Analysis

  • max time kernel
    156s
  • max time network
    171s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    06/02/2022, 15:03

General

  • Target

    0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe

  • Size

    7.6MB

  • MD5

    f7baa2694e3c882123dfc6cb891c2786

  • SHA1

    25868a92ec1a4898c28c9fe79aae4be6926750d6

  • SHA256

    0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764

  • SHA512

    c79283afb478c4ddd10fcc6afd4f76451ce60b182a01964d8f683907c1080fdc19bdaffa51248464670efbe7b8762ec0f9b74413c2239127d5972549bec4f2d6

Malware Config

Extracted

Family

cryptbot

C2

nkoopw13.top

moraass08.top

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

  • CryptBot Payload 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 16 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe
    "C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1332
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe" >> NUL
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:844
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1644
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\cscript.exe
        "cscript.exe" pub2.vbs //e:vbscript //NOLOGO
        3⤵
        • Blocklisted process makes network request
        PID:988
      • C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe
        "C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe" /s
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:1732

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1332-55-0x0000000075321000-0x0000000075323000-memory.dmp

          Filesize

          8KB

        • memory/1680-61-0x0000000000110000-0x000000000011D000-memory.dmp

          Filesize

          52KB

        • memory/1732-101-0x00000000008B0000-0x00000000008B1000-memory.dmp

          Filesize

          4KB

        • memory/1732-102-0x0000000000770000-0x0000000000771000-memory.dmp

          Filesize

          4KB

        • memory/1732-115-0x0000000000780000-0x0000000000781000-memory.dmp

          Filesize

          4KB

        • memory/1732-116-0x0000000071471000-0x0000000071473000-memory.dmp

          Filesize

          8KB

        • memory/1732-114-0x0000000002850000-0x0000000002851000-memory.dmp

          Filesize

          4KB

        • memory/1732-113-0x00000000715E1000-0x00000000715E3000-memory.dmp

          Filesize

          8KB

        • memory/1732-112-0x0000000000610000-0x0000000000711000-memory.dmp

          Filesize

          1.0MB

        • memory/1732-105-0x0000000000440000-0x0000000000441000-memory.dmp

          Filesize

          4KB

        • memory/1732-98-0x0000000000500000-0x0000000000501000-memory.dmp

          Filesize

          4KB

        • memory/1732-97-0x0000000000720000-0x0000000000721000-memory.dmp

          Filesize

          4KB

        • memory/1732-96-0x00000000008A0000-0x00000000008A1000-memory.dmp

          Filesize

          4KB

        • memory/1732-95-0x00000000007E0000-0x00000000007E1000-memory.dmp

          Filesize

          4KB

        • memory/1732-94-0x00000000005B0000-0x00000000005B2000-memory.dmp

          Filesize

          8KB

        • memory/1732-99-0x0000000000900000-0x0000000000E04000-memory.dmp

          Filesize

          5.0MB

        • memory/1732-100-0x0000000000890000-0x0000000000891000-memory.dmp

          Filesize

          4KB

        • memory/1732-106-0x0000000002530000-0x0000000002531000-memory.dmp

          Filesize

          4KB

        • memory/1732-103-0x0000000000600000-0x0000000000601000-memory.dmp

          Filesize

          4KB

        • memory/1732-107-0x0000000002540000-0x0000000002541000-memory.dmp

          Filesize

          4KB

        • memory/1732-104-0x0000000000450000-0x0000000000451000-memory.dmp

          Filesize

          4KB

        • memory/1732-111-0x0000000000550000-0x0000000000551000-memory.dmp

          Filesize

          4KB

        • memory/1732-110-0x0000000000560000-0x0000000000561000-memory.dmp

          Filesize

          4KB

        • memory/1732-109-0x00000000004E0000-0x00000000004E1000-memory.dmp

          Filesize

          4KB

        • memory/1732-108-0x00000000004F0000-0x00000000004F1000-memory.dmp

          Filesize

          4KB

        • memory/2032-73-0x000000000E670000-0x000000000E671000-memory.dmp

          Filesize

          4KB

        • memory/2032-84-0x000000000E640000-0x000000000E648000-memory.dmp

          Filesize

          32KB

        • memory/2032-74-0x000000000E671000-0x000000000E672000-memory.dmp

          Filesize

          4KB

        • memory/2032-77-0x0000000002820000-0x0000000002832000-memory.dmp

          Filesize

          72KB

        • memory/2032-79-0x000000000E674000-0x000000000E675000-memory.dmp

          Filesize

          4KB

        • memory/2032-78-0x000000000E673000-0x000000000E674000-memory.dmp

          Filesize

          4KB

        • memory/2032-80-0x000000000E675000-0x000000000E677000-memory.dmp

          Filesize

          8KB

        • memory/2032-81-0x0000000010D50000-0x0000000010E0A000-memory.dmp

          Filesize

          744KB