Analysis
-
max time kernel
99s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
02/01/2023, 00:13
General
-
Target
InstallerAppSetup.exe
-
Size
325.9MB
-
MD5
eef2077222940d85cb9571717c29d263
-
SHA1
55cf9ddfab15589836f4bb5e50cfefab06f9a921
-
SHA256
fa838b0dbb429c61dcbef1a837e6840d6cfe8928c120dc76a30fb7146e7edcdb
-
SHA512
3e86e9fbb950bf515500cd3361a9348c6ac8474b074048ac7e03edf12d7d004ee5318568af61dd600bce866a59b54e5cf4efc544d93deda912d8a383e5865653
-
SSDEEP
49152:im6vBTjPh5zriTZ6KeC+LkT/RhlqCPFhMNvGQGQsQe8y15/jz7KiGlTT+5Gtoiy2:imgTK6Ah5gTZgoGx0Ivx0wWKf4F/VB
Malware Config
Extracted
cryptbot
http://luvasm712.top/gate.php
Signatures
-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\InstallerAppSetup.exe"C:\Users\Admin\AppData\Local\Temp\InstallerAppSetup.exe"1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C schtasks /create /tn \Mozilla\bqwggods /tr """"C:\Users\Admin\AppData\Roaming\pdsveoiww\mchost.exe""" """C:\Users\Admin\AppData\Roaming\pdsveoiww\mchost.chm"""" /du 9700:20 /sc once /st 00:05 /ri 1 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn \Mozilla\bqwggods /tr """"C:\Users\Admin\AppData\Roaming\pdsveoiww\mchost.exe""" """C:\Users\Admin\AppData\Roaming\pdsveoiww\mchost.chm"""" /du 9700:20 /sc once /st 00:05 /ri 1 /f3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\InstallerAppSetup.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout -t 53⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Roaming\pdsveoiww\mchost.exeC:\Users\Admin\AppData\Roaming\pdsveoiww\mchost.exe "C:\Users\Admin\AppData\Roaming\pdsveoiww\mchost.chm"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
172KB
MD596907358470716ecd839c83cbd2bd71c
SHA10e68ba16a07d9bb258e871360602ac86cf807e9a
SHA256bf431dfaf39b3daa481b16a9593993d3a05e08564bf3b0fbca183d3e6c7ffd86
SHA512cbecc8ad928b2c9ff9d7b121610712f7bc4d9f01b1b14e4f198329ba2a14108196a7c5b6bda70a9939583543f3bffda31a9842d1dccf7f26491fa7226846eeb1
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
868KB
-
Filesize
868KB