Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    19/01/2022, 21:55

General

  • Target

    979d1d97ef97c7ae5737a88e87757ec4.exe

  • Size

    750KB

  • MD5

    979d1d97ef97c7ae5737a88e87757ec4

  • SHA1

    90d243cb67821975da1b13582476779eff5be9a5

  • SHA256

    d6255b4b18e6f07c4708cf6344163dfe3197cf403957bf3085a6a737bb37b038

  • SHA512

    05c60e3714d906ea985a923ebda9e2efca17dfe29bfe9169f8e14f7053dd2871d9fa6bafb1d56919c07041be8841cfba82811ac1868398e2587ca25433727b4f

Malware Config

Extracted

Family

cryptbot

C2

smarew72.top

moriwi07.top

Attributes
  • payload_url

    http://guruzo10.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

  • CryptBot Payload (2 IoCs)
  • Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  • Sets service image path in registry (2 TTPs)
  • Program crash (1 IoC)
  • Checks processor information in registry (2 TTPs, 5 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 2 IoCs)
  • Modifies data under HKEY_USERS (41 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (9 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\979d1d97ef97c7ae5737a88e87757ec4.exe
    "C:\Users\Admin\AppData\Local\Temp\979d1d97ef97c7ae5737a88e87757ec4.exe"
    1⤵
    • Checks processor information in registry
    PID:3824
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 500
      2⤵
      • Program crash
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3884
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 5951738b1bb9fd3bc22d0ff51d165a36 u9eDz27FjEKMakcCKY+AmQ.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:3340
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3824 -ip 3824
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:3016
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1296
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4012
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k wusvcs -p
    1⤵
    PID:388

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/3824-130-0x0000000000710000-0x00000000007A6000-memory.dmp

    Filesize

    600KB

  • memory/3824-131-0x00000000022B0000-0x0000000002391000-memory.dmp

    Filesize

    900KB

  • memory/3824-132-0x0000000000400000-0x00000000004E5000-memory.dmp

    Filesize

    916KB