Analysis Overview
SHA256
d4036c235fca73a67732d884564991184b7a8ea148784f0cd70fa07adbd8e160
Threat Level: Known bad
The file 2fa9185ceeb1d25e8bde77a4cf3f70d4 was found to be: Known bad.
Malicious Activity Summary
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Checks installed software on the system
Enumerates physical storage devices
Program crash
Unsigned PE
Delays execution with timeout.exe
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 08:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 08:49
Reported
2024-01-10 02:33
Platform
win10v2004-20231215-en
Max time kernel
5s
Max time network
151s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe
"C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3980 -ip 3980
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\IflgAoZb & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe"
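The process tree above is the host-side footprint worth alerting on: the sample crashes (WerFault.exe is launched with -p 3980, its PID), it spawns cmd.exe to wipe the IflgAoZb staging directory, waits three seconds with timeout, and then deletes its own executable. The Python below is an added example and is not part of the sandbox report or of the CryptBot sample: it runs a few rules over process-creation records constructed from the Processes section. PID 3980 is taken from the WerFault -p argument; the other PIDs, the parent/child relationships and the record field names are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EID 1 / 4688 style). Field names are an assumption."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe"
STAGING = r"C:\Users\Admin\AppData\Local\Temp\IflgAoZb"

# Constructed from the report's Processes section. PID 3980 comes from the
# WerFault "-p 3980" argument; every other PID/PPID value is an assumption.
EVENTS = [
    ProcEvent(3980, 1200, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4100, 3980, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1656"),
    ProcEvent(4200, 3980, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\system32\\cmd.exe" /c rd /s /q {STAGING} & timeout 3 & del /f /q "{SAMPLE}"'),
    ProcEvent(4300, 4200, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "del [/switches] <path>" up to the next "&" or end of line; quotes optional.
DEL_RE = re.compile(r'\bdel\s+(?:/\w\s+)*"?([^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)
RD_RE = re.compile(r"\brd\s+/s\s+/q\s+(\S+)", re.IGNORECASE)
WER_PID_RE = re.compile(r"-p\s+(\d+)")


def ancestors(event, by_pid):
    """Walk the parent chain; stops on unknown PIDs or PID reuse cycles."""
    seen, cur = set(), by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def detect(events):
    """Return (rule, pid, detail) tuples for the behaviours listed in the report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = e.image.rsplit("\\", 1)[-1].lower()
        parent = by_pid.get(e.ppid)
        if name == "werfault.exe":
            # Crash of a binary running out of %TEMP%: the -p argument names the faulting PID.
            m = WER_PID_RE.search(e.cmdline)
            if m and int(m.group(1)) in by_pid:
                crashed = by_pid[int(m.group(1))]
                if TEMP_DIR_RE.search(crashed.image):
                    findings.append(("crash_of_temp_binary", crashed.pid, crashed.image))
        elif name == "timeout.exe":
            # Execution delay anywhere under a %TEMP% binary (direct child or via cmd.exe).
            if any(TEMP_DIR_RE.search(a.image) for a in ancestors(e, by_pid)):
                findings.append(("delay_under_temp_binary", e.pid, e.cmdline))
        elif name == "cmd.exe" and parent is not None:
            # Self-deletion: the "del" target is the parent's own image path.
            m = DEL_RE.search(e.cmdline)
            if m and m.group(1).strip().lower() == parent.image.lower():
                findings.append(("self_delete", parent.pid, parent.image))
            # Anti-forensics: recursive, quiet removal of a staging directory in %TEMP%.
            m = RD_RE.search(e.cmdline)
            if m and TEMP_DIR_RE.search(m.group(1)):
                findings.append(("wipe_temp_staging_dir", e.pid, m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

The self-delete rule keys on the parent image rather than on a fixed filename, so it also fires when the dropper name changes; the timeout rule walks the whole ancestor chain because the delay may be a direct child of the sample or, as in the command line above, a child of the cmd.exe it spawned.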
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | smarew72.top | udp |
| US | 8.8.8.8:53 | moriwi07.top | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | guruzo10.top | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.13.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
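Most of the DNS traffic in the table above is reverse (PTR) lookups and Bing background noise from the sandbox host itself; the rows that matter are the queries for smarew72.top, moriwi07.top and guruzo10.top and the direct TCP connection to 138.91.171.81:80, which has no preceding name lookup. The Python below is an added example, not part of the report: it triages rows constructed from the table, converts each PTR name back to the IP it was asking about, and emits Suricata DNS-query alert rules (5.x dns.query syntax) for the remaining domains. The benign-suffix allow-list and the SID range are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed subset of the report's Network table: (country, destination, domain, proto).
ROWS = [
    ("US", "8.8.8.8:53", "138.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "59.128.231.4.in-addr.arpa", "udp"),
    ("US", "138.91.171.81:80", "", "tcp"),  # direct connection, no lookup
    ("US", "8.8.8.8:53", "smarew72.top", "udp"),
    ("US", "8.8.8.8:53", "moriwi07.top", "udp"),
    ("US", "8.8.8.8:53", "guruzo10.top", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
]

# Assumption: OS/sandbox background noise to drop; tune per environment.
BENIGN_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com")
PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.IGNORECASE)


def ptr_to_ip(name):
    """Turn 'd.c.b.a.in-addr.arpa' back into 'a.b.c.d'; None if not a valid PTR name."""
    m = PTR_RE.match(name)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ValueError:  # an octet above 255
        return None


def triage(rows):
    """Bucket rows into reverse lookups, known noise, candidate C2 domains and bare IP connections."""
    buckets = defaultdict(set)
    for _country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        if not domain:
            buckets["direct_ip_connections"].add(f"{host}:{port}/{proto}")
            continue
        ip = ptr_to_ip(domain)
        if ip is not None:
            buckets["reverse_lookups"].add(ip)
        elif domain.lower().endswith(BENIGN_SUFFIXES):
            buckets["background_noise"].add(domain)
        else:
            buckets["candidate_c2_domains"].add(domain.lower())
    return {k: sorted(v) for k, v in buckets.items()}


def suricata_rules(domains, base_sid=9000001):
    """One DNS-query alert per domain (Suricata 5+ 'dns.query' sticky buffer); SIDs are an assumption."""
    return [
        f'alert dns any any -> any any (msg:"CryptBot C2 lookup {d}"; dns.query; '
        f'content:"{d}"; nocase; sid:{base_sid + i}; rev:1;)'
        for i, d in enumerate(sorted(set(domains)))
    ]


if __name__ == "__main__":
    result = triage(ROWS)
    for bucket, items in result.items():
        print(bucket, items)
    for rule in suricata_rules(result.get("candidate_c2_domains", [])):
        print(rule)
```

Reversing the PTR names shows which addresses the host was resolving (40.126.32.138 and 59.128.231.4 for the two rows kept above), which is how you tell sandbox or Windows telemetry noise from the sample's own traffic; the bare 138.91.171.81:80 connection is kept as its own bucket because a connect without any lookup usually means a hard-coded address in the binary.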
Files
memory/3980-2-0x0000000002110000-0x00000000021F1000-memory.dmp
memory/3980-3-0x0000000000400000-0x00000000004E5000-memory.dmp
memory/3980-1-0x00000000005F0000-0x00000000006F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IflgAoZb\_Files\_Information.txt
| MD5 | 4acf52d8e7aeb6431a490e496629b00f |
| SHA1 | 3f9685780ca99e785a5c3a091bdab8fe9a1276ed |
| SHA256 | 4a0ff175f19c61c4022e007561604675ea25421c50b8481be29c3c70e73aa30a |
| SHA512 | c1f85f5e2d3e0c5dae8fdc55d5b28621821604b2ca423613c1ad5d2683e312364fbd55f72927694eca388c006016b408ed12dbab5cfb96375353f4a1aa7a14db |
C:\Users\Admin\AppData\Local\Temp\IflgAoZb\files_\system_info.txt
| MD5 | 31452b021289566b8db2b97bcd38c0ca |
| SHA1 | 44773d79aac77efb76fb00b36b2752ef29a72f79 |
| SHA256 | d6f1e03b48dd1d7f8d35e07a60f84f05ab8d7c229d233937497b29b60217bf78 |
| SHA512 | 39432c57a532fa73fbe0c3c6d9bcb67fd630ce77e07b2f17695068ce43b923db0186555a5c75284801400c5641b33075fb29b7103bf45fa62b39f9565ecb8c45 |
C:\Users\Admin\AppData\Local\Temp\IflgAoZb\_Files\_Screen_Desktop.jpeg
| MD5 | c98befb5e2e7dd6f642156a48dbcc01b |
| SHA1 | 780c50dc484fd7dca4b89527cd62aa23039df521 |
| SHA256 | 6b9c28a21f16a94fcc05afebad9d84f4253a1f247e784c736c3169ea87b7e8d2 |
| SHA512 | 13e4818e2821c41d97f060bd5939ad5dcc310753da0408466fc10cabece16411bc5e9690d0da3f8ad6fd465bb54614b3ed9d2d98cbf0dffd2c2fefca62035b81 |
C:\Users\Admin\AppData\Local\Temp\IflgAoZb\_Files\_Information.txt (second write of the same path; digests differ from the first copy listed above)
| MD5 | d973f047917ebc78b4dda4b0a85bc8ef |
| SHA1 | a8b454c7fa725626e4699f6fe02f12125963188a |
| SHA256 | f6b916c122279ac258028787de809314dbadde0b583bfd404a0fb85ab2b6948f |
| SHA512 | cdeab64234c5bbb7a24bb0e96eb79af98d1563839b8dc7432c77c0c1c369926af1618e59e241a6d7f3118acae5eea3053b464bd8fb5433031535b3382aaf5c60 |
memory/3980-213-0x0000000000400000-0x00000000004E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IflgAoZb\files_\SCREEN~1.JPG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Note: these four digests are the well-known hashes of a zero-byte input, so the screenshot file was empty when the sandbox captured it; do not use them as indicators.
C:\Users\Admin\AppData\Local\Temp\IflgAoZb\files_\SYSTEM~1.TXT
| MD5 | 1feed4f2f2047d7403cf74f3871ba012 |
| SHA1 | 53d3d012f60144d862525d88da2d41fa418b7129 |
| SHA256 | 38e63575621ac99235c7faaadcd6dc55fa2c36a45a98e0ad68e6691696098be7 |
| SHA512 | 9df2bff8634f51d8015373e9bf02b437095ef4fde31a2cc917a836c0c330fde83831baa7c86b5367fe3c1a0fdefe2f3063ba9f1e40c705e082b87032ef03d4fb |
memory/3980-221-0x0000000002110000-0x00000000021F1000-memory.dmp
memory/3980-220-0x0000000000400000-0x00000000004E5000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 08:49
Reported
2024-01-10 02:33
Platform
win7-20231215-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe
"C:\Users\Admin\AppData\Local\Temp\2fa9185ceeb1d25e8bde77a4cf3f70d4.exe"
Network
Files
memory/2296-3-0x0000000000400000-0x00000000004E5000-memory.dmp
memory/2296-2-0x00000000004F0000-0x00000000005D1000-memory.dmp
memory/2296-1-0x00000000005F0000-0x00000000006F0000-memory.dmp
memory/2296-6-0x0000000000400000-0x00000000004E5000-memory.dmp
memory/2296-7-0x00000000004F0000-0x00000000005D1000-memory.dmp