Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Device/Har.../D.exe

windows7-x64

10

Device/Har.../D.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/09/2023, 20:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Device/HarddiskVolume1/FileHistory/[email protected]/LTP-566/Data/C/Users/SreejithKumaya/D.exe

  • Size

    3.8MB

  • MD5

    0afb947cb776933653e23d970a3d8d14

  • SHA1

    c8ab072395450ae11a6abf5323922d74c180d24a

  • SHA256

    ad08c7d20f5342efc20b4460ad66b0961a423804915012ab2969efe25e1288b5

  • SHA512

    ae031402db52a167e6754bf9c04b3f810ad0e2e1202349141f878dc89de6ad1fbfb586d1ef8aee3ca79efa70539dc18ec2da7ca74e3255c01e9956f57d987dc0

  • SSDEEP

    98304:zdh4mx3ywXIaszDU5j5eXOUvlDYL5JZNKdSC7ZUY6NsOoWNCCy9R:zP4s3hXIan5e+UNiuF7INNoWdyn

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

tuytee13.top

moriiikk07.top

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 17 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Blocklisted process makes network request 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume1\FileHistory\[email protected]\LTP-566\Data\C\Users\SreejithKumaya\D.exe
    "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume1\FileHistory\[email protected]\LTP-566\Data\C\Users\SreejithKumaya\D.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\SysWOW64\CScript.exe
      "C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\NextGen\lanret\Setup1.vbs" //e:vbscript //B //NOLOGO
      2⤵
      • Blocklisted process makes network request
      PID:4524
    • C:\Program Files (x86)\NextGen\lanret\1.exe
      "C:\Program Files (x86)\NextGen\lanret\1.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:116
    • C:\Program Files (x86)\NextGen\lanret\Setup1.exe
      "C:\Program Files (x86)\NextGen\lanret\Setup1.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4948
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\kdjuwker.exe"
        3⤵
          PID:2312
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ndqgbpxr.exe"
          3⤵
            PID:3708

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\NextGen\lanret\1.exe
        Filesize

        2.0MB

        MD5

        4632afa001ad4b9b2fa32a73deee9be2

        SHA1

        027bc0b083ecf0694622f570fb0dac89fbb6f8a4

        SHA256

        c4b1a76190d578a545a01940f158af937849920ab0e3eaef5688db745cb6aa58

        SHA512

        4c025455316cc015d0b32a83d5002b804d0a384bc44dd6cc6c60f5aac100746c5d353d9bd7b5b11c27195354c77fdc170f5d9cdbd7bc75082e951afb682ac7ec

        Download Submit

      • C:\Program Files (x86)\NextGen\lanret\1.exe
        Filesize

        2.0MB

        MD5

        4632afa001ad4b9b2fa32a73deee9be2

        SHA1

        027bc0b083ecf0694622f570fb0dac89fbb6f8a4

        SHA256

        c4b1a76190d578a545a01940f158af937849920ab0e3eaef5688db745cb6aa58

        SHA512

        4c025455316cc015d0b32a83d5002b804d0a384bc44dd6cc6c60f5aac100746c5d353d9bd7b5b11c27195354c77fdc170f5d9cdbd7bc75082e951afb682ac7ec

        Download Submit

      • C:\Program Files (x86)\NextGen\lanret\Setup1.exe
        Filesize

        2.1MB

        MD5

        56223d505921bba6a2eaed8efbc2586a

        SHA1

        a52b467278904f6cc309fc56bc45adc710f47c1e

        SHA256

        d1fb6a1beb12ae8f0fa8570c80515602c07ad9f22e22a8d92b8c9d0f26850dd8

        SHA512

        9ef9bd969a1c3f894bacd60d13139aecfdd49b585fec4d9aa66f080a8ce1b3592f51a33043a51a7bfd9dd9f7afb9e5687a4cea2f0cdd85b38603df1954b19718

        Download Submit

      • C:\Program Files (x86)\NextGen\lanret\Setup1.vbs
        Filesize

        126B

        MD5

        3ffc26d751f79fb801ecbb715885e852

        SHA1

        f54da1552aabfbf68ef07fa98234a8a1ff789a16

        SHA256

        8816d2a6adff6e256c6f478c46b283991feeb28dedc384914fe35f14f673d5d6

        SHA512

        08e00923d92f9141ec09ed420738126883772e359e6fc2e703a293020d0bb42b915d2a9961ba03676ab2ad43d8f4563b46778e119f22007073b1d9f1124c0d24

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\jwJPEOx\5ieZm5xUcewbRp.zip
        Filesize

        43KB

        MD5

        68f98e4479e2f27b4395dc80739beee2

        SHA1

        e372a6aaa8dfaa5ae69e341e1138096f0f356897

        SHA256

        96ef5319759769e43db3e932ccbb8c22c7f602a49918993d89508810d4ec8c72

        SHA512

        ba357bedae27117afbb2db9446575dfe60d3b0d165c58173d38122fd0b8b580d49f76af0cd0543466c2a8c0ffe3e79f007412f04a83e02ad7ed6c54ef292d8c8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\jwJPEOx\_Files\_Information.txt
        Filesize

        3KB

        MD5

        d0356d1340c5c85f6cc948d96217e1f6

        SHA1

        cb989ce089897e01ac1981f662afddbbcfd24f0f

        SHA256

        b41be6968d96da98368b54d6db9413225ee8368b4fbb9c835ff69848e3e99724

        SHA512

        4b6fa10ae9950ff748e18a13f7bcb3e9ba29b00565b0af80ab9ca5dd214c8fab589478f6e26a7f17844b41ffa582c336a40e0e8a17e9aecbcb0acce3415ef773

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\jwJPEOx\_Files\_Information.txt
        Filesize

        5KB

        MD5

        0546d64a8abb50dac275ba6070b87430

        SHA1

        40a3066d4e9a687e69cedc5e2e46d3bd43847e1e

        SHA256

        60587dfbc770bbd7ceba3f746518666d28dcee07c85fc4581ac6d08d49988c94

        SHA512

        4ac996a3ff93d806ba6c1803b557d625ef7ec89d1279105f4830bfc311bc5771a09cac3b939dadee8dd03057c96926f7e2409439b93ec710bc31252b61b1efa1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\jwJPEOx\_Files\_Information.txt
        Filesize

        482B

        MD5

        85cbcb54595136c78f4e1930dcc9915d

        SHA1

        8faf6ff7462efcd8a6673a5c5f48732809e38a40

        SHA256

        255e71176950ee1d91ccfe6e8ecd91c64c8ea104ae585410831033d441203aba

        SHA512

        959bba9abbfb0cc38ba88c124c09a69f4939933bb2dda0e7aeda47753c1e3c315e9a53e13d59d374b6f2b5974521edd3ca54a59e2529d95e8bcdee1177c8dc24

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\jwJPEOx\_Files\_Information.txt
        Filesize

        1KB

        MD5

        d31eed260d05ddf52f13c9261975fae4

        SHA1

        5ae24bcf7cb4d51c12c55a2b3ad9f429680613f6

        SHA256

        50090d0c0ad22ac02d8d03bbe68322935e1bf6baee6538ab2102e5dfd786eb87

        SHA512

        a1bc31e2790dd3d579b1ce26aab7236aa2895e0f0c74f0c2b5ef4ead4292a64da38d368817eab2bb46c19eedc843a113826b198a843fe024060fe0c10d4330fd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\jwJPEOx\_Files\_Information.txt
        Filesize

        1KB

        MD5

        e36fc16f49e42c4578f3b1f5ea58c6d1

        SHA1

        10a49c7f67f999d88806644e17b5c64596e9e6f5

        SHA256

        d948ea4e8796a5001af5350d41dd2a8b4e1946bffa5d255ae98a99e2578bb312

        SHA512

        fd3281539d7da00a9990ae2c6a38f5439e9c5639786b9a2383802ea3aa6c788ad92fc2446e0598e59df7c8f9aaabeea5dc4c2c8a2ca0de882fb29432380bb4c7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\jwJPEOx\_Files\_Information.txt
        Filesize

        3KB

        MD5

        ec3c09825e42d8ccb96f110ce04431be

        SHA1

        61fecc42a51b4a822b5dc5ce2cfb1299bdd4a02f

        SHA256

        40d37f46760a1dc8e77c1b19c1ab5d821bd2188090ad8df54defde472c9ac996

        SHA512

        06e042baf165d19516bcc07030e761eb9990f8e4052b4c07f97480287c0f0a1a04f17bc157663f54edb83fb43bdc3735fb56d49df65507b39c588a43dbc0744a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\jwJPEOx\_Files\_Information.txt
        Filesize

        3KB

        MD5

        4944e0340534f8b9e26f48c5248454cf

        SHA1

        c4d41bfc2015ffed9982e0faebc1e6ab39080140

        SHA256

        62b31b461d02c952077c607e14bf8e6dd2e06678dc9ff893b52aca4d1f25387c

        SHA512

        b459486644edc585a76ab15d06b853c7c2c77feaaf5758ed206e3ff9984b2332265289e1773d0acad9b69d52458b41d22dc93db7145bbb0f774f974b1dd5e32c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\jwJPEOx\_Files\_Information.txt
        Filesize

        3KB

        MD5

        2cc885096c8225ed54ddb6f50058d0c7

        SHA1

        c1fa736354127b4b1f6c1dc7fd9714febd97b1a6

        SHA256

        5a24203cc174ca96e1d85020febe58b09e606d0db713e61aa211535a12891fab

        SHA512

        3df556029c60d8091e518ac33aed4630f2bb07e23fbb1be4477c22e255bb8d00ae40e748782d1ebc9393281d3ea273663fb217ea0daf142f2a8203cbb366eb41

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\jwJPEOx\_Files\_Screen_Desktop.jpeg
        Filesize

        49KB

        MD5

        9735e9e2aea8627539014ad4af46eddc

        SHA1

        eeaaf66f563c4226abb136ca68ab0afa1b4d8b54

        SHA256

        87aa496d5723157c7a4e3a9a2d22373a1e77ea45d04dc54f8383e00673a2fe99

        SHA512

        9f6089133cb49db3f4402f7d55c3386dddf810f5bb7fc18423c6172a0223e825265d42a60857796cbf0ddcbfa56fe8bd190a0581361a7b51ef009ebae7b79eb3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\jwJPEOx\files_\system_info.txt
        Filesize

        5KB

        MD5

        56ec872a8668a1c15b475be8cb5a7da6

        SHA1

        f8a891a85b1bd7c670ecc1abcde3cdd6c9ce1d04

        SHA256

        d3dcfa983dc232ae8f570d47e3e7531c02f3789d016262b3ba6669c409c44976

        SHA512

        3b21e9ebd4b286079c61ee7a1a2c84ae618e4b4b1ffcb3be758e49b655da047b4b98b9c762fad3471e7787afd28bd7679e0dea5b410b90941325e77ba83328c0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\jwJPEOx\pDri3Zdv0R3s.zip
        Filesize

        43KB

        MD5

        beda229630a870b06b5a5d1bb341a6f7

        SHA1

        49b159edbcf50c6248923151741bdd7e94b11634

        SHA256

        80e1afd80888e0b3ac3bd83a06b50018a5cc9ff50b6c27a8811474ab79146604

        SHA512

        7341a49ea7a269269efdfa7dc91738151456cc7090827893ca1a9d7f6106b568b815ba7943db82fe7c75e788f7f23c21838ed357a2c1ca3ef2a8f0e6c7b32f07

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsb7DBC.tmp\UAC.dll
        Filesize

        14KB

        MD5

        adb29e6b186daa765dc750128649b63d

        SHA1

        160cbdc4cb0ac2c142d361df138c537aa7e708c9

        SHA256

        2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

        SHA512

        b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsb7DBC.tmp\UAC.dll
        Filesize

        14KB

        MD5

        adb29e6b186daa765dc750128649b63d

        SHA1

        160cbdc4cb0ac2c142d361df138c537aa7e708c9

        SHA256

        2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

        SHA512

        b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsb7DBC.tmp\nsExec.dll
        Filesize

        6KB

        MD5

        132e6153717a7f9710dcea4536f364cd

        SHA1

        e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

        SHA256

        d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

        SHA512

        9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsb7DBC.tmp\nsExec.dll
        Filesize

        6KB

        MD5

        132e6153717a7f9710dcea4536f364cd

        SHA1

        e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

        SHA256

        d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

        SHA512

        9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

        Download Submit

      • memory/116-242-0x0000000000F50000-0x0000000001450000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/116-275-0x0000000000F50000-0x0000000001450000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/116-41-0x00000000054B0000-0x00000000054B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/116-42-0x00000000054F0000-0x00000000054F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/116-43-0x0000000005500000-0x0000000005501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/116-44-0x0000000000F50000-0x0000000001450000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/116-260-0x0000000000F50000-0x0000000001450000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/116-38-0x0000000005490000-0x0000000005491000-memory.dmp

        Filesize

        4KB

        Download

      • memory/116-266-0x0000000000F50000-0x0000000001450000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/116-269-0x0000000000F50000-0x0000000001450000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/116-35-0x00000000054D0000-0x00000000054D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/116-271-0x0000000000F50000-0x0000000001450000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/116-39-0x00000000054E0000-0x00000000054E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/116-40-0x0000000005480000-0x0000000005481000-memory.dmp

        Filesize

        4KB

        Download

      • memory/116-37-0x0000000000F50000-0x0000000001450000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/116-257-0x0000000000F50000-0x0000000001450000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/116-21-0x0000000000F50000-0x0000000001450000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/116-255-0x0000000000F50000-0x0000000001450000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/116-230-0x0000000000F50000-0x0000000001450000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/116-231-0x0000000000F50000-0x0000000001450000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/116-252-0x0000000000F50000-0x0000000001450000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/116-234-0x0000000000F50000-0x0000000001450000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/116-249-0x0000000000F50000-0x0000000001450000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/116-246-0x0000000000F50000-0x0000000001450000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/116-36-0x00000000054C0000-0x00000000054C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/116-239-0x0000000000F50000-0x0000000001450000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/4948-33-0x00000000052E0000-0x00000000052E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4948-237-0x0000000000250000-0x000000000077B000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4948-235-0x0000000000250000-0x000000000077B000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4948-232-0x0000000000250000-0x000000000077B000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4948-229-0x0000000000250000-0x000000000077B000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4948-137-0x0000000000250000-0x000000000077B000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4948-34-0x00000000052B0000-0x00000000052B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4948-32-0x00000000052D0000-0x00000000052D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4948-31-0x00000000052C0000-0x00000000052C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4948-30-0x0000000000250000-0x000000000077B000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4948-29-0x00000000773B4000-0x00000000773B6000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4948-28-0x0000000000250000-0x000000000077B000-memory.dmp

        Filesize

        5.2MB

        Download