Malware Analysis Report

2024-10-23 17:14

Sample ID 231228-2zygyscdf5
Target fe905ed17bcf3e53a9a38f0ace182e96
SHA256 2027a3fc488a5ecfa69e9a9057c8975e2d28cd6c937197ec69fc896c971285c3
Tags cryptbot discovery persistence spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 2027a3fc488a5ecfa69e9a9057c8975e2d28cd6c937197ec69fc896c971285c3

Threat Level: Known bad

The file fe905ed17bcf3e53a9a38f0ace182e96 was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery persistence spyware stealer

CryptBot payload

CryptBot

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-28 23:01

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-28 23:01

Reported

2024-01-09 22:33

Platform

win7-20231215-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1848 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe | C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe | C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe | C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe | C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe | C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe | C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe | C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe | C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 3040 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 3040 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 3040 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 3040 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 2756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3040 wrote to memory of 2756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3040 wrote to memory of 2756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3040 wrote to memory of 2756 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3040 wrote to memory of 2764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
PID 3040 wrote to memory of 2764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
PID 3040 wrote to memory of 2764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
PID 3040 wrote to memory of 2764 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
PID 3040 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 3040 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2764 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
PID 2764 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
PID 2764 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
PID 2764 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com

Processes

C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe

"C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c UcNzcjbM

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 30

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com

Poi.exe.com o

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^fEQJhwnKKuicpzjpscwvTJMvNeQkoysJJdDVeObWsMNmmUcuUwpUoKgFSxVlkhBEObLTPduDXttuWhWTGJsiVbAZwY$" Orti.sys

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com o

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Amo.sys

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | UFXrFoIFneEBVxJsXMSQh.UFXrFoIFneEBVxJsXMSQh | udp
US | 8.8.8.8:53 | ewaqfe45.top | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dov.sys

MD5 05e66b1939889acce5eecc4cf792d683
SHA1 31f073c4ff06b7fa89a54fb0313af2acc4088642
SHA256 a7532f39d502044bbc668cfd4d4a479d8c38fed9eeb0eccdcc2b3de286ee8a94
SHA512 d873b1353d4ee94de13f81653ae5b6738bcfbddc44c6fb6b1d2354adf8844b6ce9a8a2e5a0fd5f7e1570691f8468f1137398e979704a30dff7795e21c37de320

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com

MD5 a47c61ddcbe27461e7eafcf45f98aed7
SHA1 c458e780c0d157cf65abd4174a96f4dc855af01c
SHA256 9e9d18b35a520d4d2beb61c6fed7a2438e3a15fd3c6b05692a7bbfc75d95d5c3
SHA512 c9741d765564c9dd259a443cdc4b9e8d38acf9f085174825ac66cfe7c315a9cd192e7975a04ba8348700e60ea7cd18dc6455ba3dd0096a27e730c2655cb7a56f

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com

MD5 9c6ac7039da46878db35990a4494fad4
SHA1 c70b26005f1195a3ec96afb9b2e2a311e8865f5e
SHA256 73c9c1f3ea716234fd8946a99d32ad420699776af5df36803c396e63cf1a044b
SHA512 88d0a81ddc03b01bea0f0866b5be4f8a66440afb1249b6a3414df34d0b8598d9ae683c5b49e43e0c3103b34a2abb874817673b115bc6df9bad8aa825fe401ec8

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\o

MD5 ce6561957aa2ff202a8fd131dcc2865b
SHA1 1f3a5b9cd166f72539e45e3b3cb4302c3569f8e8
SHA256 787682588d67b0de45595288ce9e39b37023b1a1573118155e9f2691d59c083f
SHA512 d6701afc6d20211d7fdf2741c91024f9edbf787e8566d2011a1c47a72d3b5bfec24f21847fdffbb56f221258efa6c15ce5944e9b1c7c010458eae6a3af56cf6a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Orti.sys

MD5 e2547dcf55d47ffb69ae8badf09571ac
SHA1 b11e27e5e436e34929b5d84deb29972de1e4495b
SHA256 5298a1ae13f4409c8ef3e019692338b3d6545a494f813f6d35c88cdbd2c9ebc1
SHA512 5ed197d9301e0fc615eadb12af5d8eb1ea735f0f84c21bc7a88dcb41f146c9db8213c9679ddf08346af3899a56919f23085ee2e8e7286fdcbb661cca806d349d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amo.sys

MD5 66712fc92a4d05bfc412b18541a1e8df
SHA1 bf4fb00e6b894338aea687cbf537c90fc255710a
SHA256 750eed4b135f1ea433781bc4b9bb26029b2c49dbc647248460b3409329d30e0f
SHA512 a792210dacd9018a16b3071deb823d0a9d66ec86d043d7dae5049bbec74dbf7446565d4262b01cf3acefa7088e344d15651339e7a831f96c3b68aa88e3bd8049

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com

MD5 24aba0addcef79e931696f40a65f22b8
SHA1 efe8ae3a32dac73d4f60518b879d1be8c2119916
SHA256 de4ac324ac73d439e9ec7d2f1e31d592e036bd8400299549569967f5d619232f
SHA512 2d1a2a765b099180e81725798e0aca118885004a34a231ae8236c36ed53f50cde15220121368d2fbf1666b9e51115e2f3a5d453b6eef37418e3ab6234d287fb1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com

MD5 d75189a31a054571e9d3c4e289ab5de0
SHA1 e210cb44dfc18de4ba14a7177d97545759ea32b5
SHA256 6b9181fdd9783c22f06a07d48c256a7e1e61b6dea96b9dbfe7fba073dc226192
SHA512 427ea62044db3cd9b68afc6862aad3395f1920e847b70869175cdeb287d40c1a878f016d72e66146ca56e1aeb739d6cbb1b17899d09cd68a12a3e73cd8debf09

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cancellato.sys

MD5 a19f25da97e5d39ef4ce2251eb5814ab
SHA1 afda12d873a40cecd1cb51422cd71efb41372072
SHA256 6638a728543e9ed47f24925f30dc491332736a9a42e7ba0270a87db57a134523
SHA512 4793da9fe84158d914fafcae92d41ecf39b904ebff7e0c1b62c7c9a6d31e33e2be7d71e2c5dcc7725718e494c863f97a53806fa0753d86b6c3e50a3de1860dca

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com

MD5 68e2367febb72a998b89e4afff55e5a7
SHA1 30754bf92feb3fab87cf307dcdfbd354edfee270
SHA256 c80dac88e33e54a15bcc1cf8c0da425317cc2ec59522799933133ee702c4e379
SHA512 1756fe5cbb3cef53362ae1fe44386c4177206a8be673375d26bbe9f0a486f6957de3219485a027f1d6862c90f09e29ab802904a79ab5a572aad2ffc568c82efb

memory/2888-24-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2888-26-0x0000000003890000-0x0000000003933000-memory.dmp

memory/2888-27-0x0000000003890000-0x0000000003933000-memory.dmp

memory/2888-25-0x0000000003890000-0x0000000003933000-memory.dmp

memory/2888-30-0x0000000003890000-0x0000000003933000-memory.dmp

memory/2888-29-0x0000000003890000-0x0000000003933000-memory.dmp

memory/2888-28-0x0000000003890000-0x0000000003933000-memory.dmp

memory/2888-31-0x0000000003890000-0x0000000003933000-memory.dmp

memory/2888-32-0x0000000001230000-0x0000000001231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\_Files\_Information.txt

MD5 ab076fcf100fce5f09c71ef0b866a00f
SHA1 ca1a0c85a5e7c9f5ee158d84e8fbd9538ea1bb12
SHA256 d9add941d40fbbb19624e7f04498dc335485949421e6e95c9272b8b08283bc24
SHA512 10be64488502a21af5e488be525816cd9b58ae40a2a8176c4d85baf6498ec606540571b8e95275fbb92e8230e8c0b2ccb4ec5844ad6fc66dbdc8100aff0e4098

C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\_Files\_Information.txt

MD5 8a2dcc256282bc2e83af7bd38c1c3e26
SHA1 d854a11599532f7eb2c084051817b45b02418807
SHA256 c66e222beabcf3e575b79d1f8e1f209bc5689579bd120076626d8885d835d86d
SHA512 af08c1263d06c4e2beee05157d9ee6f469f71316b3407ff742c7dcad5ded55ca0605435b3c195fa8d3a58eee1215c047020d85f110c7f3cc14dff8448d210fa2

C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\_Files\_Information.txt

MD5 505eb04cba71c5b64c28c90775164605
SHA1 07969d39187c7c1ac18ce66bb3e9a244c9583d8e
SHA256 ced40fbc5bc5d15212ebbd1688801ef4448254d9e78be974a59f8ac32271c8ce
SHA512 aa708ecdd659f02814f47761885dcd068bf4ff6cc28e6710d1dd25e4e7ed62fa3d85444111f4624a925638eedd6dac6d33fbf9cc93cdcad24872623c3b9edc4a

C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\_Files\_Information.txt

MD5 2eb97898ea7b5ba70a54b48e116ebc5e
SHA1 dd1f77c1b084b638ed9d7a9764bd3e5137fe9192
SHA256 4296a005ee525c2e9fae850f95f8b022d7613db797ec9a88ff6af0939059787d
SHA512 724dc735e439a103de9fa7ca92ffb858c332d62084edcc0d6bfb14f6c33415ad48e24850c77e43d7198e65da955f4b8a2a8d8865613205dee2d80986a615d476

C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\_Files\_Screen_Desktop.jpeg

MD5 0cc1ba97471bdd798850320490346a89
SHA1 ea5ae006cb80e16e33a8fcbe9d6cb24394be589f
SHA256 e26bf2e797121b4602be9a517604fdb59dcfaa5d778843d4d3ec1ee836b78334
SHA512 b25242f517588f5d2b0b145c209fe13199d89c7a7df9f35051329b6535e26ff63ca86e2f885e0770e1d343b06528bfb68de945a55018fecd4a7356d9f2b16dda

C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\files_\system_info.txt

MD5 bc24221700edfc74ca9d6217a9635108
SHA1 c763992ed47c122607a6ef6eb75e29b08c7cf084
SHA256 deec0cf52e37a9bb05c0131438c1817f64b423d9b45ec767997587c32bf00b7e
SHA512 f942f35811bf1cc75dd7c7477370a543eb9f85464886567a26b23f981a18f837122a4319a9ca4bc25334bcb4c72e323ef778f8110cb86858e38616fdcb8d3a49

C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\files_\system_info.txt

MD5 00272f530355ed9a808822cd5004f36e
SHA1 ee2f54c1d1a85f243891a03f66f9bff91509ceec
SHA256 a335153f5ca25fdcbe0b8f41225f26f2189876121af0df9efc023a9faff04572
SHA512 afeda1fd0f4df247555a1ca3bb5e2ed439d4a2428130e34650090695bcb3de63d1c9e885efbe6d3cb30cbabc8a39d9dcf5f12178fedd6d245b963f5e3af0ec52

C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\files_\system_info.txt

MD5 9ec3aa377780a9f88cf728cc3d50f8ec
SHA1 8e3d24b8725f0f0c64bae65e2ea8abf6845a1ffd
SHA256 3983ffa8e35af2358b7dd50addec054ce5132feb595ed51b7ca1b7f6c17c2003
SHA512 f686ece883d7d0f4a1984b3a0c626d424d66892c26224848809dcbffb3aeb9141b6de2e133f74d4dc5ece315b4036d128e57c0e74969c9813d319c3a6e3acca5

C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\files_\system_info.txt

MD5 78de8c73a6192a07859b85d12ba75674
SHA1 b13f5055f141a49aa69c0738a95e7cfa857f9452
SHA256 aa31fa5d173a25de2981456705d28440ac7d8599defc838ce86e00f88920fc27
SHA512 120383574de8a0ca7bb6c19b0bc0ba12938d2ba39e9d0e47762db2dfb72055a9915751f81a69d9767766c0461390928e38771aecb5a95809ce16d7536f53f032

C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\files_\system_info.txt

MD5 bef5842ff3438a6d7db4fae5749f5400
SHA1 266d53bd91ab1a08a813ae12e3830c534f04400c
SHA256 999978604573788d308a43faac42a0f73f3b89f2d4594c607494a8a59cbb9193
SHA512 f920c030e3c530f259dabf3b14fd0099584d86cece828d2f30f43252705da61e50efbc828401c51f0c0f757dabc49c5526066eae80aa4fe8ec164ef5c21adb7f

memory/2888-251-0x0000000003890000-0x0000000003933000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ko5sY8lS6\LWnvpACPGyWrwu.zip

MD5 32b9f026d02bd7ac6d2ecb09c286351c
SHA1 370b322cbb15ef49ef9a50e190df89d784219848
SHA256 4dae7532d66c035509af4ac0b2a3f52394d414ef5c674413d43ced351fb84249
SHA512 ec83a43ee35addb761912b445566efd965f9f299c06a4d99cd9b5787acd10543470d3292a5cd80b89813d135226ef34c5c58d0ed9562bb105f2f0f3888c95dba

memory/2888-253-0x0000000001230000-0x0000000001231000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-28 23:01

Reported

2024-01-09 22:33

Platform

win10v2004-20231222-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3364 wrote to memory of 468 | N/A | C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe | C:\Windows\SysWOW64\cmd.exe
PID 3364 wrote to memory of 468 | N/A | C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe | C:\Windows\SysWOW64\cmd.exe
PID 3364 wrote to memory of 468 | N/A | C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe | C:\Windows\SysWOW64\cmd.exe
PID 3364 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe | C:\Windows\SysWOW64\cmd.exe
PID 3364 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe | C:\Windows\SysWOW64\cmd.exe
PID 3364 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe | C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 400 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 400 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 400 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 400 wrote to memory of 4784 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 400 wrote to memory of 4784 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 400 wrote to memory of 4784 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 400 wrote to memory of 4560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
PID 400 wrote to memory of 4560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
PID 400 wrote to memory of 4560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
PID 400 wrote to memory of 2836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 400 wrote to memory of 2836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 400 wrote to memory of 2836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 4560 wrote to memory of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
PID 4560 wrote to memory of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
PID 4560 wrote to memory of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com

Processes

C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe

"C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96.exe"

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^fEQJhwnKKuicpzjpscwvTJMvNeQkoysJJdDVeObWsMNmmUcuUwpUoKgFSxVlkhBEObLTPduDXttuWhWTGJsiVbAZwY$" Orti.sys

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 30

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com o

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com

Poi.exe.com o

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Amo.sys

C:\Windows\SysWOW64\cmd.exe

cmd /c UcNzcjbM

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | UFXrFoIFneEBVxJsXMSQh.UFXrFoIFneEBVxJsXMSQh | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ewaqfe45.top | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | ewaqfe45.top | udp
US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp
US | 8.8.8.8:53 | ewaqfe45.top | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ewaqfe45.top | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | ewaqfe45.top | udp
US | 93.184.221.240:80 |  | tcp
US | 8.8.8.8:53 | ewaqfe45.top | udp
US | 8.8.8.8:53 | ewaqfe45.top | udp
US | 8.8.8.8:53 | ewaqfe45.top | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | ewaqfe45.top | udp
US | 8.8.8.8:53 |  | udp
GB | 88.221.135.83:80 |  | tcp
GB | 88.221.135.83:80 |  | tcp
US | 8.8.8.8:53 |  | udp
GB | 96.17.178.173:80 |  | tcp
GB | 96.17.178.173:80 |  | tcp
US | 8.8.8.8:53 |  | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 204.79.197.200:443 |  | tcp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 204.79.197.200:443 |  | tcp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 |  | udp
GB | 96.17.178.173:80 |  | tcp
US | 8.8.8.8:53 | ewaqfe45.top | udp
US | 8.8.8.8:53 | morjau04.top | udp
GB | 96.17.178.173:80 |  | tcp
US | 8.8.8.8:53 |  | udp
GB | 96.17.178.173:80 |  | tcp
GB | 96.17.178.173:80 |  | tcp
GB | 96.17.178.173:80 |  | tcp
US | 8.8.8.8:53 |  | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dov.sys

MD5 12ff8e0efd9f2562d16b1e80732199d6
SHA1 72bee424ae31db9d44af600d3ed7efe2fd302feb
SHA256 04e8cb2989a65eba72595910983a478060804d0574f7601e63ca2a2019ea2f6d
SHA512 31e5fb89c6b1e8cf8d5880cd7be02bd211621fa9173f2e809565d050b019ff04926e12a2520c404fbf7d4ae1df9dcb52e2c6da6d68abbbaecdff6ebc7032a489

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cancellato.sys

MD5 54f0e73b5a88d409599b7e3e750d7b3e
SHA1 505d7e828d731229a6de916484cab7dedb46b514
SHA256 34ab271f23045173ce6aba259cc4a4e4c865bad16f477e6835a8bc5b7b522dbe
SHA512 1c351347ba9a1a14f9d115f62e79817e33e8029eae9f41096d082d2edd3faec7ced9fb6757750cd72d300c7b10f651f2466899cbb1586e0014a308f2aa874d9a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Orti.sys

MD5 6204adb9ff1ab1b352c0d002898066f8
SHA1 187a0baa6edf36c368228803ca848ff936d960f0
SHA256 286df8487ecbacbd539fe964823253f8d0a8f515079b44938b09a1a1bee2e6ee
SHA512 eb9478ff389a6e392d8db73240c0f917ad004ca685f35f74a36e5f779530b5f707eabb28f64be1c283c74e640817acf85b266508ee0d3360b43abfe08fc4ef32

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amo.sys

MD5 66712fc92a4d05bfc412b18541a1e8df
SHA1 bf4fb00e6b894338aea687cbf537c90fc255710a
SHA256 750eed4b135f1ea433781bc4b9bb26029b2c49dbc647248460b3409329d30e0f
SHA512 a792210dacd9018a16b3071deb823d0a9d66ec86d043d7dae5049bbec74dbf7446565d4262b01cf3acefa7088e344d15651339e7a831f96c3b68aa88e3bd8049

memory/3380-21-0x0000000004A20000-0x0000000004A21000-memory.dmp

memory/3380-24-0x0000000004B90000-0x0000000004C33000-memory.dmp

memory/3380-23-0x0000000004B90000-0x0000000004C33000-memory.dmp

memory/3380-22-0x0000000004B90000-0x0000000004C33000-memory.dmp

memory/3380-27-0x0000000004B90000-0x0000000004C33000-memory.dmp

memory/3380-26-0x0000000004B90000-0x0000000004C33000-memory.dmp

memory/3380-25-0x0000000004B90000-0x0000000004C33000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com

MD5 1947dc50b35f5fa74d801e6e603606da
SHA1 3e273830197f729a0d95a04e3f468c042791feea
SHA256 1a05861ffaff6a3e871203d69e21916bca3664674516d938fdc2394d2216c6f5
SHA512 06b7660b32f283d8c015007d7f8b857dae18128aa357569b4e608db3c8031ea517c43d8dcaba3b3ad530cdcf4f53b32e2b25a6f3fef88d94edd2ceb52365e9a8

memory/3380-29-0x0000000004B90000-0x0000000004C33000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TlJhrsicrHUr\_Files\_Information.txt

MD5 bed5729b972fc84784fee00f37b1a3ba
SHA1 279d15739db61ba6b1342ac9bcc13f35f4be63ef
SHA256 4a41eaed64a71d756be26ca15fdb9a8166982300f8a6f2676d6bc5a624a558a5
SHA512 f637fc660c5b741d7df53b31c0b9bcdf45249d2381f0da18123a929d5c8265d28a6d5b6e94d8b601490965359a7f3f51375d99fd9cdbdc74343a576a5c1dde5e

C:\Users\Admin\AppData\Local\Temp\TlJhrsicrHUr\_Files\_Screen_Desktop.jpeg

MD5 72bd4cd78cf511412e7ff5b1e9c2cab0
SHA1 9506acc465154ba16a270116deef0a21d2e59671
SHA256 0dd1f3acd39897d2b8014ca6f8374f9bd22d03d6e5ab8fe8f47b06a673915b5c
SHA512 9a87f47576748be24adbf58f9479e16314edfd96482b1381a89e6c43e225ebf1ea570c956f912cbb1d7f27dff2850a28e6398cf9d518e1125557410771b5918c

C:\Users\Admin\AppData\Local\Temp\TlJhrsicrHUr\_Files\_Information.txt

MD5 462ae8f6c55fe9f902a166e3195d26cb
SHA1 4aa75d7e3f59e730c1894ebb800fd7733bb558b8
SHA256 12fcfe636fc86ae93c7dea0b88afd91862944da26732f96727c9e9f6738f7f1a
SHA512 427d2281061f4c675ee7d331a4c3d108ede1991cdd7f33eb16c57da01726ac4461c11da267b18aace69dd39a3ea5cd04794073a97e609ab67c6929c08a245fb9

C:\Users\Admin\AppData\Local\Temp\TlJhrsicrHUr\_Files\_Information.txt

MD5 0a8477621b9c8e3c29af1bef6de5af4b
SHA1 62659149c21c4b89aaa2f5925f605ab2760a620c
SHA256 d6a5deccfd9f8054c330218118c39d9a0dc3d86e07ae3b3ed028ff30b1013fee
SHA512 9c49759d580af62549b0c3799b01330067dd919b1bdf9e598d03af0956c98491a6ecb5889d135246f66128dfe6eb64db82de06ca90b185fa5a4fe9546fe53b42

C:\Users\Admin\AppData\Local\Temp\TlJhrsicrHUr\files_\system_info.txt

MD5 388f28603075fd048569dd2193027c5a
SHA1 aeadf409ddd10eae410f288679febdc8e0cecb69
SHA256 8ed7d23b3cebc31f7edacdbef77c3171e9f5a54faf44cd795e019840449c05d5
SHA512 e22f761ac6ee5b598ded81dfe85796254643af395e071df74df21203636040ac3c0164b84e0fa7b7c00c385e3cc40a8893e492d0b419481a9555fad13ece92ca

C:\Users\Admin\AppData\Local\Temp\TlJhrsicrHUr\files_\system_info.txt

MD5 7f1dbdf77e6e19b6de4a449731940250
SHA1 8147f1e55532cb16ec18533bc96d98a4bba0b8e9
SHA256 5d55f3be7f56b5c683ddcbd8bf07ce7f49ee94de8f12acf88e7886bbe2ea76ca
SHA512 3d9604e6ff8e4a705a7a53276cad9a3847151b0bfda9f3c28a2766785dc8f78a6606d443463a6d3efcf668ef52c8706874ee37d0e11bac1ff9fe5e82dcd12cbe

C:\Users\Admin\AppData\Local\Temp\TlJhrsicrHUr\gThomeFTnYDdfx.zip

MD5 709e38c165791c0c77619cc62455707b
SHA1 60dbb775be4a83915bac31f669fdbda8f9db1d90
SHA256 0aebb247d2ad28f347d3b90b8d4a4367cd4b644227cf96c3c1bc0295601f02f6
SHA512 43464b16117f36a7c85bb75d713232303222a18b0e4503960942894562f68565432fef13e0f6e3bcaad395cac6809e7c470beee01834f5d00bd7cdfe8d01b803

memory/3380-237-0x0000000004B90000-0x0000000004C33000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TlJhrsicrHUr\RgjASIq4oE.zip

MD5 1f3d3651b297133747d9fb40e815628e
SHA1 a0707e4b04d1b74e62f8b29baa65820cac4793c4
SHA256 2ca85bbbacbaccda2c2638e8f572566bc334f139f6dab35e37e90445c9f8f06d
SHA512 6e52855ac3bd9bdd8f60f8ffa4f0390c6dc9e8666708f440efe9af1156b96d079b96024262483f19f15eda4c678c1602299c42728b18469e073254df10769beb