Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    15/05/2021, 15:04

General

  • Target

    2.exe

  • Size

    1.9MB

  • MD5

    5fd5ef8825f390a3c7dac57659ee7079

  • SHA1

    364c83ce8542086e50f4e62050a715613fcc361c

  • SHA256

    9561ae1eae830aed3ade4c339faac7240320f6a01e203b5c0521a9ed09e686fd

  • SHA512

    fc1a6e185b4abb0ee9e9c0eafd89cce54744a4b42bfbbf14bac37ce1cc85eb75358fb0d99e83c776694862854355d64d5743e7be0966fc97dec08500840a2454

Malware Config

Signatures

  • CryptBot

    A C++ stealer that is widely distributed bundled with other software.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Osi.wks
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3300
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3440
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^LiUOCkNiYaUJhgUGDJZrloHmYxLqOcYNmCEuaoPGLxSLfVHkLUkImvvDmxPiAMzDxupLKNhcTaaPdWleNmgTpdgeuwGYzIyYqgdoLWBXGQOutGjDpMzqnmzrSiE$" Ero.wks
          4⤵
            PID:4172
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com
            Presto.exe.com s
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4168
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com
              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com s
              5⤵
              • Executes dropped EXE
              • Checks processor information in registry
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:512
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\ZPjaKqnxdgdsW & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1988
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 3
                  7⤵
                  • Delays execution with timeout.exe
                  PID:2500
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 30
            4⤵
            • Runs ping.exe
            PID:4352

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/512-128-0x0000000000C20000-0x0000000000C21000-memory.dmp
    Filesize
    4KB