Analysis Overview
SHA256
9561ae1eae830aed3ade4c339faac7240320f6a01e203b5c0521a9ed09e686fd
Threat Level: Known bad
The file 2.exe was found to be: Known bad.
Malicious Activity Summary
CryptBot
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Delays execution with timeout.exe
Runs ping.exe
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-15 15:04
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-15 15:04
Reported
2021-05-15 15:09
Platform
win10v20210408
Max time kernel
120s
Max time network
124s
Command Line
Signatures
CryptBot
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2.exe | "C:\Users\Admin\AppData\Local\Temp\2.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Osi.wks |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd |
| C:\Windows\SysWOW64\findstr.exe | findstr /V /R "^LiUOCkNiYaUJhgUGDJZrloHmYxLqOcYNmCEuaoPGLxSLfVHkLUkImvvDmxPiAMzDxupLKNhcTaaPdWleNmgTpdgeuwGYzIyYqgdoLWBXGQOutGjDpMzqnmzrSiE$" Ero.wks |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com | Presto.exe.com s |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 30 |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com s |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\ZPjaKqnxdgdsW & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com" |
| C:\Windows\SysWOW64\timeout.exe | timeout 3 |
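The process list above is the whole loader chain: a 7-Zip SFX drops .wks files into 7ZipSfx.000, cmd.exe is fed a script on stdin, findstr /V strips a marker line out of Ero.wks, the rebuilt Presto.exe.com runs with the argument "s" after a ping-based delay, and a final cmd.exe wipes the staging directory and deletes the binary. The following is an added hunting example, not part of this sandbox report: it encodes each of those behaviours as a rule, runs them over constructed process-creation events shaped like Sysmon Event ID 1 rows (images and command lines copied from the report, pids and parent links invented from the listing order, plus a benign findstr control), and correlates hits back to the root of the process tree so several weak signals add up to one alert.

```python
import re
from collections import defaultdict

# Marker literal exactly as it appears in the report's findstr command line.
MARKER = ("LiUOCkNiYaUJhgUGDJZrloHmYxLqOcYNmCEuaoPGLxSLfVHkLUkImvvDmxPiAMzDxup"
          "LKNhcTaaPdWleNmgTpdgeuwGYzIyYqgdoLWBXGQOutGjDpMzqnmzrSiE")
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SYS = r"C:\Windows\SysWOW64"

# Constructed events: (pid, ppid, image, command_line). Images and command
# lines follow the report; pids and parent links are assumed. The last two
# rows are a benign control (an admin grepping a log) that must not fire.
EVENTS = [
    (4000, 3000, TMP + r"\2.exe", '"' + TMP + r'\2.exe"'),
    (4010, 4000, SYS + r"\cmd.exe", r'"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Osi.wks'),
    (4020, 4010, SYS + r"\cmd.exe", r"C:\Windows\system32\cmd"),
    (4030, 4020, SYS + r"\findstr.exe", 'findstr /V /R "^' + MARKER + '$" Ero.wks'),
    (4040, 4020, TMP + r"\7ZipSfx.000\Presto.exe.com", "Presto.exe.com s"),
    (4050, 4020, SYS + r"\PING.EXE", "ping 127.0.0.1 -n 30"),
    (4060, 4040, TMP + r"\7ZipSfx.000\Presto.exe.com", TMP + r"\7ZipSfx.000\Presto.exe.com s"),
    (4070, 4060, SYS + r"\cmd.exe", r'"C:\Windows\system32\cmd.exe" /c rd /s /q ' + TMP
     + r"\ZPjaKqnxdgdsW & timeout 3 & del /f /q " + '"' + TMP + r'\7ZipSfx.000\Presto.exe.com"'),
    (4080, 4070, SYS + r"\timeout.exe", "timeout 3"),
    (5000, 3000, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c findstr /i "error" C:\logs\app.log'),
    (5010, 5000, r"C:\Windows\System32\findstr.exe", r'findstr /i "error" C:\logs\app.log'),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def r_cmd_stdin_redirect(img, cl):
    # cmd.exe fed a script on stdin ("cmd < Osi.wks"): the batch body never
    # shows up in any command line, only the redirect does.
    return basename(img) == "cmd.exe" and re.search(r"<\s*\S+", cl) is not None

def r_findstr_marker_strip(img, cl):
    # findstr /V with an anchored, long alphanumeric literal: lines equal to
    # the marker are dropped from a data file to rebuild a payload.
    tokens = cl.upper().split()
    return (basename(img) == "findstr.exe" and "/V" in tokens
            and re.search(r'"\^[A-Za-z0-9]{32,}\$"', cl) is not None)

def r_ping_loopback_delay(img, cl):
    # ping 127.0.0.1 -n N abused as a sleep of roughly N seconds.
    m = re.search(r"ping\s+(?:127\.0\.0\.1|localhost)\s+-n\s+(\d+)", cl, re.I)
    return basename(img) == "ping.exe" and m is not None and int(m.group(1)) >= 5

def r_sfx_double_extension(img, cl):
    # A ".exe.com" binary launched from a 7-Zip SFX extraction directory.
    return (re.search(r"\.(?:exe|dll|scr)\.com$", basename(img)) is not None
            and re.search(r"\\7zipsfx\.\d+\\", img.lower()) is not None)

def r_self_delete_chain(img, cl):
    # rd /s /q <dir> & timeout N & del /f /q <self>: staging cleanup plus
    # deletion of the calling binary once it has exited.
    return (basename(img) == "cmd.exe" and re.search(
        r"\brd\s+/s\s+/q\b.*&.*\btimeout\b.*&.*\bdel\s+/f\s+/q\b", cl, re.I) is not None)

RULES = {
    "cmd_stdin_redirect": r_cmd_stdin_redirect,
    "findstr_marker_strip": r_findstr_marker_strip,
    "ping_loopback_delay": r_ping_loopback_delay,
    "self_delete_chain": r_self_delete_chain,
    "sfx_double_extension": r_sfx_double_extension,
}

def root_of(pid, by_pid):
    """Follow ppid links up to the first ancestor not present in the event set."""
    seen = set()
    while pid not in seen and by_pid[pid][1] in by_pid:
        seen.add(pid)
        pid = by_pid[pid][1]
    return pid

def hunt(events):
    """Return {(root_pid, root_image): sorted rule names} per process tree."""
    by_pid = {e[0]: e for e in events}
    hits = defaultdict(set)
    for pid, _ppid, img, cl in events:
        for name, rule in RULES.items():
            if rule(img, cl):
                root = root_of(pid, by_pid)
                hits[(root, basename(by_pid[root][2]))].add(name)
    return {k: sorted(v) for k, v in hits.items()}

def suspicious_roots(events, min_rules=3):
    """Trees in which several independent loader behaviours co-occur."""
    return sorted(k for k, v in hunt(events).items() if len(v) >= min_rules)

if __name__ == "__main__":
    for root, rules in hunt(EVENTS).items():
        print(root, rules)
```

Each rule on its own is noisy (ping -n against loopback shows up in plenty of admin scripts), which is why the verdict is taken per process tree: all five fire under 2.exe here, none under the benign findstr tree. In real telemetry the image paths will vary, so key the correlation on the process GUID or pid plus creation time rather than on the pid alone.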
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | iXmOrOGftABUhdEsRQdO.iXmOrOGftABUhdEsRQdO | udp |
| N/A | 8.8.8.8:53 | remurm61.top | udp |
| N/A | 8.8.8.8:53 | mortlk06.top | udp |
Files
memory/3300-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Osi.wks
| MD5 | 4f58047c137b55372dd36769e29d09ad |
| SHA1 | 09b3435804b53d1d5d3eea3dfef94f969bdba4ea |
| SHA256 | 8c54825da63a824fdca6123eae3d2e29e774b1462687d438ade3a94d7ee5efde |
| SHA512 | 380bca42ab0a3961d5652db99429d09ee33741d9b9e9cf15935ed9478a108626c8a2db216abcca111d640f5934af705701ebe544b9ad3bb0f4d972d8a9dd7a24 |
memory/3440-116-0x0000000000000000-mapping.dmp
memory/4172-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ero.wks
| MD5 | bdc5536fd111fd826418bbfda7f7a5f0 |
| SHA1 | 589468c25a2c5189adbb90dab5d821c4d9cb2b44 |
| SHA256 | f0bce88c41bd9de77ec6a64aceeca0db607a877b46671ae7ae50b28f6c2b1b33 |
| SHA512 | 0579c282b170e6ea3b40c9472ce9012dd4ef7c56819709b62f7a908dd369606fd897080fc5d41788430fa4a9e15c49e2dbe6ab9eb63d9e28ebd23fe89e4d1637 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Nemica.wks
| MD5 | 07d322bd401581c8d362b67d1725ae63 |
| SHA1 | 6cda33809121fd533ad5abde9e94a49b69848f53 |
| SHA256 | 814e77103cd8b2500fc885218147a710cea433846db9948414c8f533a7c907cb |
| SHA512 | ebbdfb5fe0377f1f896024fc8bc43b72cd55c540b2517a655457fa87b5f63339157fb583728caee8b14fe331b6bf0d162a13e063e5ab33c7e383779049996aed |
memory/4168-120-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com
| MD5 | 78ba0653a340bac5ff152b21a83626cc |
| SHA1 | b12da9cb5d024555405040e65ad89d16ae749502 |
| SHA256 | 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7 |
| SHA512 | efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317 |
memory/4352-122-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\s
| MD5 | 07d322bd401581c8d362b67d1725ae63 |
| SHA1 | 6cda33809121fd533ad5abde9e94a49b69848f53 |
| SHA256 | 814e77103cd8b2500fc885218147a710cea433846db9948414c8f533a7c907cb |
| SHA512 | ebbdfb5fe0377f1f896024fc8bc43b72cd55c540b2517a655457fa87b5f63339157fb583728caee8b14fe331b6bf0d162a13e063e5ab33c7e383779049996aed |
memory/512-124-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com
| MD5 | 78ba0653a340bac5ff152b21a83626cc |
| SHA1 | b12da9cb5d024555405040e65ad89d16ae749502 |
| SHA256 | 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7 |
| SHA512 | efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sembrava.wks
| MD5 | e4416d16f0381dca6e7cdf03e6e67bc7 |
| SHA1 | 95de10de5660b7e946f6ee183ec40040add6fa81 |
| SHA256 | 3663beb312dcda8bb5c00ff98750625abee45569376e3664facb939d1710dd6a |
| SHA512 | 09e893681c4b3450dc339c060dcbbc6e9ffa7b72a880ed1ceadcf6038130315c02002817279ddeb0547583e5390fe03ba4a074acf2ea2ddbad83fd99de787b11 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com
| MD5 | 78ba0653a340bac5ff152b21a83626cc |
| SHA1 | b12da9cb5d024555405040e65ad89d16ae749502 |
| SHA256 | 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7 |
| SHA512 | efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317 |
memory/512-128-0x0000000000C20000-0x0000000000C21000-memory.dmp
memory/1988-129-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ZPjaKqnxdgdsW\files_\SYSTEM~1.TXT
| MD5 | a601a9a8c7cf97f7f07835fb4fad943f |
| SHA1 | 5e78b27f13961a86fc279d94e9663b750771ff2b |
| SHA256 | 4eb71b40a71569fba2319fbb3c19d127ad870afdcab62058e6173fe89b6cbe54 |
| SHA512 | d8c2a038013aa8d1db4e81e42b4aa823d2c3c6558047c46aa9a24752fa6811ea94369892fe09841bbd9be86148d9e8003781c4b48817ac658bd8b6d6406c8bd2 |
C:\Users\Admin\AppData\Local\Temp\ZPjaKqnxdgdsW\files_\SCREEN~1.JPG
| MD5 | cf1bffad5c30fc1e8525d3dd43579da3 |
| SHA1 | 00845ce654e333890cb2e6cb927e81c959e6fa6a |
| SHA256 | 7720ce853e3f03495cf4f7dfb2aa8b8eeffe89bc4d9bbc52e27f194c484037a6 |
| SHA512 | b4e0d6fb1bb612bd84c01d0944289a4d99cd74e426ce6f592cc19505c3b56a520a47358ff0bdfdd3ac324a8cea410776aa93fd79380b4a73d8f4c6770d5efba3 |
C:\Users\Admin\AppData\Local\Temp\ZPjaKqnxdgdsW\CMRVUW~1.ZIP
| MD5 | 8240dda1362d0d3aa3f4e23198a51c7e |
| SHA1 | db9c4d66c3f924e98eba9cbded31ab8c9502bd3b |
| SHA256 | 5606612f4cb6baf59ee134f7187086602544daa332fd6a29a567f0ddb71889be |
| SHA512 | ab6a02070485fbda993823b12997a4ee7fafed0d5dc4a1431a8650c57119b7358246830b36be6c569c7ca9755acb25f9d646ee33957e50f27c2874e294ee23e5 |
C:\Users\Admin\AppData\Local\Temp\ZPjaKqnxdgdsW\_Files\_SCREE~1.JPE
| MD5 | cf1bffad5c30fc1e8525d3dd43579da3 |
| SHA1 | 00845ce654e333890cb2e6cb927e81c959e6fa6a |
| SHA256 | 7720ce853e3f03495cf4f7dfb2aa8b8eeffe89bc4d9bbc52e27f194c484037a6 |
| SHA512 | b4e0d6fb1bb612bd84c01d0944289a4d99cd74e426ce6f592cc19505c3b56a520a47358ff0bdfdd3ac324a8cea410776aa93fd79380b4a73d8f4c6770d5efba3 |
C:\Users\Admin\AppData\Local\Temp\ZPjaKqnxdgdsW\_Files\_INFOR~1.TXT
| MD5 | b8a56824eebf76bf97eba1b5f969dae2 |
| SHA1 | 23139a9d47ef8599478c205adf4e53e011945c88 |
| SHA256 | 52266f77d54b1a93dd59dbd1ea91fce1e3e79a8ecb0939a930acbae8f973a581 |
| SHA512 | 15f1fd29902a0550da65efadabc5aaea28c3b46a859b04d11822c21630082916ae38b7463bc92a2410a8a5a4e29a4b9d91caf1af089d850d860b06a9aa784581 |
C:\Users\Admin\AppData\Local\Temp\ZPjaKqnxdgdsW\RMIKFZ~1.ZIP
| MD5 | 383691385f52cac4edc79bb5d5cf1206 |
| SHA1 | d089c66732b75ee532fcb57d74a481afd466e20e |
| SHA256 | 02aa46508ffb86a01baf53cf54e8d8a0ac2ffbb4c84d9b3680bb3889ebf7fa65 |
| SHA512 | ce3ad142cb2d5d6a80b3ccdfcc18f4f1826066e29ffbe50673691d46695ada167b66eede2a93dbaf6ed0c8cacfe76081de7e74f7cdc8972daa0b9e052bdcb81a |
memory/2500-136-0x0000000000000000-mapping.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-15 15:04
Reported
2021-05-15 15:09
Platform
win7v20210410
Max time kernel
34s
Max time network
11s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2.exe | "C:\Users\Admin\AppData\Local\Temp\2.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Osi.wks |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd |
| C:\Windows\SysWOW64\findstr.exe | findstr /V /R "^LiUOCkNiYaUJhgUGDJZrloHmYxLqOcYNmCEuaoPGLxSLfVHkLUkImvvDmxPiAMzDxupLKNhcTaaPdWleNmgTpdgeuwGYzIyYqgdoLWBXGQOutGjDpMzqnmzrSiE$" Ero.wks |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com | Presto.exe.com s |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 30 |
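Both detonations (this Windows 7 run and the Windows 10 run above) show the same unpacking step: findstr /V /R "^MARKER$" Ero.wks emits every line of Ero.wks that is not exactly the marker, and the loader then executes Presto.exe.com. The redirect that turns the filter output into Presto.exe.com lives in Osi.wks, whose content the report does not show, so treating the filtered output as the executable is an inference from the process order. The following is an added emulation of that step, not the report's or the malware's code: it builds a carrier file from a constructed stand-in payload (not the real Presto.exe.com), interleaves marker lines the way a builder would, and shows that stripping them recovers the payload byte for byte while the carrier's own hash differs.

```python
import hashlib
import re

# Marker literal from the report's findstr command line.
MARKER = (b"LiUOCkNiYaUJhgUGDJZrloHmYxLqOcYNmCEuaoPGLxSLfVHkLUkImvvDmxPiAMzDxup"
          b"LKNhcTaaPdWleNmgTpdgeuwGYzIyYqgdoLWBXGQOutGjDpMzqnmzrSiE")

# Constructed stand-in payload: every byte value, repeated, so it contains
# 0x0a and 0x0d the way a PE would. It is not the report's Presto.exe.com.
PAYLOAD = bytes(range(256)) * 4

def pad_with_marker(payload, marker=MARKER, every=3):
    """Build an Ero.wks-style carrier: the payload with a marker line inserted
    after every `every` LF-delimited chunks. The real builder's layout is not
    shown on the page; this is one plausible placement (assumption)."""
    out = []
    for i, chunk in enumerate(payload.split(b"\n")):
        out.append(chunk)
        if i % every == 0:
            out.append(marker + b"\r")   # CRLF line, as Windows tools write it
    return b"\n".join(out)

def findstr_v(data, pattern):
    """Emulate `findstr /V /R "pattern"` on a file: emit every line that does
    NOT match. Lines are split on LF only and a trailing CR is ignored for
    matching, so an anchored ^...$ pattern hits a whole CRLF line."""
    rx = re.compile(pattern)
    kept = [ln for ln in data.split(b"\n") if rx.search(ln.rstrip(b"\r")) is None]
    return b"\n".join(kept)

def rebuild(carrier, marker=MARKER):
    """The loader's step: drop the marker lines to recover the executable."""
    return findstr_v(carrier, b"^" + re.escape(marker) + b"$")

def marker_lines(carrier, marker=MARKER):
    """Count marker lines present in a carrier (useful when triaging a .wks)."""
    return sum(1 for ln in carrier.split(b"\n") if ln.rstrip(b"\r") == marker)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    carrier = pad_with_marker(PAYLOAD)
    print("marker lines   ", marker_lines(carrier))
    print("carrier sha256 ", sha256_hex(carrier))
    print("rebuilt sha256 ", sha256_hex(rebuild(carrier)))
    print("payload sha256 ", sha256_hex(PAYLOAD))
```

Two practical consequences follow. First, the carrier and the executable are different files with different hashes, which is why the Files sections list Ero.wks and Presto.exe.com separately; a hash or YARA match on one will not catch the other, so hash both when you collect from a host. Second, the strip is lossless only because the marker is long and random enough never to occur as a whole line inside the real payload; a short marker could corrupt the rebuilt binary, which is the reason these loaders use 100-plus-character literals.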
Network
Files
memory/2040-60-0x0000000076281000-0x0000000076283000-memory.dmp
memory/1980-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Osi.wks
| MD5 | 4f58047c137b55372dd36769e29d09ad |
| SHA1 | 09b3435804b53d1d5d3eea3dfef94f969bdba4ea |
| SHA256 | 8c54825da63a824fdca6123eae3d2e29e774b1462687d438ade3a94d7ee5efde |
| SHA512 | 380bca42ab0a3961d5652db99429d09ee33741d9b9e9cf15935ed9478a108626c8a2db216abcca111d640f5934af705701ebe544b9ad3bb0f4d972d8a9dd7a24 |
memory/1728-63-0x0000000000000000-mapping.dmp
memory/1752-64-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ero.wks
| MD5 | bdc5536fd111fd826418bbfda7f7a5f0 |
| SHA1 | 589468c25a2c5189adbb90dab5d821c4d9cb2b44 |
| SHA256 | f0bce88c41bd9de77ec6a64aceeca0db607a877b46671ae7ae50b28f6c2b1b33 |
| SHA512 | 0579c282b170e6ea3b40c9472ce9012dd4ef7c56819709b62f7a908dd369606fd897080fc5d41788430fa4a9e15c49e2dbe6ab9eb63d9e28ebd23fe89e4d1637 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Nemica.wks
| MD5 | 07d322bd401581c8d362b67d1725ae63 |
| SHA1 | 6cda33809121fd533ad5abde9e94a49b69848f53 |
| SHA256 | 814e77103cd8b2500fc885218147a710cea433846db9948414c8f533a7c907cb |
| SHA512 | ebbdfb5fe0377f1f896024fc8bc43b72cd55c540b2517a655457fa87b5f63339157fb583728caee8b14fe331b6bf0d162a13e063e5ab33c7e383779049996aed |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com
| MD5 | 78ba0653a340bac5ff152b21a83626cc |
| SHA1 | b12da9cb5d024555405040e65ad89d16ae749502 |
| SHA256 | 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7 |
| SHA512 | efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317 |
memory/1856-68-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com
| MD5 | 78ba0653a340bac5ff152b21a83626cc |
| SHA1 | b12da9cb5d024555405040e65ad89d16ae749502 |
| SHA256 | 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7 |
| SHA512 | efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317 |
memory/1720-70-0x0000000000000000-mapping.dmp