Analysis

  • max time kernel: 151s
  • max time network: 154s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 25/06/2022, 03:24

General

  • Target: fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe
  • Size: 2.2MB
  • MD5: afa7b150f54cbc139f9586b16594bec4
  • SHA1: 08109ddd53482cdcd6138d888626a5b860bc0925
  • SHA256: fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8
  • SHA512: 75f39564c813419c5f275dd50113be54801e7afbd365e489c7c365d9e4e14c5ec15474f4bf451a9ffa7555e2e711f869da572149d0654c34fd92664cdfec6431

Malware Config

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundles with other software.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe
    "C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3232
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\XcfphEnUK & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3688
      • C:\Windows\SysWOW64\timeout.exe
        timeout 2
        3⤵
        • Delays execution with timeout.exe
        PID:2348

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\XcfphEnUK\47283761.txt
    Filesize: 161B
    MD5: b26465add1927d3a0d318f8a83fb603e
    SHA1: 72b1d6895160c6a58483583856bfb57d580abc9f
    SHA256: 79407f411759c49be519022a762862f09dd8439362785f37902bac62d93a047e
    SHA512: 914ab20fd6b55dbe9478fc3169e94ef14d76ffbfaab132280ae248ed516697624ac34bdc9219bc242dcedd29544e526c5c1cb58721f61d76b524e95c44d60a95

  • C:\ProgramData\XcfphEnUK\Files\Browsers\_FILEC~1.TXT
    Filesize: 2B
    MD5: 81051bcc2cf1bedf378224b0a93e2877
    SHA1: ba8ab5a0280b953aa97435ff8946cbcbb2755a27
    SHA256: 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
    SHA512: 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

  • C:\ProgramData\XcfphEnUK\Files\Files\Desktop\GRANTR~1.TXT
    Filesize: 418KB
    MD5: 7c0784119d2ccd2784e07956f7ddacb8
    SHA1: 13c00637b870dc8bac6f5026647e02bd27a86f2d
    SHA256: 9b81d98c3d97d0c5a0f349778e7cbbac7ac7806b24f016bd40b38c5f55eff775
    SHA512: 5cf1849db135762f18c3350af5bb3aa68c2057beaf70d568ac7a4bbe6e22d97e0db041bee8b4457ebd30092652d0c5260fcce0a67f78c7a4bc3d437a8df5c253

  • C:\ProgramData\XcfphEnUK\Files\_Info.txt
    Filesize: 6KB
    MD5: 1e60a7a795eec078737ab72b62fdbcbd
    SHA1: bfcccd9608176a9fbd83346cd00b5496e4b5c2d1
    SHA256: cef0efd8dcbe2fa073c72d66f7837b2cd3f59087dcb05bbbbb9ddfddf0f42a06
    SHA512: 8cd2c575e330aa9d5a8cc8f0235e2271e81a7c72f5817eab18dfab7f670baab67f1584d7818a7b70ab70be4fcee4c7722f45e0faf29d13833ba9351a88410f58

  • C:\ProgramData\XcfphEnUK\Files\_Screen.jpg
    Filesize: 50KB
    MD5: 34eec874419f303664c334c229235a4a
    SHA1: bdfd50c36a8a0e83260349dd3dd4c10c4f132b64
    SHA256: fa7f25d1d7ae3b6da665143c380b06ffeba4b4635b37bffc3c328c68f5e4e58e
    SHA512: c519cec9c9ece0bf65168d706352c10ae1d22ee568fc7feb867a83608c9f5869e5fb6b75618092c2f7b19477c9840ee6c5416fc011b5298b63497ca851b1cab1

  • C:\ProgramData\XcfphEnUK\MOZ_CO~1.DB
    Filesize: 96KB
    MD5: 89d4b62651fa5c864b12f3ea6b1521cb
    SHA1: 570d48367b6b66ade9900a9f22d67d67a8fb2081
    SHA256: 22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70
    SHA512: e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff

  • C:\ProgramData\XcfphEnUK\OGIFOJ~1.ZIP
    Filesize: 464KB
    MD5: 33d87dc210f3bb4c2c39af2eefd8f139
    SHA1: 940f485029051b8900db7e091182311d2f88b70c
    SHA256: bb2a03f08f913e0da257d3e8675062eb135cbef29b9655a15ccac7fdf81f8e1f
    SHA512: cdf6f4ecd8fdbb6a9b09511227c3af13e1b85f32a600d47123eba9194aab3c78a60c78bb8ade2df885ad463cf43c9bfa43b45544e13db9f842e9e7e4439401f1

  • memory/3232-130-0x0000000000910000-0x0000000000E64000-memory.dmp
    Filesize: 5.3MB

  • memory/3232-137-0x0000000000910000-0x0000000000E64000-memory.dmp
    Filesize: 5.3MB

  • memory/3232-135-0x0000000000910000-0x0000000000E64000-memory.dmp
    Filesize: 5.3MB

  • memory/3232-134-0x00000000774D0000-0x0000000077673000-memory.dmp
    Filesize: 1.6MB

  • memory/3232-133-0x0000000000910000-0x0000000000E64000-memory.dmp
    Filesize: 5.3MB

  • memory/3232-132-0x0000000000910000-0x0000000000E64000-memory.dmp
    Filesize: 5.3MB

  • memory/3232-131-0x00000000774D0000-0x0000000077673000-memory.dmp
    Filesize: 1.6MB

  • memory/3232-146-0x00000000774D0000-0x0000000077673000-memory.dmp
    Filesize: 1.6MB