Analysis

  • max time kernel
    157s
  • max time network
    166s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    06/02/2022, 10:36

General

  • Target

    956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe

  • Size

    9.7MB

  • MD5

    c351f7589ea51b049954973c17d2f949

  • SHA1

    e84d2160de723af76ea5edc3f1de9e1e42d31a68

  • SHA256

    956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631

  • SHA512

    975262b121a1ddb0be3f80cd539a2dc8657e2b37882ec55d62b387234782d8767aae315e169961bf2cb8dd78a31f93e7e80fbc96f2eaf893a00d898c9510a2b0

Malware Config

Extracted

Family

cryptbot

C2

nkoopw13.top

moraass08.top

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

  • CryptBot Payload 1 IoCs
  • suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

    suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 16 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe
    "C:\Users\Admin\AppData\Local\Temp\956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe" >> NUL
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:684
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:588
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Windows\SysWOW64\cscript.exe
        "cscript.exe" pub2.vbs //e:vbscript //NOLOGO
        3⤵
        • Blocklisted process makes network request
        PID:1560
      • C:\Users\Admin\AppData\Local\Temp\sib3F04.tmp\1\2.exe
        "C:\Users\Admin\AppData\Local\Temp\sib3F04.tmp\1\2.exe" /s
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:1740

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1512-54-0x0000000076001000-0x0000000076003000-memory.dmp

          Filesize

          8KB

        • memory/1552-81-0x00000000109F0000-0x0000000010AAA000-memory.dmp

          Filesize

          744KB

        • memory/1552-80-0x0000000010AB5000-0x0000000010AB7000-memory.dmp

          Filesize

          8KB

        • memory/1552-76-0x0000000010AB0000-0x0000000010AB1000-memory.dmp

          Filesize

          4KB

        • memory/1552-84-0x000000001C9F0000-0x000000001C9F8000-memory.dmp

          Filesize

          32KB

        • memory/1552-78-0x0000000010AB3000-0x0000000010AB4000-memory.dmp

          Filesize

          4KB

        • memory/1552-75-0x00000000109B0000-0x00000000109C2000-memory.dmp

          Filesize

          72KB

        • memory/1552-79-0x0000000010AB4000-0x0000000010AB5000-memory.dmp

          Filesize

          4KB

        • memory/1552-77-0x0000000010AB1000-0x0000000010AB2000-memory.dmp

          Filesize

          4KB

        • memory/1740-97-0x0000000002B30000-0x0000000002B31000-memory.dmp

          Filesize

          4KB

        • memory/1740-104-0x0000000000A00000-0x0000000000F03000-memory.dmp

          Filesize

          5.0MB

        • memory/1740-114-0x0000000002C90000-0x0000000002C91000-memory.dmp

          Filesize

          4KB

        • memory/1740-96-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

          Filesize

          4KB

        • memory/1740-95-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

          Filesize

          4KB

        • memory/1740-94-0x0000000002A00000-0x0000000002A02000-memory.dmp

          Filesize

          8KB

        • memory/1740-99-0x00000000010B0000-0x00000000015B3000-memory.dmp

          Filesize

          5.0MB

        • memory/1740-103-0x0000000002A10000-0x0000000002A11000-memory.dmp

          Filesize

          4KB

        • memory/1740-102-0x0000000002C80000-0x0000000002C81000-memory.dmp

          Filesize

          4KB

        • memory/1740-101-0x00000000030F0000-0x00000000030F1000-memory.dmp

          Filesize

          4KB

        • memory/1740-100-0x0000000002E90000-0x0000000002E91000-memory.dmp

          Filesize

          4KB

        • memory/1740-98-0x00000000029D0000-0x00000000029D1000-memory.dmp

          Filesize

          4KB

        • memory/1740-105-0x0000000003100000-0x0000000003101000-memory.dmp

          Filesize

          4KB

        • memory/1740-106-0x0000000003210000-0x0000000003211000-memory.dmp

          Filesize

          4KB

        • memory/1740-109-0x00000000029E0000-0x00000000029E1000-memory.dmp

          Filesize

          4KB

        • memory/1740-108-0x00000000029F0000-0x00000000029F1000-memory.dmp

          Filesize

          4KB

        • memory/1740-107-0x00000000029C0000-0x00000000029C1000-memory.dmp

          Filesize

          4KB

        • memory/1740-110-0x0000000002B20000-0x0000000002B21000-memory.dmp

          Filesize

          4KB

        • memory/1740-111-0x0000000003230000-0x0000000003231000-memory.dmp

          Filesize

          4KB

        • memory/1740-112-0x0000000071B71000-0x0000000071B73000-memory.dmp

          Filesize

          8KB

        • memory/1740-113-0x0000000071A01000-0x0000000071A03000-memory.dmp

          Filesize

          8KB

        • memory/1764-61-0x0000000000190000-0x000000000019D000-memory.dmp

          Filesize

          52KB