Analysis
-
max time kernel
578s -
max time network
564s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
30-06-2021 07:26
General
-
Target
b2ead315d6a392726c96cc0f928a5218ecc4282dacd43f36a249219391457093.exe
-
Size
1.8MB
-
MD5
7678217358637f0e5f06128dfdc7b3e4
-
SHA1
0867c058cdcf861deacde7ea2fcd2b589729a3b6
-
SHA256
b2ead315d6a392726c96cc0f928a5218ecc4282dacd43f36a249219391457093
-
SHA512
9880f2635237f22ee1da10bd766ebc9df28e73a5ff63191c5c5cd48f6f4ce13be96de0ce03cfdfe0307746258e739102a7aaf1a40d3719099832c5b5fdb770e6
Score
10/10
Malware Config
Signatures
-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
Blocklisted process makes network request 8 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 30 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b2ead315d6a392726c96cc0f928a5218ecc4282dacd43f36a249219391457093.exe"C:\Users\Admin\AppData\Local\Temp\b2ead315d6a392726c96cc0f928a5218ecc4282dacd43f36a249219391457093.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Ero.avi2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^nwOhgkZOkTAuHApAkWLoGKlGITnVtOaFGtNDNpuScYUkDxTFlwfAaAQOQoFxMrJvBUmDMFNePTNIPZehqSKrmRhuhZNFEMysfbKJUdSFgjLnMoY$" Bellissima.avi4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.comNeghi.exe.com f4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com f5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\OdrQmN.exe"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\OdrQmN.exe"C:\Users\Admin\AppData\Local\Temp\OdrQmN.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Ella.mid9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd10⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^ApgPFnDaQzNGcomssNqFbYhsjOZmoYlXyIDQobjHZzDEBDsixaEBxNGBWXCQntlRoQANFIoUAzFrcIPIbStQx$" Accade.mid11⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Ritroverai.exe.comRitroverai.exe.com p11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Ritroverai.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Ritroverai.exe.com p12⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\yicfumdxu.exe"C:\Users\Admin\AppData\Local\Temp\yicfumdxu.exe"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\YICFUM~1.TMP,S C:\Users\Admin\AppData\Local\Temp\YICFUM~1.EXE14⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\PROGRA~3\BKLNGF~1\KGJOCB~1.TMP,UzkadVBpRw== C:\Users\Admin\AppData\Local\Temp\YICFUM~1.TMP15⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 3180116⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp1515.tmp.ps1"16⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp27B5.tmp.ps1"16⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\nslookup.exe"C:\Windows\system32\nslookup.exe" -type=any localhost17⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask16⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask16⤵
-
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dxvwqpkqve.vbs"13⤵
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jwqyklelhu.vbs"13⤵
- Blocklisted process makes network request
- Modifies system certificate store
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 3011⤵
- Runs ping.exe
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"8⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\osWauaoIuc & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Neghi.exe.com"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 37⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 304⤵
- Runs ping.exe
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152KB
-
Filesize
364KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
364KB
-
Filesize
940KB
-
Filesize
64.6MB
-
Filesize
856KB
-
Filesize
696KB
-
Filesize
1.2MB
-
Filesize
1.6MB
-
Filesize
1.7MB