Analysis

  • max time kernel
    43s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • submitted
    20-09-2022 15:37

General

  • Target

    51190e0dc5495766f83213fd34009af5.exe

  • Size

    2.5MB

  • MD5

    51190e0dc5495766f83213fd34009af5

  • SHA1

    69d9b3995105cdfb7a86f3bbf9386ef214fb1290

  • SHA256

    af0403b7c12d7b7fa9c487eb4a6e68705e9247abf7bc542f77168bd4ed3408fb

  • SHA512

    fc5e535f3329e5042546b7f491a652152293bfeafedef2e06e0eba5706a16cc946c64f130d34879be6de6a740ae520fc65143910e29ab5bb3f48ffb63a8a5b28

  • SSDEEP

    24576:YoqqcSy2wbUXoArd8SFErUYZ+uNrLFW5CPNWqo0N4IJpsqbMFGf0gAF0NPHyO034:CqcJdiq+WZdgGf6RuyVJi

Malware Config

Extracted

Family

cryptbot

C2

http://dixuip12.top/gate.php

Attributes
  • payload_url

    http://luedil01.top/bhutan.dat

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 16 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51190e0dc5495766f83213fd34009af5.exe
    "C:\Users\Admin\AppData\Local\Temp\51190e0dc5495766f83213fd34009af5.exe"
    1⤵
    • Maps connected drives based on registry
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\AF34AFB69E0AD18E\bhutan.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Users\Admin\AppData\Roaming\AF34AFB69E0AD18E\bhutan.exe
        C:\Users\Admin\AppData\Roaming\AF34AFB69E0AD18E\bhutan.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:364
        • C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
          "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          PID:1120
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\51190e0dc5495766f83213fd34009af5.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Windows\SysWOW64\timeout.exe
        timeout -t 5
        3⤵
        • Delays execution with timeout.exe
        PID:336

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\AF34AFB69E0AD18E\bhutan.exe

    Filesize

    2.7MB

    MD5

    d47d413547e7ce9bf6b452439f3866a6

    SHA1

    6a795e52652fabb79680c6e6469f18eb007547aa

    SHA256

    ca1b9cf687917d780931d2c1b38fac9342167535bdd0ef96d1b8984efa4e0ff4

    SHA512

    29561e52da7689c8c8c5e6a185d89f433663e478a7646de4d0c969097b931473570b8ecf27b42e185e7d7a7755ec7d80dfe585f40df748416bda1cc4c147836b

  • C:\Users\Admin\AppData\Roaming\AF34AFB69E0AD18E\bhutan.exe

    Filesize

    2.7MB

    MD5

    d47d413547e7ce9bf6b452439f3866a6

    SHA1

    6a795e52652fabb79680c6e6469f18eb007547aa

    SHA256

    ca1b9cf687917d780931d2c1b38fac9342167535bdd0ef96d1b8984efa4e0ff4

    SHA512

    29561e52da7689c8c8c5e6a185d89f433663e478a7646de4d0c969097b931473570b8ecf27b42e185e7d7a7755ec7d80dfe585f40df748416bda1cc4c147836b

  • C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

    Filesize

    2.7MB

    MD5

    d47d413547e7ce9bf6b452439f3866a6

    SHA1

    6a795e52652fabb79680c6e6469f18eb007547aa

    SHA256

    ca1b9cf687917d780931d2c1b38fac9342167535bdd0ef96d1b8984efa4e0ff4

    SHA512

    29561e52da7689c8c8c5e6a185d89f433663e478a7646de4d0c969097b931473570b8ecf27b42e185e7d7a7755ec7d80dfe585f40df748416bda1cc4c147836b

  • \Users\Admin\AppData\Roaming\AF34AFB69E0AD18E\bhutan.exe

    Filesize

    2.7MB

    MD5

    d47d413547e7ce9bf6b452439f3866a6

    SHA1

    6a795e52652fabb79680c6e6469f18eb007547aa

    SHA256

    ca1b9cf687917d780931d2c1b38fac9342167535bdd0ef96d1b8984efa4e0ff4

    SHA512

    29561e52da7689c8c8c5e6a185d89f433663e478a7646de4d0c969097b931473570b8ecf27b42e185e7d7a7755ec7d80dfe585f40df748416bda1cc4c147836b

  • \Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

    Filesize

    2.7MB

    MD5

    d47d413547e7ce9bf6b452439f3866a6

    SHA1

    6a795e52652fabb79680c6e6469f18eb007547aa

    SHA256

    ca1b9cf687917d780931d2c1b38fac9342167535bdd0ef96d1b8984efa4e0ff4

    SHA512

    29561e52da7689c8c8c5e6a185d89f433663e478a7646de4d0c969097b931473570b8ecf27b42e185e7d7a7755ec7d80dfe585f40df748416bda1cc4c147836b

  • memory/364-67-0x0000000001140000-0x000000000182E000-memory.dmp

    Filesize

    6.9MB

  • memory/364-71-0x0000000001140000-0x000000000182E000-memory.dmp

    Filesize

    6.9MB

  • memory/364-77-0x0000000077570000-0x00000000776F0000-memory.dmp

    Filesize

    1.5MB

  • memory/364-76-0x0000000001140000-0x000000000182E000-memory.dmp

    Filesize

    6.9MB

  • memory/364-66-0x0000000001140000-0x000000000182E000-memory.dmp

    Filesize

    6.9MB

  • memory/364-70-0x0000000077570000-0x00000000776F0000-memory.dmp

    Filesize

    1.5MB

  • memory/364-68-0x0000000001140000-0x000000000182E000-memory.dmp

    Filesize

    6.9MB

  • memory/364-69-0x0000000001140000-0x000000000182E000-memory.dmp

    Filesize

    6.9MB

  • memory/1120-81-0x0000000000D50000-0x000000000143E000-memory.dmp

    Filesize

    6.9MB

  • memory/1120-78-0x0000000000D50000-0x000000000143E000-memory.dmp

    Filesize

    6.9MB

  • memory/1120-80-0x0000000000D50000-0x000000000143E000-memory.dmp

    Filesize

    6.9MB

  • memory/1120-79-0x0000000000D50000-0x000000000143E000-memory.dmp

    Filesize

    6.9MB

  • memory/1120-82-0x0000000000D50000-0x000000000143E000-memory.dmp

    Filesize

    6.9MB

  • memory/1460-65-0x00000000020E0000-0x00000000027CE000-memory.dmp

    Filesize

    6.9MB

  • memory/1884-55-0x0000000000380000-0x0000000000440000-memory.dmp

    Filesize

    768KB

  • memory/1884-58-0x0000000000380000-0x0000000000440000-memory.dmp

    Filesize

    768KB

  • memory/1884-54-0x0000000075201000-0x0000000075203000-memory.dmp

    Filesize

    8KB