Analysis

  • max time kernel
    95s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • submitted
    20-09-2022 15:37

General

  • Target

    51190e0dc5495766f83213fd34009af5.exe

  • Size

    2.5MB

  • MD5

    51190e0dc5495766f83213fd34009af5

  • SHA1

    69d9b3995105cdfb7a86f3bbf9386ef214fb1290

  • SHA256

    af0403b7c12d7b7fa9c487eb4a6e68705e9247abf7bc542f77168bd4ed3408fb

  • SHA512

    fc5e535f3329e5042546b7f491a652152293bfeafedef2e06e0eba5706a16cc946c64f130d34879be6de6a740ae520fc65143910e29ab5bb3f48ffb63a8a5b28

  • SSDEEP

    24576:YoqqcSy2wbUXoArd8SFErUYZ+uNrLFW5CPNWqo0N4IJpsqbMFGf0gAF0NPHyO034:CqcJdiq+WZdgGf6RuyVJi

Malware Config

Extracted

Family

cryptbot

C2

http://dixuip12.top/gate.php

Attributes
  • payload_url

    http://luedil01.top/bhutan.dat

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 16 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51190e0dc5495766f83213fd34009af5.exe
    "C:\Users\Admin\AppData\Local\Temp\51190e0dc5495766f83213fd34009af5.exe"
    1⤵
    • Checks computer location settings
    • Maps connected drives based on registry
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:520
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\8EA9694A506A8239\bhutan.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:312
      • C:\Users\Admin\AppData\Roaming\8EA9694A506A8239\bhutan.exe
        C:\Users\Admin\AppData\Roaming\8EA9694A506A8239\bhutan.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1560
        • C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
          "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          PID:4332
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\51190e0dc5495766f83213fd34009af5.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\SysWOW64\timeout.exe
        timeout -t 5
        3⤵
        • Delays execution with timeout.exe
        PID:4680

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\8EA9694A506A8239\bhutan.exe

    Filesize

    2.7MB

    MD5

    d47d413547e7ce9bf6b452439f3866a6

    SHA1

    6a795e52652fabb79680c6e6469f18eb007547aa

    SHA256

    ca1b9cf687917d780931d2c1b38fac9342167535bdd0ef96d1b8984efa4e0ff4

    SHA512

    29561e52da7689c8c8c5e6a185d89f433663e478a7646de4d0c969097b931473570b8ecf27b42e185e7d7a7755ec7d80dfe585f40df748416bda1cc4c147836b

  • C:\Users\Admin\AppData\Roaming\8EA9694A506A8239\bhutan.exe

    Filesize

    2.7MB

    MD5

    d47d413547e7ce9bf6b452439f3866a6

    SHA1

    6a795e52652fabb79680c6e6469f18eb007547aa

    SHA256

    ca1b9cf687917d780931d2c1b38fac9342167535bdd0ef96d1b8984efa4e0ff4

    SHA512

    29561e52da7689c8c8c5e6a185d89f433663e478a7646de4d0c969097b931473570b8ecf27b42e185e7d7a7755ec7d80dfe585f40df748416bda1cc4c147836b

  • C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

    Filesize

    2.7MB

    MD5

    d47d413547e7ce9bf6b452439f3866a6

    SHA1

    6a795e52652fabb79680c6e6469f18eb007547aa

    SHA256

    ca1b9cf687917d780931d2c1b38fac9342167535bdd0ef96d1b8984efa4e0ff4

    SHA512

    29561e52da7689c8c8c5e6a185d89f433663e478a7646de4d0c969097b931473570b8ecf27b42e185e7d7a7755ec7d80dfe585f40df748416bda1cc4c147836b

  • C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

    Filesize

    2.7MB

    MD5

    d47d413547e7ce9bf6b452439f3866a6

    SHA1

    6a795e52652fabb79680c6e6469f18eb007547aa

    SHA256

    ca1b9cf687917d780931d2c1b38fac9342167535bdd0ef96d1b8984efa4e0ff4

    SHA512

    29561e52da7689c8c8c5e6a185d89f433663e478a7646de4d0c969097b931473570b8ecf27b42e185e7d7a7755ec7d80dfe585f40df748416bda1cc4c147836b

  • memory/520-133-0x0000000002DD0000-0x0000000002E90000-memory.dmp

    Filesize

    768KB

  • memory/520-136-0x0000000002DD0000-0x0000000002E90000-memory.dmp

    Filesize

    768KB

  • memory/520-132-0x0000000002DD0000-0x0000000002E90000-memory.dmp

    Filesize

    768KB

  • memory/1560-147-0x0000000000DA0000-0x000000000148E000-memory.dmp

    Filesize

    6.9MB

  • memory/1560-152-0x0000000000DA0000-0x000000000148E000-memory.dmp

    Filesize

    6.9MB

  • memory/1560-143-0x0000000000DA0000-0x000000000148E000-memory.dmp

    Filesize

    6.9MB

  • memory/1560-145-0x0000000077B60000-0x0000000077D03000-memory.dmp

    Filesize

    1.6MB

  • memory/1560-144-0x0000000000DA0000-0x000000000148E000-memory.dmp

    Filesize

    6.9MB

  • memory/1560-146-0x0000000000DA0000-0x000000000148E000-memory.dmp

    Filesize

    6.9MB

  • memory/1560-148-0x0000000077B60000-0x0000000077D03000-memory.dmp

    Filesize

    1.6MB

  • memory/1560-153-0x0000000077B60000-0x0000000077D03000-memory.dmp

    Filesize

    1.6MB

  • memory/1560-141-0x0000000000DA0000-0x000000000148E000-memory.dmp

    Filesize

    6.9MB

  • memory/4332-154-0x0000000077B60000-0x0000000077D03000-memory.dmp

    Filesize

    1.6MB

  • memory/4332-155-0x00000000003A0000-0x0000000000A8E000-memory.dmp

    Filesize

    6.9MB

  • memory/4332-156-0x00000000003A0000-0x0000000000A8E000-memory.dmp

    Filesize

    6.9MB

  • memory/4332-157-0x00000000003A0000-0x0000000000A8E000-memory.dmp

    Filesize

    6.9MB

  • memory/4332-158-0x00000000003A0000-0x0000000000A8E000-memory.dmp

    Filesize

    6.9MB

  • memory/4332-159-0x00000000003A0000-0x0000000000A8E000-memory.dmp

    Filesize

    6.9MB

  • memory/4332-160-0x0000000077B60000-0x0000000077D03000-memory.dmp

    Filesize

    1.6MB

  • memory/4332-161-0x00000000003A0000-0x0000000000A8E000-memory.dmp

    Filesize

    6.9MB