Overview

overview

10

Static

static

7

99b6ee52d0...fe.exe

windows7_x64

10

99b6ee52d0...fe.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    29-12-2021 20:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    99b6ee52d0dc5a07bff09373a8dda2fe.exe

  • Size

    2.7MB

  • MD5

    99b6ee52d0dc5a07bff09373a8dda2fe

  • SHA1

    616c52af96614c86623829b604b0eda3cf29af28

  • SHA256

    7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067

  • SHA512

    338babef8e40c74ab6957b226e90457d9a0db9f4007235a2df699d4ba6797f571c957b743c1324acad579fd50fd128af47550e5680f92fa7ce276f5cc9d3c12e

Score
10/10
cryptbotdiscoveryevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

cryptbot

C2

hevahu32.top

morypd03.top
Attributes
  • payload_url

    http://kyrpbr04.top/download.php?file=orrery.exe

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 16 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\99b6ee52d0dc5a07bff09373a8dda2fe.exe
    "C:\Users\Admin\AppData\Local\Temp\99b6ee52d0dc5a07bff09373a8dda2fe.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
        "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        PID:1316
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\LRXMyrde & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\99b6ee52d0dc5a07bff09373a8dda2fe.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\SysWOW64\timeout.exe
        timeout 4
        3⤵
        • Delays execution with timeout.exe
        PID:1812

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\File.exe
    MD5

    6f4c94326104917216f67d8511b58e76

    SHA1

    2cece96508040c197e778832ff4df1768b87479f

    SHA256

    5d78b8a09809b8d1b9974a27b55c9c71ce2aa8cc6846ba5cb9115b8ce44a14cf

    SHA512

    c51bf945e1435c6aab82544fb80854f00823bbc57d78b045da6ec70a9c44e9269f9080f85465fe6a10f69052c2a17f126dd75efd376c7ee169f5d9af4a9e9969

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\File.exe
    MD5

    6f4c94326104917216f67d8511b58e76

    SHA1

    2cece96508040c197e778832ff4df1768b87479f

    SHA256

    5d78b8a09809b8d1b9974a27b55c9c71ce2aa8cc6846ba5cb9115b8ce44a14cf

    SHA512

    c51bf945e1435c6aab82544fb80854f00823bbc57d78b045da6ec70a9c44e9269f9080f85465fe6a10f69052c2a17f126dd75efd376c7ee169f5d9af4a9e9969

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\LRXMyrde\DQMPKX~1.ZIP
    MD5

    5cb86da6bdb2c83ddc2799945722a848

    SHA1

    a8a019bb2ba113aeb6c3d918e7e1caf9fc562da5

    SHA256

    5ecce62c22a5108deb090efca86c119537f2d640338f9ff6fde4bce004df5197

    SHA512

    4449d6cb4e4aa64e869406c617d91bc50f8de639378f2344ae4417a308952a74d0bf99728ba5417683e7692b4ce0e375dc03ec41b2a1190ef8e0c1c5e501ddb3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\LRXMyrde\SUQKNF~1.ZIP
    MD5

    2d4c3740b49c88425e6712a8311f725f

    SHA1

    af8ef42b6f12120c78d8a2ca9bbaf0e501f5484a

    SHA256

    c9a878eec47ee291d7ad3969bac4415ce8d9b71620b8ebe33aa7b16300bcaf4b

    SHA512

    296005da1d7f152bcd4299fefa62b0148a2ee8ad26032d18209c6449ffa3da4548dbb4d32443cabe0cab99da087bb8fe13440d69af1535143c80a2d73a4ecab4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\LRXMyrde\_Files\_Chrome\DEFAUL~1.BIN
    MD5

    f4b8e6e7ca32ed5ab1653cc327475cc0

    SHA1

    e7c30740b8cc28534d398ff4036e0cc6649619ce

    SHA256

    34abcff7dd7e3157dc78b58d9fc7ce57be556a550bcc6a2b2257c9b08107cbe2

    SHA512

    edc72a374b28b984d8d3ced5a27ddb1a91e843ab873f7b700eecea87c0dfea961359f7931ea127ee2b8edc2602968795c6b9f121622dffca23241736c44d8ae2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\LRXMyrde\_Files\_Chrome\DEFAUL~1.DB
    MD5

    b608d407fc15adea97c26936bc6f03f6

    SHA1

    953e7420801c76393902c0d6bb56148947e41571

    SHA256

    b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

    SHA512

    cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\LRXMyrde\_Files\_Chrome\DEFAUL~2.DB
    MD5

    055c8c5c47424f3c2e7a6fc2ee904032

    SHA1

    5952781d22cff35d94861fac25d89a39af6d0a87

    SHA256

    531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

    SHA512

    c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\LRXMyrde\_Files\_Chrome\DEFAUL~3.DB
    MD5

    8ee018331e95a610680a789192a9d362

    SHA1

    e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

    SHA256

    94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

    SHA512

    4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\LRXMyrde\_Files\_INFOR~1.TXT
    MD5

    9c897df339c34ec45cb749b496a82e14

    SHA1

    285b4d4c4ed5785af9e2001814b4e74de8076993

    SHA256

    653354ab0702633b3696d8756d19e86be30acb0d7f65bb4de5ea55be1cca2635

    SHA512

    05737b31f9c9f699f8a02750d06c5f766c2506262361ecd1bf819aeefa76cffbcb6eb5d4b8db8b2dd24d773adc54b46c6aa00ce8cccd41e46debeda8d22d6085

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\LRXMyrde\_Files\_SCREE~1.JPE
    MD5

    9ae8ccd464ce303bacd637dd65c20f4b

    SHA1

    a47986d8fa70793d9cc44b343036856d5a8a75f3

    SHA256

    13deb5ab11dcc09affa1d4b987d9166243b2c87700909ca0019844eacc6574e7

    SHA512

    6f0a7afd5f2672bdb841960f1ae2391751b9f591ac7c23ffa9d3058223520a06d92f2975a7ba26fe25aedfd4c61b0bc176cc0795a4e2e68eb421480db69bf4d0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\LRXMyrde\files_\SCREEN~1.JPG
    MD5

    9ae8ccd464ce303bacd637dd65c20f4b

    SHA1

    a47986d8fa70793d9cc44b343036856d5a8a75f3

    SHA256

    13deb5ab11dcc09affa1d4b987d9166243b2c87700909ca0019844eacc6574e7

    SHA512

    6f0a7afd5f2672bdb841960f1ae2391751b9f591ac7c23ffa9d3058223520a06d92f2975a7ba26fe25aedfd4c61b0bc176cc0795a4e2e68eb421480db69bf4d0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\LRXMyrde\files_\SYSTEM~1.TXT
    MD5

    9c897df339c34ec45cb749b496a82e14

    SHA1

    285b4d4c4ed5785af9e2001814b4e74de8076993

    SHA256

    653354ab0702633b3696d8756d19e86be30acb0d7f65bb4de5ea55be1cca2635

    SHA512

    05737b31f9c9f699f8a02750d06c5f766c2506262361ecd1bf819aeefa76cffbcb6eb5d4b8db8b2dd24d773adc54b46c6aa00ce8cccd41e46debeda8d22d6085

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\LRXMyrde\files_\_Chrome\DEFAUL~1.BIN
    MD5

    f4b8e6e7ca32ed5ab1653cc327475cc0

    SHA1

    e7c30740b8cc28534d398ff4036e0cc6649619ce

    SHA256

    34abcff7dd7e3157dc78b58d9fc7ce57be556a550bcc6a2b2257c9b08107cbe2

    SHA512

    edc72a374b28b984d8d3ced5a27ddb1a91e843ab873f7b700eecea87c0dfea961359f7931ea127ee2b8edc2602968795c6b9f121622dffca23241736c44d8ae2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\LRXMyrde\files_\_Chrome\DEFAUL~1.DB
    MD5

    b608d407fc15adea97c26936bc6f03f6

    SHA1

    953e7420801c76393902c0d6bb56148947e41571

    SHA256

    b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

    SHA512

    cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\LRXMyrde\files_\_Chrome\DEFAUL~2.DB
    MD5

    055c8c5c47424f3c2e7a6fc2ee904032

    SHA1

    5952781d22cff35d94861fac25d89a39af6d0a87

    SHA256

    531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

    SHA512

    c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\LRXMyrde\files_\_Chrome\DEFAUL~3.DB
    MD5

    8ee018331e95a610680a789192a9d362

    SHA1

    e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

    SHA256

    94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

    SHA512

    4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    MD5

    6f4c94326104917216f67d8511b58e76

    SHA1

    2cece96508040c197e778832ff4df1768b87479f

    SHA256

    5d78b8a09809b8d1b9974a27b55c9c71ce2aa8cc6846ba5cb9115b8ce44a14cf

    SHA512

    c51bf945e1435c6aab82544fb80854f00823bbc57d78b045da6ec70a9c44e9269f9080f85465fe6a10f69052c2a17f126dd75efd376c7ee169f5d9af4a9e9969

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    MD5

    6f4c94326104917216f67d8511b58e76

    SHA1

    2cece96508040c197e778832ff4df1768b87479f

    SHA256

    5d78b8a09809b8d1b9974a27b55c9c71ce2aa8cc6846ba5cb9115b8ce44a14cf

    SHA512

    c51bf945e1435c6aab82544fb80854f00823bbc57d78b045da6ec70a9c44e9269f9080f85465fe6a10f69052c2a17f126dd75efd376c7ee169f5d9af4a9e9969

    Download Submit

  • memory/1004-125-0x0000000000A20000-0x0000000001110000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1004-134-0x0000000000A20000-0x0000000001110000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1004-126-0x0000000000A20000-0x0000000001110000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1004-124-0x0000000077300000-0x000000007748E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1004-143-0x0000000000A20000-0x0000000001110000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1004-120-0x0000000000000000-mapping.dmp

    Download

  • memory/1316-151-0x0000000077300000-0x000000007748E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1316-150-0x0000000000970000-0x0000000001060000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1316-149-0x0000000000970000-0x0000000001060000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1316-148-0x0000000000970000-0x0000000001060000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1316-147-0x0000000000970000-0x0000000001060000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1316-144-0x0000000000000000-mapping.dmp

    Download

  • memory/1476-123-0x0000000000000000-mapping.dmp

    Download

  • memory/1812-142-0x0000000000000000-mapping.dmp

    Download

  • memory/2440-115-0x0000000000BC0000-0x00000000012AF000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2440-116-0x0000000000BC0000-0x00000000012AF000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2440-117-0x0000000000BC0000-0x00000000012AF000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2440-118-0x0000000000BC0000-0x00000000012AF000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2440-119-0x0000000077300000-0x000000007748E000-memory.dmp

    Filesize

    1.6MB

    Download