Analysis Overview
SHA256
581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485
Threat Level: Known bad
The file 581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485 was found to be: Known bad.
Malicious Activity Summary
CryptBot
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of web browsers
Looks up external IP address via web service
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-25 03:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-25 03:03
Reported
2022-06-25 03:22
Platform
win7-20220414-en
Max time kernel
144s
Max time network
150s
Command Line
Signatures
CryptBot
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe | N/A |
Suspicious use of FindShellTrayWindow
Processes
C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe
"C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | bube01.info | udp |
Files
memory/1236-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp
memory/1236-55-0x0000000000DE0000-0x0000000001315000-memory.dmp
memory/1236-56-0x0000000076FD0000-0x0000000077150000-memory.dmp
memory/1236-57-0x0000000000DE0000-0x0000000001315000-memory.dmp
memory/1236-58-0x0000000074091000-0x0000000074093000-memory.dmp
memory/1236-59-0x0000000073D91000-0x0000000073D93000-memory.dmp
memory/1236-64-0x0000000073C21000-0x0000000073C23000-memory.dmp
memory/1236-68-0x0000000073C01000-0x0000000073C03000-memory.dmp
memory/1236-69-0x0000000000DE0000-0x0000000001315000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-25 03:03
Reported
2022-06-25 03:23
Platform
win10v2004-20220414-en
Max time kernel
152s
Max time network
158s
Command Line
Signatures
CryptBot
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe | N/A |
Suspicious use of FindShellTrayWindow
Processes
C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe
"C:\Users\Admin\AppData\Local\Temp\581753565ad2d4426742ee961f3b4445c4bff72058e403688016cde173c98485.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | bube01.info | udp |
| US | 8.8.8.8:53 | bube01.info | udp |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | bube01.info | udp |
| US | 8.8.8.8:53 | bube01.info | udp |
| GB | 173.222.211.107:80 | tcp | |
| GB | 173.222.211.107:80 | tcp | |
| US | 8.8.8.8:53 | bube01.info | udp |
| IE | 13.69.239.72:443 | tcp | |
| US | 8.8.8.8:53 | bube01.info | udp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bube01.info | udp |
| US | 8.8.8.8:53 | bube01.info | udp |
| US | 8.8.8.8:53 | bube01.info | udp |
| BE | 8.238.110.126:80 | tcp | |
| BE | 8.238.110.126:80 | tcp | |
| US | 8.8.8.8:53 | bube01.info | udp |
| US | 8.8.8.8:53 | bube01.info | udp |
| US | 8.8.8.8:53 | bube01.info | udp |
| US | 8.8.8.8:53 | bube01.info | udp |
| US | 8.8.8.8:53 | bube01.info | udp |
| US | 8.8.8.8:53 | bube01.info | udp |
| NL | 104.123.41.162:80 | tcp | |
| US | 8.8.8.8:53 | bube01.info | udp |
| US | 8.8.8.8:53 | bube01.info | udp |
| US | 8.8.8.8:53 | bube01.info | udp |
| US | 8.8.8.8:53 | bube01.info | udp |
| US | 8.8.8.8:53 | bube01.info | udp |
| US | 8.8.8.8:53 | bube01.info | udp |
| US | 8.8.8.8:53 | bube01.info | udp |
| US | 8.8.8.8:53 | bube01.info | udp |
Files
memory/4468-130-0x0000000000D20000-0x0000000001255000-memory.dmp
memory/4468-131-0x0000000077310000-0x00000000774B3000-memory.dmp
memory/4468-132-0x0000000000D20000-0x0000000001255000-memory.dmp
memory/4468-133-0x0000000000D20000-0x0000000001255000-memory.dmp
memory/4468-134-0x0000000077310000-0x00000000774B3000-memory.dmp
memory/4468-135-0x0000000000D20000-0x0000000001255000-memory.dmp