Analysis
-
max time kernel
145s -
max time network
139s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
15/04/2023, 15:45
General
-
Target
574afcec719331221014fefc45e623e57ff81468b21fcbc186fa7f448be48a40.exe
-
Size
585KB
-
MD5
9a75a6d3afd26306f563d96dc2517225
-
SHA1
fadb011bcecdd3919242b4019d0746772ac48ce6
-
SHA256
574afcec719331221014fefc45e623e57ff81468b21fcbc186fa7f448be48a40
-
SHA512
3ee3787329425f3e71b507d58b84797df54f82e535e23b146a3185e892c93628daec0e9fe6fd3d64bef50ec4e1f378e93c45fd38ae3e11aafd6c4f8bfff56782
-
SSDEEP
1536:6aRU9m4HYvSIX0u+7+j71iMs5gU5OuTcjCNON9PApdpihLNafpo:kOhX0N7+f1iV5bcj0wWduLIho
Malware Config
Extracted
cryptbot
http://bluejackover.com/gate.php
Signatures
-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\574afcec719331221014fefc45e623e57ff81468b21fcbc186fa7f448be48a40.exe"C:\Users\Admin\AppData\Local\Temp\574afcec719331221014fefc45e623e57ff81468b21fcbc186fa7f448be48a40.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\putdemovl.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\putdemovl.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\putdemovl.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\putdemovl.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\putdemovl.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\putdemovl.exe3⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\putdemovl.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout -t 55⤵
- Delays execution with timeout.exe
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
32B
MD5a3a36a25ef7c683aa2f509aec17e6a71
SHA114cea488cd54796c32f02d2fbc946e752c447dce
SHA2562812845af7c11d6a096a483dfc01badebdd2671c2e825fbacf4cfe4aa7e6b9a4
SHA5125e2ee9c0d967ae960e4280924a91992e5f7a4d6fe0c7af1a6f4e734e2f32da6d7b74b3b27846c689713e64c482d4b85f87ce3dd3309299b13fad7f46eab4a192
-
Filesize
72KB
MD52b8e1b75b4d4fdf0c640838191ac3946
SHA1dfac012ccaa015f6a9ec5bd1c55ffa7b8074fb7f
SHA25617a69481ffd684f025b0fe6b0f22529bd8454c49915e580da43fcb08a0c56e4e
SHA5123c4de03250813dc78b772cc7e3246ac2726c37fae00844bfceda683e05506b53ba7ea95a06e2929e8ec736ccd50a9138e9f6e3c80980ebde5ed7ac66f06cc038
-
Filesize
351.0MB
MD5a0255d2458d8a8089b444120e94c0057
SHA178a82cb307b5b9e82e26a36f6bba3d79464746fc
SHA256234c8b8c391d17d2bb64f12db5ac50b2bfaf81e57f1b233daeb3f0e4429ababa
SHA51240ae6484c161535c21a87e05d94e04ead1fc4054256051f092654bdfaddc25c58a612da8c23ecc959ecbc31d450cad4500da12d23be2c203de6e28ad157051f7
-
Filesize
351.0MB
MD5a0255d2458d8a8089b444120e94c0057
SHA178a82cb307b5b9e82e26a36f6bba3d79464746fc
SHA256234c8b8c391d17d2bb64f12db5ac50b2bfaf81e57f1b233daeb3f0e4429ababa
SHA51240ae6484c161535c21a87e05d94e04ead1fc4054256051f092654bdfaddc25c58a612da8c23ecc959ecbc31d450cad4500da12d23be2c203de6e28ad157051f7
-
Filesize
351.0MB
MD5a0255d2458d8a8089b444120e94c0057
SHA178a82cb307b5b9e82e26a36f6bba3d79464746fc
SHA256234c8b8c391d17d2bb64f12db5ac50b2bfaf81e57f1b233daeb3f0e4429ababa
SHA51240ae6484c161535c21a87e05d94e04ead1fc4054256051f092654bdfaddc25c58a612da8c23ecc959ecbc31d450cad4500da12d23be2c203de6e28ad157051f7
-
Filesize
351.0MB
MD5a0255d2458d8a8089b444120e94c0057
SHA178a82cb307b5b9e82e26a36f6bba3d79464746fc
SHA256234c8b8c391d17d2bb64f12db5ac50b2bfaf81e57f1b233daeb3f0e4429ababa
SHA51240ae6484c161535c21a87e05d94e04ead1fc4054256051f092654bdfaddc25c58a612da8c23ecc959ecbc31d450cad4500da12d23be2c203de6e28ad157051f7
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
136KB
-
Filesize
584KB
-
Filesize
3.3MB
-
Filesize
520KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.6MB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
472KB
-
Filesize
300KB
-
Filesize
112KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
216KB