Analysis

  • max time kernel
    122s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    15/05/2021, 11:01

General

  • Target

    ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe

  • Size

    708KB

  • MD5

    7de2d80e181ee60311d729f2b1fafc57

  • SHA1

    6579dab44c6619b6af86b57fcd160f9a1ffe7b54

  • SHA256

    ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759fd20c9cf44693abf786

  • SHA512

    48776b1226081f6892da57fae1437deaed37bc758f677693a258416a27bdf7690deaa3033cc66697fa88941d02673695751de97b23c63b04eee3f9c139f4e366

Malware Config

Extracted

Family

cryptbot

C2

remmzp62.top

mortlk06.top

Attributes
  • payload_url

    http://sullok09.top/download.php?file=lv.exe

Extracted

Family

danabot

Version

1827

Botnet

3

C2

184.95.51.183:443

184.95.51.175:443

192.210.198.12:443

184.95.51.180:443

Attributes
  • embedded_hash

    AEF96B4D339B580ABB737F203C2D0F52

  • rsa_pubkey.plain

Signatures

  • CryptBot

    A C++ stealer, widely distributed bundled with other software.

  • CryptBot Payload 2 IoCs
  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 7 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe
    "C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3952
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe
        "C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
          "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3368
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Fra.potx
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:808
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1168
              • C:\Windows\SysWOW64\findstr.exe
                findstr /V /R "^xYCLcQIeccmBAtQnxVUeRSreWyTMvLWXTwOpHrhwlUygNwRbGwNkoTUBVAOfXVFJmCHnfGQsISSXNOgVgvuxYKOqujgigXtggvPkzaiZlvDfwXOukTwBPlLPNHsraIeLOEJd$" Ritroverai.potx
                7⤵
                PID:3164
              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com
                Volgendosi.exe.com n
                7⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:2324
                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com
                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com n
                  8⤵
                  • Executes dropped EXE
                  • Checks processor information in registry
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:1912
                  • C:\Users\Admin\AppData\Local\Temp\qqyfqxcvmd.exe
                    "C:\Users\Admin\AppData\Local\Temp\qqyfqxcvmd.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:1828
                    • C:\Windows\SysWOW64\rundll32.exe
                      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\QQYFQX~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\QQYFQX~1.EXE
                      10⤵
                      • Loads dropped DLL
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2172
                      • C:\Windows\SysWOW64\RUNDLL32.EXE
                        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\QQYFQX~1.DLL,iy9cfI0=
                        11⤵
                        • Blocklisted process makes network request
                        • Loads dropped DLL
                        • Checks processor information in registry
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of WriteProcessMemory
                        PID:2088
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp3038.tmp.ps1"
                          12⤵
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3548
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp4827.tmp.ps1"
                          12⤵
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2940
                          • C:\Windows\SysWOW64\nslookup.exe
                            "C:\Windows\system32\nslookup.exe" -type=any localhost
                            13⤵
                            PID:2824
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
                          12⤵
                          PID:3172
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
                          12⤵
                          PID:3816
                  • C:\Windows\SysWOW64\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\apbtwts.vbs"
                    9⤵
                    PID:2136
                  • C:\Windows\SysWOW64\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nnghiomc.vbs"
                    9⤵
                    • Blocklisted process makes network request
                    • Modifies system certificate store
                    PID:1820
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1 -n 30
                7⤵
                • Runs ping.exe
                PID:4052
        • C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
          "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
          4⤵
          • Executes dropped EXE
          • Drops startup file
          • Suspicious use of WriteProcessMemory
          PID:3644
          • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
            "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: AddClipboardFormatListener
            PID:3940
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\tlAHqIgwhiGY & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1812

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1828-171-0x0000000000E90000-0x0000000000E91000-memory.dmp
    Filesize: 4KB
  • memory/1828-170-0x0000000000400000-0x0000000000B14000-memory.dmp
    Filesize: 7.1MB
  • memory/1828-169-0x0000000002EA0000-0x00000000035A7000-memory.dmp
    Filesize: 7.0MB
  • memory/1912-157-0x00000000014C0000-0x00000000014C1000-memory.dmp
    Filesize: 4KB
  • memory/2088-179-0x0000000005520000-0x0000000005521000-memory.dmp
    Filesize: 4KB
  • memory/2088-220-0x0000000000B00000-0x0000000000B01000-memory.dmp
    Filesize: 4KB
  • memory/2172-173-0x0000000005520000-0x0000000005521000-memory.dmp
    Filesize: 4KB
  • memory/2172-172-0x0000000004EB1000-0x0000000005510000-memory.dmp
    Filesize: 6.4MB
  • memory/2172-168-0x00000000045A0000-0x0000000004B65000-memory.dmp
    Filesize: 5.8MB
  • memory/2172-175-0x0000000000B10000-0x0000000000B11000-memory.dmp
    Filesize: 4KB
  • memory/2940-218-0x0000000008330000-0x0000000008331000-memory.dmp
    Filesize: 4KB
  • memory/2940-237-0x0000000007303000-0x0000000007304000-memory.dmp
    Filesize: 4KB
  • memory/2940-224-0x0000000008D60000-0x0000000008D61000-memory.dmp
    Filesize: 4KB
  • memory/2940-222-0x0000000007302000-0x0000000007303000-memory.dmp
    Filesize: 4KB
  • memory/2940-221-0x0000000007300000-0x0000000007301000-memory.dmp
    Filesize: 4KB
  • memory/3548-204-0x0000000009200000-0x0000000009201000-memory.dmp
    Filesize: 4KB
  • memory/3548-187-0x0000000006E72000-0x0000000006E73000-memory.dmp
    Filesize: 4KB
  • memory/3548-185-0x00000000074B0000-0x00000000074B1000-memory.dmp
    Filesize: 4KB
  • memory/3548-196-0x0000000008500000-0x0000000008501000-memory.dmp
    Filesize: 4KB
  • memory/3548-186-0x0000000006E70000-0x0000000006E71000-memory.dmp
    Filesize: 4KB
  • memory/3548-198-0x0000000008610000-0x0000000008611000-memory.dmp
    Filesize: 4KB
  • memory/3548-203-0x0000000009C80000-0x0000000009C81000-memory.dmp
    Filesize: 4KB
  • memory/3548-184-0x00000000049B0000-0x00000000049B1000-memory.dmp
    Filesize: 4KB
  • memory/3548-205-0x0000000007020000-0x0000000007021000-memory.dmp
    Filesize: 4KB
  • memory/3548-192-0x00000000081C0000-0x00000000081C1000-memory.dmp
    Filesize: 4KB
  • memory/3548-208-0x0000000006E73000-0x0000000006E74000-memory.dmp
    Filesize: 4KB
  • memory/3548-191-0x0000000007DF0000-0x0000000007DF1000-memory.dmp
    Filesize: 4KB
  • memory/3548-193-0x0000000008200000-0x0000000008201000-memory.dmp
    Filesize: 4KB
  • memory/3548-188-0x0000000007410000-0x0000000007411000-memory.dmp
    Filesize: 4KB
  • memory/3548-190-0x0000000007D30000-0x0000000007D31000-memory.dmp
    Filesize: 4KB
  • memory/3548-189-0x0000000007CC0000-0x0000000007CC1000-memory.dmp
    Filesize: 4KB
  • memory/3644-153-0x00000000004B0000-0x00000000004D6000-memory.dmp
    Filesize: 152KB
  • memory/3644-154-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize: 364KB
  • memory/3940-156-0x0000000000400000-0x000000000045B000-memory.dmp
    Filesize: 364KB
  • memory/3952-114-0x0000000002330000-0x0000000002411000-memory.dmp
    Filesize: 900KB
  • memory/3952-115-0x0000000000400000-0x00000000004E5000-memory.dmp
    Filesize: 916KB