 PID 1168 wrote to memory of 2324 1168 cmd.exe 87 PID 1168 wrote to memory of 2324 1168 cmd.exe 87 PID 1168 wrote to memory of 2324 1168 cmd.exe 87 PID 3952 wrote to memory of 2784 3952 ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe 88 PID 3952 wrote to memory of 2784 3952 ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe 88 PID 3952 wrote to memory of 2784 3952 ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe 88 PID 2324 wrote to memory of 1912 2324 Volgendosi.exe.com 90 PID 2324 wrote to memory of 1912 2324 Volgendosi.exe.com 90 PID 2324 wrote to memory of 1912 2324 Volgendosi.exe.com 90 PID 1168 wrote to memory of 4052 1168 cmd.exe 91 PID 1168 wrote to memory of 4052 1168 cmd.exe 91 PID 1168 wrote to memory of 4052 1168 cmd.exe 91 PID 2784 wrote to memory of 1812 2784 cmd.exe 92 PID 2784 wrote to memory of 1812 2784 cmd.exe 92 PID 2784 wrote to memory of 1812 2784 cmd.exe 92 PID 3644 wrote to memory of 3940 3644 4.exe 93 PID 3644 wrote to memory of 3940 3644 4.exe 93 PID 3644 wrote to memory of 3940 3644 4.exe 93 PID 1912 wrote to memory of 1828 1912 Volgendosi.exe.com 96 PID 1912 wrote to memory of 1828 1912 Volgendosi.exe.com 96 PID 1912 wrote to memory of 1828 1912 Volgendosi.exe.com 96 PID 1912 wrote to memory of 2136 1912 Volgendosi.exe.com 97 PID 1912 wrote to memory of 2136 1912 Volgendosi.exe.com 97 PID 1912 wrote to memory of 2136 1912 Volgendosi.exe.com 97 PID 1828 wrote to memory of 2172 1828 qqyfqxcvmd.exe 98 PID 1828 wrote to memory of 2172 1828 qqyfqxcvmd.exe 98 PID 1828 wrote to memory of 2172 1828 qqyfqxcvmd.exe 98 PID 2172 wrote to memory of 2088 2172 rundll32.exe 99 PID 2172 wrote to memory of 2088 2172 rundll32.exe 99 PID 2172 wrote to memory of 2088 2172 rundll32.exe 99 PID 2088 wrote to memory of 3548 2088 RUNDLL32.EXE 100 PID 2088 wrote to memory of 3548 2088 RUNDLL32.EXE 100 PID 2088 wrote to memory of 3548 2088 RUNDLL32.EXE 100 PID 1912 wrote to memory of 1820 1912 Volgendosi.exe.com 102 PID 1912 wrote to memory of 1820 1912 Volgendosi.exe.com 102 PID 1912 wrote to memory of 1820 1912 Volgendosi.exe.com 102 PID 2088 wrote to memory of 2940 2088 RUNDLL32.EXE 104 PID 2088 wrote to memory of 2940 2088 RUNDLL32.EXE 104 PID 2088 wrote to memory of 2940 2088 RUNDLL32.EXE 104 PID 2940 wrote to memory of 2824 2940 powershell.exe 106 PID 2940 wrote to memory of 2824 2940 powershell.exe 106 PID 2940 wrote to memory of 2824 2940 powershell.exe 106 PID 2088 wrote to memory of 3172 2088 RUNDLL32.EXE 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe"C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Fra.potx5⤵
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd6⤵
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^xYCLcQIeccmBAtQnxVUeRSreWyTMvLWXTwOpHrhwlUygNwRbGwNkoTUBVAOfXVFJmCHnfGQsISSXNOgVgvuxYKOqujgigXtggvPkzaiZlvDfwXOukTwBPlLPNHsraIeLOEJd$" Ritroverai.potx7⤵PID:3164
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.comVolgendosi.exe.com n7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com n8⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Users\Admin\AppData\Local\Temp\qqyfqxcvmd.exe"C:\Users\Admin\AppData\Local\Temp\qqyfqxcvmd.exe"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\QQYFQX~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\QQYFQX~1.EXE10⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\QQYFQX~1.DLL,iy9cfI0=11⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp3038.tmp.ps1"12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3548
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp4827.tmp.ps1"12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\nslookup.exe"C:\Windows\system32\nslookup.exe" -type=any localhost13⤵PID:2824
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask12⤵PID:3172
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask12⤵PID:3816
-
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\apbtwts.vbs"9⤵PID:2136
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nnghiomc.vbs"9⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:1820
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 307⤵
- Runs ping.exe
PID:4052
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:3940
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\tlAHqIgwhiGY & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:1812
-
-