Overview

overview

10

Static

static

open__with...34.exe

windows7_x64

10

open__with...34.exe

windows10_x64

10

Analysis

  • max time kernel
    110s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    07-01-2022 12:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    open__with_Pass__1234.exe

  • Size

    1018KB

  • MD5

    e0e78d14f28a5d23cab7b4dcb86a18a3

  • SHA1

    6a502c655b11c224ae0c75bbfb7c90f5a3281ced

  • SHA256

    af0b1d54f4b625461c6bad67daa6566d1ab2047fee5cf2b81c35b191f044ce9d

  • SHA512

    5c1dd166b003182c93c286a0c87cf72b434075badd8c99ad5f8ca07e6fa36c3aeb1e8027816ebede87ad45b2a885eff8d3d6852dea03d0fb04aeb16580a0e3ef

Score
10/10
cryptbotdiscoveryevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

cryptbot

C2

zyoouw55.top

morlse05.top
Attributes
  • payload_url

    http://yapome07.top/download.php?file=combir.exe

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 12 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\open__with_Pass__1234.exe
    "C:\Users\Admin\AppData\Local\Temp\open__with_Pass__1234.exe"
    1⤵
    • Drops file in Windows directory
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:944
      • C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
        "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        PID:1304
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\mRDYTjeDdvll & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\open__with_Pass__1234.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\SysWOW64\timeout.exe
        timeout 4
        3⤵
        • Delays execution with timeout.exe
        PID:3284

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\File.exe
    MD5

    31e4fa459d9d58e6685cf2b7e04c6cee

    SHA1

    8de71a33f2e8e4e54afdb4a7c0865dcf2ac0165c

    SHA256

    832eb9dbb4e95afbd2684775acc9b7dc8014e997708262e2dc5176291cf91d6d

    SHA512

    080079617a353f995976ff24f8d409606b9511b517b291b016701726765201b5b0020c13429a595318bb5b042eec04f3f2e0100c298771a9ac9f08368ff5887c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\File.exe
    MD5

    31e4fa459d9d58e6685cf2b7e04c6cee

    SHA1

    8de71a33f2e8e4e54afdb4a7c0865dcf2ac0165c

    SHA256

    832eb9dbb4e95afbd2684775acc9b7dc8014e997708262e2dc5176291cf91d6d

    SHA512

    080079617a353f995976ff24f8d409606b9511b517b291b016701726765201b5b0020c13429a595318bb5b042eec04f3f2e0100c298771a9ac9f08368ff5887c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mRDYTjeDdvll\PMEMMW~1.ZIP
    MD5

    f7a2596ea472afa5a8fc838e17900727

    SHA1

    35544137abf03062665cb2e209b89fe190bda03e

    SHA256

    647ce8f27fd4887c19a831255a1b627ea6ffd39cee766da6b129969eae679f22

    SHA512

    be53602630a3978fd8d426c07492502b3c672dae1bb8bbef22f77dcee7673dcf53461ed38e47eccbfcf6c90d88809c0971e4fb4feb63e56da29fd61e32b7093a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mRDYTjeDdvll\VRTUFB~1.ZIP
    MD5

    d2bfde4a9d3abef228974e0907349339

    SHA1

    0d576a6d9b378566a40b3b7c8aa2b6feaa1fe661

    SHA256

    00380a7dea1fcbdcd9da1ce75bc377ee8678b8d68a22d82c98f4590681c43497

    SHA512

    b5a1211b08af681b141357038093e599bc909d206fe6a0a384e5a88d3379dffb82d3f14d1a07366c9128e95165292ec91510dde8561da3806d4637b1f0ba2995

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mRDYTjeDdvll\_Files\_Chrome\DEFAUL~1.BIN
    MD5

    f4b8e6e7ca32ed5ab1653cc327475cc0

    SHA1

    e7c30740b8cc28534d398ff4036e0cc6649619ce

    SHA256

    34abcff7dd7e3157dc78b58d9fc7ce57be556a550bcc6a2b2257c9b08107cbe2

    SHA512

    edc72a374b28b984d8d3ced5a27ddb1a91e843ab873f7b700eecea87c0dfea961359f7931ea127ee2b8edc2602968795c6b9f121622dffca23241736c44d8ae2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mRDYTjeDdvll\_Files\_Chrome\DEFAUL~1.DB
    MD5

    b608d407fc15adea97c26936bc6f03f6

    SHA1

    953e7420801c76393902c0d6bb56148947e41571

    SHA256

    b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

    SHA512

    cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mRDYTjeDdvll\_Files\_Chrome\DEFAUL~2.DB
    MD5

    055c8c5c47424f3c2e7a6fc2ee904032

    SHA1

    5952781d22cff35d94861fac25d89a39af6d0a87

    SHA256

    531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

    SHA512

    c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mRDYTjeDdvll\_Files\_Chrome\DEFAUL~3.DB
    MD5

    8ee018331e95a610680a789192a9d362

    SHA1

    e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

    SHA256

    94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

    SHA512

    4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mRDYTjeDdvll\_Files\_Files\PushSkip.txt
    MD5

    477bfe325aaa3f930f27c0fc9d17ce60

    SHA1

    f2a2b9449320fa9ce3704d0704769e74f3174f1a

    SHA256

    952dee0fa431960103197bb940acdaba5d15e51a1fad9a291a6d8ac30f7f5649

    SHA512

    fa0e818becfd84c411e5037a476e79a613916e2a9aed7abe21dcbd276eab863057ff82364013e42ada4e8048e86c793f43a688a002b1c82413637768b7b5afcf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mRDYTjeDdvll\_Files\_INFOR~1.TXT
    MD5

    7e525b39846476b9ae4ed6c2a62cd4e0

    SHA1

    f2b23bb23541e7cd7be2f0445925742b115d6606

    SHA256

    0435d0202f1bf66207b250c9c103e86ec299eea91962372617459dbc2d607a3d

    SHA512

    6cda9a5ba03479f1c7d44a112780022e5f87c7cd7987ad3751143b56151b812171d3338a16cd65e7bb7cafb037af330f3c0d84d703597a5a034ac583348f4bb2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mRDYTjeDdvll\_Files\_SCREE~1.JPE
    MD5

    291c064e1e43de0c598d57e40cb10235

    SHA1

    05ebc5c5b667ec79359612b19af55bc2f7f4a3e8

    SHA256

    8f9c5e195f49f687d18fbe801472df41c091a3a79de6d453829829cbf06c7c81

    SHA512

    28eddaafa59f5a78d2d18da6d993cf7dc05e08e997660e25daa167eaedb1f87d567b1d9edf4affae2581ea6c70fcef331f4942b29cff81705daff1e710038138

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mRDYTjeDdvll\files_\SCREEN~1.JPG
    MD5

    291c064e1e43de0c598d57e40cb10235

    SHA1

    05ebc5c5b667ec79359612b19af55bc2f7f4a3e8

    SHA256

    8f9c5e195f49f687d18fbe801472df41c091a3a79de6d453829829cbf06c7c81

    SHA512

    28eddaafa59f5a78d2d18da6d993cf7dc05e08e997660e25daa167eaedb1f87d567b1d9edf4affae2581ea6c70fcef331f4942b29cff81705daff1e710038138

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mRDYTjeDdvll\files_\SYSTEM~1.TXT
    MD5

    7e525b39846476b9ae4ed6c2a62cd4e0

    SHA1

    f2b23bb23541e7cd7be2f0445925742b115d6606

    SHA256

    0435d0202f1bf66207b250c9c103e86ec299eea91962372617459dbc2d607a3d

    SHA512

    6cda9a5ba03479f1c7d44a112780022e5f87c7cd7987ad3751143b56151b812171d3338a16cd65e7bb7cafb037af330f3c0d84d703597a5a034ac583348f4bb2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mRDYTjeDdvll\files_\_Chrome\DEFAUL~1.BIN
    MD5

    f4b8e6e7ca32ed5ab1653cc327475cc0

    SHA1

    e7c30740b8cc28534d398ff4036e0cc6649619ce

    SHA256

    34abcff7dd7e3157dc78b58d9fc7ce57be556a550bcc6a2b2257c9b08107cbe2

    SHA512

    edc72a374b28b984d8d3ced5a27ddb1a91e843ab873f7b700eecea87c0dfea961359f7931ea127ee2b8edc2602968795c6b9f121622dffca23241736c44d8ae2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mRDYTjeDdvll\files_\_Chrome\DEFAUL~1.DB
    MD5

    b608d407fc15adea97c26936bc6f03f6

    SHA1

    953e7420801c76393902c0d6bb56148947e41571

    SHA256

    b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

    SHA512

    cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mRDYTjeDdvll\files_\_Chrome\DEFAUL~2.DB
    MD5

    055c8c5c47424f3c2e7a6fc2ee904032

    SHA1

    5952781d22cff35d94861fac25d89a39af6d0a87

    SHA256

    531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

    SHA512

    c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mRDYTjeDdvll\files_\_Chrome\DEFAUL~3.DB
    MD5

    8ee018331e95a610680a789192a9d362

    SHA1

    e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

    SHA256

    94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

    SHA512

    4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mRDYTjeDdvll\files_\files\PushSkip.txt
    MD5

    477bfe325aaa3f930f27c0fc9d17ce60

    SHA1

    f2a2b9449320fa9ce3704d0704769e74f3174f1a

    SHA256

    952dee0fa431960103197bb940acdaba5d15e51a1fad9a291a6d8ac30f7f5649

    SHA512

    fa0e818becfd84c411e5037a476e79a613916e2a9aed7abe21dcbd276eab863057ff82364013e42ada4e8048e86c793f43a688a002b1c82413637768b7b5afcf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    MD5

    31e4fa459d9d58e6685cf2b7e04c6cee

    SHA1

    8de71a33f2e8e4e54afdb4a7c0865dcf2ac0165c

    SHA256

    832eb9dbb4e95afbd2684775acc9b7dc8014e997708262e2dc5176291cf91d6d

    SHA512

    080079617a353f995976ff24f8d409606b9511b517b291b016701726765201b5b0020c13429a595318bb5b042eec04f3f2e0100c298771a9ac9f08368ff5887c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    MD5

    31e4fa459d9d58e6685cf2b7e04c6cee

    SHA1

    8de71a33f2e8e4e54afdb4a7c0865dcf2ac0165c

    SHA256

    832eb9dbb4e95afbd2684775acc9b7dc8014e997708262e2dc5176291cf91d6d

    SHA512

    080079617a353f995976ff24f8d409606b9511b517b291b016701726765201b5b0020c13429a595318bb5b042eec04f3f2e0100c298771a9ac9f08368ff5887c

    Download Submit

  • memory/944-140-0x0000000000D40000-0x000000000142F000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/944-142-0x00000000777D0000-0x000000007795E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/944-138-0x0000000000D40000-0x000000000142F000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/944-117-0x0000000000000000-mapping.dmp

    Download

  • memory/944-139-0x0000000000D40000-0x000000000142F000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/944-141-0x0000000000D40000-0x000000000142F000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1304-143-0x0000000000000000-mapping.dmp

    Download

  • memory/1304-146-0x0000000001120000-0x000000000180F000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1304-147-0x0000000001120000-0x000000000180F000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1304-148-0x0000000001120000-0x000000000180F000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1304-149-0x0000000001120000-0x000000000180F000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1304-150-0x00000000777D0000-0x000000007795E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1980-120-0x0000000000000000-mapping.dmp

    Download

  • memory/2936-116-0x0000000000A50000-0x0000000000A98000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2936-115-0x00000000005A0000-0x00000000005A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3284-137-0x0000000000000000-mapping.dmp

    Download