Analysis

  • max time kernel
    146s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25/06/2022, 01:38

General

  • Target

    a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe

  • Size

    4.0MB

  • MD5

    87baf758e41c9e99d91975085d024aad

  • SHA1

    7816e63608f056dbb1aaf25fbf4041a959073f81

  • SHA256

    a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d

  • SHA512

    770b669b7821c4c893d222a023b12d41b01cc6afd4ca6a81c738a583411e7c6f61576a1e1d6aec943e5257c9233038d0827d67e8d9743a4d1e3440f3ae3541a3

Malware Config

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe
    "C:\Users\Admin\AppData\Local\Temp\a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Program Files (x86)\Cyper\Setup.exe
      "C:\Program Files (x86)\Cyper\Setup.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:5108

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Cyper\Setup.exe

    Filesize

    2.2MB

    MD5

    184073024e93d570c71c2e49afc5b26b

    SHA1

    dbb7cdcb73b04092e9465969f1075227617e88bb

    SHA256

    cc76ddcff8abaf26698c735a56abb171773c48262e06ae2dbdcaf13769edb8de

    SHA512

    00296de5e63229dd91e71dc8d347a34203829314339690a63b5e448ecfda9a7be0f1be11fd34f2936590d30c05ec7ef126ad9ab695ef18459326bdc66160474d

  • C:\Program Files (x86)\Cyper\Setup.exe

    Filesize

    2.2MB

    MD5

    184073024e93d570c71c2e49afc5b26b

    SHA1

    dbb7cdcb73b04092e9465969f1075227617e88bb

    SHA256

    cc76ddcff8abaf26698c735a56abb171773c48262e06ae2dbdcaf13769edb8de

    SHA512

    00296de5e63229dd91e71dc8d347a34203829314339690a63b5e448ecfda9a7be0f1be11fd34f2936590d30c05ec7ef126ad9ab695ef18459326bdc66160474d

  • C:\Users\Admin\AppData\Local\Temp\nsk94E3.tmp\UAC.dll

    Filesize

    14KB

    MD5

    adb29e6b186daa765dc750128649b63d

    SHA1

    160cbdc4cb0ac2c142d361df138c537aa7e708c9

    SHA256

    2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

    SHA512

    b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

  • memory/5108-134-0x0000000000D00000-0x0000000001252000-memory.dmp

    Filesize

    5.3MB

  • memory/5108-135-0x0000000077580000-0x0000000077723000-memory.dmp

    Filesize

    1.6MB

  • memory/5108-136-0x0000000000D00000-0x0000000001252000-memory.dmp

    Filesize

    5.3MB

  • memory/5108-137-0x0000000000D00000-0x0000000001252000-memory.dmp

    Filesize

    5.3MB

  • memory/5108-138-0x0000000077580000-0x0000000077723000-memory.dmp

    Filesize

    1.6MB

  • memory/5108-139-0x0000000000D00000-0x0000000001252000-memory.dmp

    Filesize

    5.3MB