Analysis
max time kernel: 156s
max time network: 171s
platform: windows7_x64
resource: win7-en-20211208
submitted: 06/02/2022, 15:03
Static task: static1
Behavioral task: behavioral1
  Sample: 0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe
  Resource: win10v2004-en-20220113
General
Target: 0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe
Size: 7.6MB
MD5: f7baa2694e3c882123dfc6cb891c2786
SHA1: 25868a92ec1a4898c28c9fe79aae4be6926750d6
SHA256: 0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764
SHA512: c79283afb478c4ddd10fcc6afd4f76451ce60b182a01964d8f683907c1080fdc19bdaffa51248464670efbe7b8762ec0f9b74413c2239127d5972549bec4f2d6
Malware Config
Extracted
cryptbot
  nkoopw13.top
  moraass08.top
Signatures

CryptBot Payload (2 IoCs)
resource                                                                      yara_rule
behavioral1/memory/1732-99-0x0000000000900000-0x0000000000E04000-memory.dmp   family_cryptbot
behavioral1/memory/1732-112-0x0000000000610000-0x0000000000711000-memory.dmp  family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Blocklisted process makes network request (4 IoCs)
flow  pid  Process
33    988  cscript.exe
34    988  cscript.exe
35    988  cscript.exe
36    988  cscript.exe

Executes dropped EXE (3 IoCs)
pid   Process
1680  file.exe
2032  Setup.exe
1732  2.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description        ioc                                                              Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   2.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  2.exe

Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description  ioc                                                                            Process
Key opened   \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Wine  2.exe

Loads dropped DLL (16 IoCs)
pid   Process
1332  0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe  (7 entries)
2032  Setup.exe  (6 entries)
1732  2.exe  (3 entries)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid   Process
1732  2.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                    Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  2.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      2.exe
Modifies system certificate store
description       ioc  Process
Key created       \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C  file.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = (blob data omitted)  file.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  file.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted)  file.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted)  file.exe
Runs ping.exe (1 TTP, 1 IoC)
pid   Process
1644  PING.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid   Process
1732  2.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
1732  2.exe
1732  2.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
1680  file.exe

Suspicious use of WriteProcessMemory (30 IoCs)
description                       pid   Process                                                                 procid_target
PID 1332 wrote to memory of 1680  1332  0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe  27  (4 entries)
PID 1680 wrote to memory of 844   1680  file.exe                                                                30  (4 entries)
PID 844 wrote to memory of 1644   844   cmd.exe                                                                 33  (4 entries)
PID 1332 wrote to memory of 2032  1332  0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe  32  (7 entries)
PID 2032 wrote to memory of 988   2032  Setup.exe                                                               34  (4 entries)
PID 2032 wrote to memory of 1732  2032  Setup.exe                                                               36  (7 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe"
  PID: 1332
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
    PID: 1680
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe" >> NUL
      PID: 844
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1
        PID: 1644
        - Runs ping.exe
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
    PID: 2032
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cscript.exe
      Command line: "cscript.exe" pub2.vbs //e:vbscript //NOLOGO
      PID: 988
      - Blocklisted process makes network request
    C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe" /s
      PID: 1732
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow