Analysis

  • max time kernel: 157s
  • max time network: 164s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 16/06/2022, 02:25

General

  • Target: 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe
  • Size: 4.2MB
  • MD5: 39563dbf4a0421506d0d0236ced276b8
  • SHA1: b3bfb1cc8e53817d88649cd347aeb84a582798cd
  • SHA256: 2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165
  • SHA512: da369b86b2c39b26ac178d9d3c2a1a87c7b6f0143dd8e3a082445b639a932bd90a3363ac18c8b11d30050d5ac6b4025e0c3f4cde6e20fb8e94c625a6bc76ea20

Malware Config

Signatures

  • CryptBot

    A C++ stealer, widely distributed bundled with other software.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  • Blocklisted process makes network request (3 IoCs)
  • Executes dropped EXE (1 IoC)
  • Checks BIOS information in registry (2 TTPs, 4 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Identifies Wine through registry keys (2 TTPs, 2 IoCs)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory (2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry (2 TTPs, 5 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 2 IoCs)
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of FindShellTrayWindow (12 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe (PID 4652)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2811f5abc16c79021f8bdceebe8fe77f2e11005c5687178af4bf5356ab18a165.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • C:\ProgramData\Newu\City.exe (PID 4844, child of 4652)
      Command line: C:\ProgramData\Newu\City.exe
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
    • C:\Windows\SysWOW64\WScript.exe (PID 2396, child of 4652)
      Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\ipras.vbs"
      • Blocklisted process makes network request
  • C:\Windows\System32\svchost.exe (PID 3504)
    Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\Newu\City.exe
    Filesize: 2.2MB
    MD5: 4e74e3957beb1fbf8f790de6d262a12f
    SHA1: 1e74a37e218b25e8218af0d68e5d2533d44255dc
    SHA256: 89120c2b00c6f9299ec1afdd6255a78e475c8205a1c05ffa6e133c7f22cfc8db
    SHA512: c437614c198648c7956301f643bfaccb57fea66e87a2b0798f17cce92476497fb3f1cd3eee16162e92e2c5a8bfd97de2458d5a5ee4c6aac6f188c81e20296e96

  • C:\ProgramData\ipras.vbs
    Filesize: 126B
    MD5: b802ff9244875f69db2fae0f78e92b10
    SHA1: 49385a89cd575894a29fbda969b99cc1f5cf8076
    SHA256: a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8
    SHA512: 609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
    Filesize: 717B
    MD5: ec8ff3b1ded0246437b1472c69dd1811
    SHA1: d813e874c2524e3a7da6c466c67854ad16800326
    SHA256: e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
    SHA512: e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
    Filesize: 192B
    MD5: fcd5acbfc30059d2a4ce55c6b35da4b6
    SHA1: 7c0d1463bd692e2432d426601027c03e7ca14241
    SHA256: 769cc14dc667140513d0c18e1e2e019fbce0ad4356276305a224c39aae63f8e0
    SHA512: f6248ea6ccc4c1d01c05a4d51b4ab31ea474bb7c9d7d747cb7eff31acb2aa5eaec28ba7c96aca70a20fe4a454efbada43dd85b488092e75fad1ba109509768df

  • memory/4652-130-0x0000000000400000-0x0000000000B3B000-memory.dmp (Filesize: 7.2MB)
  • memory/4652-135-0x0000000000400000-0x0000000000B3B000-memory.dmp (Filesize: 7.2MB)
  • memory/4652-134-0x0000000077570000-0x0000000077713000-memory.dmp (Filesize: 1.6MB)
  • memory/4652-131-0x0000000077570000-0x0000000077713000-memory.dmp (Filesize: 1.6MB)
  • memory/4652-132-0x0000000000400000-0x0000000000B3B000-memory.dmp (Filesize: 7.2MB)
  • memory/4652-133-0x0000000000400000-0x0000000000B3B000-memory.dmp (Filesize: 7.2MB)
  • memory/4844-139-0x00000000000B0000-0x0000000000607000-memory.dmp (Filesize: 5.3MB)
  • memory/4844-141-0x00000000000B0000-0x0000000000607000-memory.dmp (Filesize: 5.3MB)
  • memory/4844-144-0x00000000000B0000-0x0000000000607000-memory.dmp (Filesize: 5.3MB)
  • memory/4844-145-0x0000000077570000-0x0000000077713000-memory.dmp (Filesize: 1.6MB)
  • memory/4844-146-0x00000000000B0000-0x0000000000607000-memory.dmp (Filesize: 5.3MB)
  • memory/4844-140-0x0000000077570000-0x0000000077713000-memory.dmp (Filesize: 1.6MB)