Analysis
-
max time kernel
146s -
max time network
179s -
platform
windows7_x64 -
resource
win7-20220718-en -
submitted
02-08-2022 02:04
General
-
Target
5ad8e103ec7393b4463b2a15edaba69f4c9a1ffc944968fa133faf45050cc614.exe
-
Size
2.1MB
-
MD5
d1d3a5dcd374f68a43e6969a8ad68b73
-
SHA1
1c2739031f26a15d613349eca5560496d38fee4e
-
SHA256
5ad8e103ec7393b4463b2a15edaba69f4c9a1ffc944968fa133faf45050cc614
-
SHA512
3bfd7f6718f734be855708143a6c42f9dfdfcb02f46a8ccba84e2fe87b0251742c08696097d0b3aa0ccfeee712ac2e8c934ce3a2041e2ea3a9f60fb88d729971
-
SSDEEP
49152:UDtxhbTXJvWe5tLXPUMtC438/pQTKykvsSF52ZFYPAsVMq:UD7Jt+0frtC4382TKyz/FYPAsVMq
Malware Config
Extracted
cryptbot
perrr01.pro
Signatures
-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ad8e103ec7393b4463b2a15edaba69f4c9a1ffc944968fa133faf45050cc614.exe"C:\Users\Admin\AppData\Local\Temp\5ad8e103ec7393b4463b2a15edaba69f4c9a1ffc944968fa133faf45050cc614.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1772-54-0x0000000075761000-0x0000000075763000-memory.dmpFilesize
8KB
-
memory/1772-55-0x00000000011A0000-0x00000000016CA000-memory.dmpFilesize
5.2MB
-
memory/1772-56-0x00000000778A0000-0x0000000077A20000-memory.dmpFilesize
1.5MB
-
memory/1772-57-0x00000000011A0000-0x00000000016CA000-memory.dmpFilesize
5.2MB
-
memory/1772-58-0x00000000011A0000-0x00000000016CA000-memory.dmpFilesize
5.2MB
-
memory/1772-59-0x0000000074971000-0x0000000074973000-memory.dmpFilesize
8KB
-
memory/1772-60-0x0000000074671000-0x0000000074673000-memory.dmpFilesize
8KB
-
memory/1772-69-0x00000000744E1000-0x00000000744E3000-memory.dmpFilesize
8KB