Overview

overview

10

Static

static

7

installer.exe

windows7_x64

10

installer.exe

windows7_x64

10

installer.exe

windows7_x64

10

installer.exe

windows11_x64

10

installer.exe

windows10_x64

10

installer.exe

windows10_x64

10

installer.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    155s
  • platform
    windows10_x64
  • resource
    win10-de-20210920
  • submitted
    21-10-2021 12:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    installer.exe

  • Size

    2.7MB

  • MD5

    a9a3893285e274d60a9bb5b85f4dfcc4

  • SHA1

    960237e74a28393b0f906a46acffdb4d6160b763

  • SHA256

    51e9ccfd1c8ae13270052947f8dc6e3386c585bf733228a8dc0e028e1c31223f

  • SHA512

    b22237255cdcca7c9cdd1dd0664368a967b09ad672f57beb96891ab6abfd6bf4c2d7161f1f9e9bc468539811494c8fc1c6d6417c0b339c22fc90769addfa3bc0

Score
10/10
cryptbotdiscoveryevasionpersistencespywarestealerthemidatrojan

Malware Config

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Registers COM server for autorun 1 TTPs
    persistence
  • evasion 4 IoCs

    evasion.

    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 23 IoCs
  • Modifies registry class 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\installer.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1356
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\uRZqZEqDly & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\installer.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3732
      • C:\Windows\SysWOW64\timeout.exe
        timeout 4
        3⤵
        • Delays execution with timeout.exe
        PID:3980
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe"
    1⤵
    • Modifies registry class
    PID:2896
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\uRZqZEqDly\EDWNNH~1.ZIP
    MD5

    47c12168c473b5ce2d50faa699fa0507

    SHA1

    d4208d06f5de5bff8f395a2d60e13741512d5214

    SHA256

    36071c7ba80d478cc6ae482bbabecccaf515c3f36f6c077fac838b4b055f0c8c

    SHA512

    f1ea3ce32bda1834a6be353d1b0e683a893ddae5856f3898d7305413b03cf10b9584e24fbd050ab2cd00a283460b76cae18e8be6c81a534e8b28375b2d9b3581

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uRZqZEqDly\PLMNHG~1.ZIP
    MD5

    eefa057bcbd207192af2e8609d9414ba

    SHA1

    cde1ef544b583c13bb3c0272e8cc988fccde2840

    SHA256

    508ebdb2da616fec44058931bc69ffa8f208ef0d30e431cd8727887fbfa34771

    SHA512

    5cd1ceb4e8a152e779808704fb4b82425c1fe7d7c6e31a9072ae9c0cafa50ab6017387ebb0d7106a2b6ac90b06fa706fe27026413bb95d195c714fb274bd366a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uRZqZEqDly\_Files\_Chrome\DEFAUL~1.BIN
    MD5

    dc2f254b5562f0d42df820a0c3d577f9

    SHA1

    16109f6ddd0ce94200daed7323617f43b604f42a

    SHA256

    19afe2b33cc988fb44548cc87f1b467d37a20e74f53b4d71c7c4050c2527f178

    SHA512

    ac0ab6311eefc114412ccfbb4895e19aae0a129171ae7ffeb85a37c5a99a6b89ce795b58681162fc48931306f67c0b1004049665d0171a2c1e6a0ceaca1023d2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uRZqZEqDly\_Files\_Chrome\DEFAUL~1.DB
    MD5

    b608d407fc15adea97c26936bc6f03f6

    SHA1

    953e7420801c76393902c0d6bb56148947e41571

    SHA256

    b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

    SHA512

    cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uRZqZEqDly\_Files\_Chrome\DEFAUL~2.DB
    MD5

    055c8c5c47424f3c2e7a6fc2ee904032

    SHA1

    5952781d22cff35d94861fac25d89a39af6d0a87

    SHA256

    531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

    SHA512

    c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uRZqZEqDly\_Files\_Chrome\DEFAUL~3.DB
    MD5

    8ee018331e95a610680a789192a9d362

    SHA1

    e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

    SHA256

    94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

    SHA512

    4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uRZqZEqDly\_Files\_Files\MEASUR~1.TXT
    MD5

    9c7a33ddd07433b0e1f6e647824955dd

    SHA1

    2e395ef2f8dc0439eb86cf591ba3e3dccb6f6f9e

    SHA256

    e38647b02056550cd4e6f98b2776d181698d2650d56d993e3e04283963b7d3da

    SHA512

    2d05cc053a6ae7f50941c555efbf00d8760742091b1958838058d1fa2669579143ffc81dac170166fec0fb7ebfb915c4f17a5cdc53037c7d5c2480867972248a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uRZqZEqDly\_Files\_INFOR~1.TXT
    MD5

    ff01229264bfe9e45feed601fae5c1cc

    SHA1

    088b76758688b51c3b1f12a7c600a16e470a0322

    SHA256

    9883818be264291b7ca1ca2aed7fe89032897c99da7082711fc1c33349f37581

    SHA512

    702ffd5929bb5a0c39dae6f7d97121594c25f433be5b0ad4545aa32edddc9dd501f08b66f5fad8544e4c47221488c3e0ee370bf0344346242d89cda950414164

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uRZqZEqDly\_Files\_SCREE~1.JPE
    MD5

    26c87644b56b005e5c86c22221ba8eca

    SHA1

    c25632406726a65de1afee9fdc88925163ed9274

    SHA256

    012c01f083dcb470a785558887995077660d1086e21047ebc0583918c31a66ce

    SHA512

    ab75a4c70425ce9ec588d0f6ccde76d00d8843cd619419fb4cab6e6d2ebafa74013101eb279ff094507030e31e1b4eda307b6be56dd6c073cd4784500b457d1d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uRZqZEqDly\files_\SCREEN~1.JPG
    MD5

    26c87644b56b005e5c86c22221ba8eca

    SHA1

    c25632406726a65de1afee9fdc88925163ed9274

    SHA256

    012c01f083dcb470a785558887995077660d1086e21047ebc0583918c31a66ce

    SHA512

    ab75a4c70425ce9ec588d0f6ccde76d00d8843cd619419fb4cab6e6d2ebafa74013101eb279ff094507030e31e1b4eda307b6be56dd6c073cd4784500b457d1d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uRZqZEqDly\files_\SYSTEM~1.TXT
    MD5

    ff01229264bfe9e45feed601fae5c1cc

    SHA1

    088b76758688b51c3b1f12a7c600a16e470a0322

    SHA256

    9883818be264291b7ca1ca2aed7fe89032897c99da7082711fc1c33349f37581

    SHA512

    702ffd5929bb5a0c39dae6f7d97121594c25f433be5b0ad4545aa32edddc9dd501f08b66f5fad8544e4c47221488c3e0ee370bf0344346242d89cda950414164

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uRZqZEqDly\files_\_Chrome\DEFAUL~1.BIN
    MD5

    dc2f254b5562f0d42df820a0c3d577f9

    SHA1

    16109f6ddd0ce94200daed7323617f43b604f42a

    SHA256

    19afe2b33cc988fb44548cc87f1b467d37a20e74f53b4d71c7c4050c2527f178

    SHA512

    ac0ab6311eefc114412ccfbb4895e19aae0a129171ae7ffeb85a37c5a99a6b89ce795b58681162fc48931306f67c0b1004049665d0171a2c1e6a0ceaca1023d2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uRZqZEqDly\files_\_Chrome\DEFAUL~1.DB
    MD5

    b608d407fc15adea97c26936bc6f03f6

    SHA1

    953e7420801c76393902c0d6bb56148947e41571

    SHA256

    b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

    SHA512

    cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uRZqZEqDly\files_\_Chrome\DEFAUL~2.DB
    MD5

    055c8c5c47424f3c2e7a6fc2ee904032

    SHA1

    5952781d22cff35d94861fac25d89a39af6d0a87

    SHA256

    531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

    SHA512

    c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uRZqZEqDly\files_\_Chrome\DEFAUL~3.DB
    MD5

    8ee018331e95a610680a789192a9d362

    SHA1

    e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

    SHA256

    94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

    SHA512

    4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uRZqZEqDly\files_\files\MEASUR~1.TXT
    MD5

    9c7a33ddd07433b0e1f6e647824955dd

    SHA1

    2e395ef2f8dc0439eb86cf591ba3e3dccb6f6f9e

    SHA256

    e38647b02056550cd4e6f98b2776d181698d2650d56d993e3e04283963b7d3da

    SHA512

    2d05cc053a6ae7f50941c555efbf00d8760742091b1958838058d1fa2669579143ffc81dac170166fec0fb7ebfb915c4f17a5cdc53037c7d5c2480867972248a

    Download Submit
  • memory/1356-115-0x0000000000F70000-0x000000000165E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1356-119-0x00000000773E0000-0x000000007756E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1356-118-0x0000000000F70000-0x000000000165E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1356-117-0x0000000000F70000-0x000000000165E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1356-116-0x0000000000F70000-0x000000000165E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3732-120-0x0000000000000000-mapping.dmp
    Download
  • memory/3980-137-0x0000000000000000-mapping.dmp
    Download