Analysis Overview
SHA256
16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001
Threat Level: Known bad
The file 16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001 was found to be: Known bad.
Malicious Activity Summary
CryptBot Payload
CryptBot
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-08 18:57
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-08 18:57
Reported
2022-02-08 23:01
Platform
win7-en-20211208
Max time kernel
162s
Max time network
169s
Command Line
Signatures
CryptBot
CryptBot Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe
"C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | leribis04.top | udp |
Files
memory/800-54-0x0000000075F21000-0x0000000075F23000-memory.dmp
memory/800-55-0x0000000000C20000-0x0000000000C87000-memory.dmp
memory/800-56-0x0000000000C90000-0x0000000000D30000-memory.dmp
memory/800-57-0x0000000000400000-0x00000000004A4000-memory.dmp
memory/800-58-0x0000000002AF0000-0x0000000002AF1000-memory.dmp
memory/800-59-0x0000000074431000-0x0000000074433000-memory.dmp
memory/800-60-0x0000000074181000-0x0000000074183000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-08 18:57
Reported
2022-02-08 23:03
Platform
win10v2004-en-20220113
Max time kernel
184s
Max time network
192s
Command Line
Signatures
CryptBot
CryptBot Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe
"C:\Users\Admin\AppData\Local\Temp\16fb0404e48b8177e15c872b7da4fbef3253012a744de73bc7d8c54a843c5001.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | crl3.digicert.com | udp |
| US | 93.184.220.29:80 | crl3.digicert.com | tcp |
| US | 20.189.173.6:443 | tcp | |
| US | 93.184.220.29:80 | crl3.digicert.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 93.184.220.29:80 | crl3.digicert.com | tcp |
| US | 93.184.220.29:80 | crl3.digicert.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | leribis04.top | udp |
| US | 8.8.8.8:53 | leribis04.top | udp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | leribis04.top | udp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
Files
memory/1760-130-0x0000000002950000-0x00000000029B7000-memory.dmp
memory/1760-131-0x0000000000D80000-0x0000000000E20000-memory.dmp
memory/1760-132-0x0000000000400000-0x00000000004A4000-memory.dmp
memory/700-133-0x000001EA00760000-0x000001EA00770000-memory.dmp
memory/700-134-0x000001EA00D20000-0x000001EA00D30000-memory.dmp
memory/700-135-0x000001EA033D0000-0x000001EA033D4000-memory.dmp