Analysis
- max time kernel: 157s
- max time network: 166s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 06/02/2022, 10:36

Static task: static1
Behavioral task: behavioral1
Sample: 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe
Resource: win7-en-20211208
General
- Target: 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe
- Size: 9.7MB
- MD5: c351f7589ea51b049954973c17d2f949
- SHA1: e84d2160de723af76ea5edc3f1de9e1e42d31a68
- SHA256: 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631
- SHA512: 975262b121a1ddb0be3f80cd539a2dc8657e2b37882ec55d62b387234782d8767aae315e169961bf2cb8dd78a31f93e7e80fbc96f2eaf893a00d898c9510a2b0
Malware Config
Extracted
cryptbot
nkoopw13.top
moraass08.top
Signatures

CryptBot Payload 1 IoCs
resource | yara_rule
behavioral1/memory/1740-99-0x00000000010B0000-0x00000000015B3000-memory.dmp | family_cryptbot

suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

Blocklisted process makes network request 4 IoCs
flow | pid | Process
33 | 1560 | cscript.exe
34 | 1560 | cscript.exe
35 | 1560 | cscript.exe
36 | 1560 | cscript.exe

Executes dropped EXE 3 IoCs
pid | Process
1764 | file.exe
1552 | Setup.exe
1740 | 2.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Wine | 2.exe
Loads dropped DLL 16 IoCs
pid | Process
1512 | 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe
1512 | 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe
1512 | 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe
1512 | 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe
1512 | 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe
1512 | 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe
1512 | 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe
1552 | Setup.exe
1552 | Setup.exe
1552 | Setup.exe
1552 | Setup.exe
1552 | Setup.exe
1552 | Setup.exe
1740 | 2.exe
1740 | 2.exe
1740 | 2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
1740 | 2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 2.exe
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | file.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = [certificate blob omitted] | file.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | file.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | file.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | file.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
588 | PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
1740 | 2.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1740 | 2.exe
1740 | 2.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1764 | file.exe

Suspicious use of WriteProcessMemory 30 IoCs
description | pid | Process | procid_target
PID 1512 wrote to memory of 1764 | 1512 | 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe | 27
PID 1512 wrote to memory of 1764 | 1512 | 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe | 27
PID 1512 wrote to memory of 1764 | 1512 | 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe | 27
PID 1512 wrote to memory of 1764 | 1512 | 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe | 27
PID 1764 wrote to memory of 684 | 1764 | file.exe | 30
PID 1764 wrote to memory of 684 | 1764 | file.exe | 30
PID 1764 wrote to memory of 684 | 1764 | file.exe | 30
PID 1764 wrote to memory of 684 | 1764 | file.exe | 30
PID 684 wrote to memory of 588 | 684 | cmd.exe | 33
PID 684 wrote to memory of 588 | 684 | cmd.exe | 33
PID 684 wrote to memory of 588 | 684 | cmd.exe | 33
PID 684 wrote to memory of 588 | 684 | cmd.exe | 33
PID 1512 wrote to memory of 1552 | 1512 | 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe | 32
PID 1512 wrote to memory of 1552 | 1512 | 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe | 32
PID 1512 wrote to memory of 1552 | 1512 | 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe | 32
PID 1512 wrote to memory of 1552 | 1512 | 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe | 32
PID 1512 wrote to memory of 1552 | 1512 | 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe | 32
PID 1512 wrote to memory of 1552 | 1512 | 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe | 32
PID 1512 wrote to memory of 1552 | 1512 | 956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe | 32
PID 1552 wrote to memory of 1560 | 1552 | Setup.exe | 34
PID 1552 wrote to memory of 1560 | 1552 | Setup.exe | 34
PID 1552 wrote to memory of 1560 | 1552 | Setup.exe | 34
PID 1552 wrote to memory of 1560 | 1552 | Setup.exe | 34
PID 1552 wrote to memory of 1740 | 1552 | Setup.exe | 36
PID 1552 wrote to memory of 1740 | 1552 | Setup.exe | 36
PID 1552 wrote to memory of 1740 | 1552 | Setup.exe | 36
PID 1552 wrote to memory of 1740 | 1552 | Setup.exe | 36
PID 1552 wrote to memory of 1740 | 1552 | Setup.exe | 36
PID 1552 wrote to memory of 1740 | 1552 | Setup.exe | 36
PID 1552 wrote to memory of 1740 | 1552 | Setup.exe | 36
Processes
C:\Users\Admin\AppData\Local\Temp\956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe
    "C:\Users\Admin\AppData\Local\Temp\956c7b865794dcc8c289447883b6f3fa7e32b0338f9b3643691a04ead1b15631.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1512
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
        - Executes dropped EXE
        - Modifies system certificate store
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 1764
        C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe" >> NUL
            - Suspicious use of WriteProcessMemory
            PID: 684
            C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1
                - Runs ping.exe
                PID: 588
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 1552
        C:\Windows\SysWOW64\cscript.exe
            "cscript.exe" pub2.vbs //e:vbscript //NOLOGO
            - Blocklisted process makes network request
            PID: 1560
        C:\Users\Admin\AppData\Local\Temp\sib3F04.tmp\1\2.exe
            "C:\Users\Admin\AppData\Local\Temp\sib3F04.tmp\1\2.exe" /s
            - Executes dropped EXE
            - Checks BIOS information in registry
            - Identifies Wine through registry keys
            - Loads dropped DLL
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            PID: 1740