Analysis
-
max time kernel
148s -
max time network
190s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
25-06-2022 09:47
General
-
Target
62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe
-
Size
8.6MB
-
MD5
1d0f0178e9fe7c70684b48699b6b327a
-
SHA1
538b422631bf46c9647aac19d542cad8e910bc37
-
SHA256
62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30
-
SHA512
8f0c41459589c14a8a010e1a2eadecd17c89189ef492b9828c76cd350a7af103c2e4f38dc47d38fc127a0a963a74972b8fbea7006acfbf335145372f2b0dfdb2
Malware Config
Signatures
-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Executes dropped EXE 3 IoCs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 10 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 35 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious use of FindShellTrayWindow 13 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe"C:\Users\Admin\AppData\Local\Temp\62648d0b64bbd4f5e4be007c752b174203384145604833b15eb967b0efa9ec30.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Taras\org\com\018.exe"C:\Program Files (x86)\Taras\org\com\018.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Taras\org\com\boind.exe"C:\Program Files (x86)\Taras\org\com\boind.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Taras\org\com\18.exe"C:\Program Files (x86)\Taras\org\com\18.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Taras\org\com\018.exeFilesize
2.7MB
MD549ccf5e3a5e296f82d3ed24413d5e01b
SHA1aa10cd180a20b46a6e7e2c641aa4c3c345e5ec7a
SHA2565b988b60fb68a3fb9ac847bc18b112ffebd8178faff36966f6a219a58c5f080a
SHA5128aaaa0768baa7d3c00818a5955b5b630ecb1f6fed9057bbf07df2862a981c0d16fa943de6da1703138f1777e2ea9e2939150bd86eddb654772d6505beab147f2
-
C:\Program Files (x86)\Taras\org\com\018.exeFilesize
2.7MB
MD549ccf5e3a5e296f82d3ed24413d5e01b
SHA1aa10cd180a20b46a6e7e2c641aa4c3c345e5ec7a
SHA2565b988b60fb68a3fb9ac847bc18b112ffebd8178faff36966f6a219a58c5f080a
SHA5128aaaa0768baa7d3c00818a5955b5b630ecb1f6fed9057bbf07df2862a981c0d16fa943de6da1703138f1777e2ea9e2939150bd86eddb654772d6505beab147f2
-
C:\Program Files (x86)\Taras\org\com\18.exeFilesize
2.9MB
MD5fe46cf63820ec9a916ba9913f5c93a67
SHA1a7ba5fd9cc6780b27a6721d94184fc6231c04151
SHA256a842ec6b502a19617bc6e677eee04dc87bc27d93acf824bd82266c625919d0c5
SHA5126e4b2b36c7339e22ff917e636d80f995c5605aab5495dac266b92e875a8e97554e4e0522efa255b83d762acbefebd8731ae967ce6bb697862a530077b4f8269c
-
C:\Program Files (x86)\Taras\org\com\18.exeFilesize
2.9MB
MD5fe46cf63820ec9a916ba9913f5c93a67
SHA1a7ba5fd9cc6780b27a6721d94184fc6231c04151
SHA256a842ec6b502a19617bc6e677eee04dc87bc27d93acf824bd82266c625919d0c5
SHA5126e4b2b36c7339e22ff917e636d80f995c5605aab5495dac266b92e875a8e97554e4e0522efa255b83d762acbefebd8731ae967ce6bb697862a530077b4f8269c
-
C:\Program Files (x86)\Taras\org\com\boind.exeFilesize
3.3MB
MD5b85c87cc45326ffc33a4488ea54a209b
SHA11ad857c5638e2e948389c20e0c26673a9d8cd401
SHA256f866b825857a23d1fa605c551fcc81333a50ff2ad27d3aff290f5ee434b0b706
SHA512c980f521021bca2955f953af27cc86ebfae116a250eddc5f6d102af92c0e138e06dfa82902f0eb85ae21a2ca5fea8e0de2d14a28cb48e09771b88145bb4b9002
-
C:\Program Files (x86)\Taras\org\com\boind.exeFilesize
3.3MB
MD5b85c87cc45326ffc33a4488ea54a209b
SHA11ad857c5638e2e948389c20e0c26673a9d8cd401
SHA256f866b825857a23d1fa605c551fcc81333a50ff2ad27d3aff290f5ee434b0b706
SHA512c980f521021bca2955f953af27cc86ebfae116a250eddc5f6d102af92c0e138e06dfa82902f0eb85ae21a2ca5fea8e0de2d14a28cb48e09771b88145bb4b9002
-
\Program Files (x86)\Taras\org\com\018.exeFilesize
2.7MB
MD549ccf5e3a5e296f82d3ed24413d5e01b
SHA1aa10cd180a20b46a6e7e2c641aa4c3c345e5ec7a
SHA2565b988b60fb68a3fb9ac847bc18b112ffebd8178faff36966f6a219a58c5f080a
SHA5128aaaa0768baa7d3c00818a5955b5b630ecb1f6fed9057bbf07df2862a981c0d16fa943de6da1703138f1777e2ea9e2939150bd86eddb654772d6505beab147f2
-
\Program Files (x86)\Taras\org\com\018.exeFilesize
2.7MB
MD549ccf5e3a5e296f82d3ed24413d5e01b
SHA1aa10cd180a20b46a6e7e2c641aa4c3c345e5ec7a
SHA2565b988b60fb68a3fb9ac847bc18b112ffebd8178faff36966f6a219a58c5f080a
SHA5128aaaa0768baa7d3c00818a5955b5b630ecb1f6fed9057bbf07df2862a981c0d16fa943de6da1703138f1777e2ea9e2939150bd86eddb654772d6505beab147f2
-
\Program Files (x86)\Taras\org\com\018.exeFilesize
2.7MB
MD549ccf5e3a5e296f82d3ed24413d5e01b
SHA1aa10cd180a20b46a6e7e2c641aa4c3c345e5ec7a
SHA2565b988b60fb68a3fb9ac847bc18b112ffebd8178faff36966f6a219a58c5f080a
SHA5128aaaa0768baa7d3c00818a5955b5b630ecb1f6fed9057bbf07df2862a981c0d16fa943de6da1703138f1777e2ea9e2939150bd86eddb654772d6505beab147f2
-
\Program Files (x86)\Taras\org\com\18.exeFilesize
2.9MB
MD5fe46cf63820ec9a916ba9913f5c93a67
SHA1a7ba5fd9cc6780b27a6721d94184fc6231c04151
SHA256a842ec6b502a19617bc6e677eee04dc87bc27d93acf824bd82266c625919d0c5
SHA5126e4b2b36c7339e22ff917e636d80f995c5605aab5495dac266b92e875a8e97554e4e0522efa255b83d762acbefebd8731ae967ce6bb697862a530077b4f8269c
-
\Program Files (x86)\Taras\org\com\18.exeFilesize
2.9MB
MD5fe46cf63820ec9a916ba9913f5c93a67
SHA1a7ba5fd9cc6780b27a6721d94184fc6231c04151
SHA256a842ec6b502a19617bc6e677eee04dc87bc27d93acf824bd82266c625919d0c5
SHA5126e4b2b36c7339e22ff917e636d80f995c5605aab5495dac266b92e875a8e97554e4e0522efa255b83d762acbefebd8731ae967ce6bb697862a530077b4f8269c
-
\Program Files (x86)\Taras\org\com\18.exeFilesize
2.9MB
MD5fe46cf63820ec9a916ba9913f5c93a67
SHA1a7ba5fd9cc6780b27a6721d94184fc6231c04151
SHA256a842ec6b502a19617bc6e677eee04dc87bc27d93acf824bd82266c625919d0c5
SHA5126e4b2b36c7339e22ff917e636d80f995c5605aab5495dac266b92e875a8e97554e4e0522efa255b83d762acbefebd8731ae967ce6bb697862a530077b4f8269c
-
\Program Files (x86)\Taras\org\com\boind.exeFilesize
3.3MB
MD5b85c87cc45326ffc33a4488ea54a209b
SHA11ad857c5638e2e948389c20e0c26673a9d8cd401
SHA256f866b825857a23d1fa605c551fcc81333a50ff2ad27d3aff290f5ee434b0b706
SHA512c980f521021bca2955f953af27cc86ebfae116a250eddc5f6d102af92c0e138e06dfa82902f0eb85ae21a2ca5fea8e0de2d14a28cb48e09771b88145bb4b9002
-
\Program Files (x86)\Taras\org\com\boind.exeFilesize
3.3MB
MD5b85c87cc45326ffc33a4488ea54a209b
SHA11ad857c5638e2e948389c20e0c26673a9d8cd401
SHA256f866b825857a23d1fa605c551fcc81333a50ff2ad27d3aff290f5ee434b0b706
SHA512c980f521021bca2955f953af27cc86ebfae116a250eddc5f6d102af92c0e138e06dfa82902f0eb85ae21a2ca5fea8e0de2d14a28cb48e09771b88145bb4b9002
-
\Program Files (x86)\Taras\org\com\boind.exeFilesize
3.3MB
MD5b85c87cc45326ffc33a4488ea54a209b
SHA11ad857c5638e2e948389c20e0c26673a9d8cd401
SHA256f866b825857a23d1fa605c551fcc81333a50ff2ad27d3aff290f5ee434b0b706
SHA512c980f521021bca2955f953af27cc86ebfae116a250eddc5f6d102af92c0e138e06dfa82902f0eb85ae21a2ca5fea8e0de2d14a28cb48e09771b88145bb4b9002
-
\Users\Admin\AppData\Local\Temp\nst7A9E.tmp\UAC.dllFilesize
14KB
MD5adb29e6b186daa765dc750128649b63d
SHA1160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA2562f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
memory/620-102-0x0000000000400000-0x0000000000AF2000-memory.dmpFilesize
6.9MB
-
memory/620-105-0x0000000077880000-0x0000000077A00000-memory.dmpFilesize
1.5MB
-
memory/620-73-0x0000000000400000-0x0000000000AF2000-memory.dmpFilesize
6.9MB
-
memory/620-57-0x0000000000000000-mapping.dmp
-
memory/620-75-0x0000000000400000-0x0000000000AF2000-memory.dmpFilesize
6.9MB
-
memory/620-74-0x0000000001170000-0x0000000001862000-memory.dmpFilesize
6.9MB
-
memory/620-86-0x0000000077880000-0x0000000077A00000-memory.dmpFilesize
1.5MB
-
memory/620-68-0x0000000000400000-0x0000000000AF2000-memory.dmpFilesize
6.9MB
-
memory/620-77-0x0000000000400000-0x0000000000AF2000-memory.dmpFilesize
6.9MB
-
memory/944-89-0x0000000000400000-0x0000000000B76000-memory.dmpFilesize
7.5MB
-
memory/944-97-0x0000000000400000-0x0000000000B76000-memory.dmpFilesize
7.5MB
-
memory/944-100-0x0000000000400000-0x0000000000B76000-memory.dmpFilesize
7.5MB
-
memory/944-101-0x0000000001490000-0x0000000001C06000-memory.dmpFilesize
7.5MB
-
memory/944-79-0x0000000000000000-mapping.dmp
-
memory/944-107-0x0000000001490000-0x0000000001C06000-memory.dmpFilesize
7.5MB
-
memory/944-98-0x0000000000400000-0x0000000000B76000-memory.dmpFilesize
7.5MB
-
memory/944-106-0x0000000000400000-0x0000000000B76000-memory.dmpFilesize
7.5MB
-
memory/944-99-0x0000000001490000-0x0000000001C06000-memory.dmpFilesize
7.5MB
-
memory/1108-54-0x0000000076721000-0x0000000076723000-memory.dmpFilesize
8KB
-
memory/1108-72-0x00000000027A0000-0x0000000002F9F000-memory.dmpFilesize
8.0MB
-
memory/1108-87-0x00000000027A0000-0x0000000002F16000-memory.dmpFilesize
7.5MB
-
memory/1108-65-0x00000000027A0000-0x0000000002E92000-memory.dmpFilesize
6.9MB
-
memory/1632-82-0x0000000000A70000-0x000000000126F000-memory.dmpFilesize
8.0MB
-
memory/1632-95-0x0000000000A70000-0x000000000126F000-memory.dmpFilesize
8.0MB
-
memory/1632-96-0x0000000000A70000-0x000000000126F000-memory.dmpFilesize
8.0MB
-
memory/1632-94-0x0000000000A70000-0x000000000126F000-memory.dmpFilesize
8.0MB
-
memory/1632-93-0x0000000000A70000-0x000000000126F000-memory.dmpFilesize
8.0MB
-
memory/1632-85-0x0000000000A70000-0x000000000126F000-memory.dmpFilesize
8.0MB
-
memory/1632-83-0x0000000000A70000-0x000000000126F000-memory.dmpFilesize
8.0MB
-
memory/1632-84-0x0000000000A70000-0x000000000126F000-memory.dmpFilesize
8.0MB
-
memory/1632-103-0x0000000001270000-0x0000000001A6F000-memory.dmpFilesize
8.0MB
-
memory/1632-104-0x0000000000A70000-0x000000000126F000-memory.dmpFilesize
8.0MB
-
memory/1632-81-0x0000000000A70000-0x000000000126F000-memory.dmpFilesize
8.0MB
-
memory/1632-76-0x0000000001270000-0x0000000001A6F000-memory.dmpFilesize
8.0MB
-
memory/1632-61-0x0000000000000000-mapping.dmp
-
memory/1632-108-0x0000000074101000-0x0000000074103000-memory.dmpFilesize
8KB
-
memory/1632-110-0x0000000073F41000-0x0000000073F43000-memory.dmpFilesize
8KB