Analysis Overview
SHA256
5a1a8ce59103a53a79bab7db80b55ade80805711dad05d3e974d8f252bf53e2b
Threat Level: Known bad
The file 335f90c29d9255fa1239707c5beb9600 was found to be: Known bad.
Malicious Activity Summary
CryptBot payload
CryptBot
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Runs ping.exe
Checks processor information in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 10:57
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 10:57
Reported
2024-01-10 09:47
Platform
win7-20231215-en
Max time kernel
146s
Max time network
146s
Command Line
Signatures
CryptBot
CryptBot payload
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | "C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe" |
| C:\Windows\SysWOW64\dllhost.exe | dllhost.exe |
| C:\Windows\SysWOW64\cmd.exe | cmd /c cmd < Immobilita.jpeg |
| C:\Windows\SysWOW64\cmd.exe | cmd |
| C:\Windows\SysWOW64\findstr.exe | findstr /V /R "^mumoPPZWGBimmUlaTguxGjzvRKrMQXdfkNTRNxDOmizugKidJWVUULLjMedyLjuIlRhMwaFmKaVnTjoiCMeTevxAwGtKrnejqKVvvxfd$" Deposto.jpeg |
| C:\Windows\SysWOW64\PING.EXE | ping localhost -n 30 |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | Ottobre.exe.com U |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com U |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ObMLxgUcjfInosLKibMCGj.ObMLxgUcjfInosLKibMCGj | udp |
| US | 8.8.8.8:53 | ewazqx71.top | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Immobilita.jpeg
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Respirato.jpeg
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Deposto.jpeg
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mani.jpeg
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 10:57
Reported
2024-01-10 09:48
Platform
win10v2004-20231215-en
Max time kernel
168s
Max time network
181s
Command Line
Signatures
CryptBot
CryptBot payload
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe | "C:\Users\Admin\AppData\Local\Temp\335f90c29d9255fa1239707c5beb9600.exe" |
| C:\Windows\SysWOW64\dllhost.exe | dllhost.exe |
| C:\Windows\SysWOW64\cmd.exe | cmd /c cmd < Immobilita.jpeg |
| C:\Windows\SysWOW64\cmd.exe | cmd |
| C:\Windows\SysWOW64\findstr.exe | findstr /V /R "^mumoPPZWGBimmUlaTguxGjzvRKrMQXdfkNTRNxDOmizugKidJWVUULLjMedyLjuIlRhMwaFmKaVnTjoiCMeTevxAwGtKrnejqKVvvxfd$" Deposto.jpeg |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | Ottobre.exe.com U |
| C:\Windows\SysWOW64\PING.EXE | ping localhost -n 30 |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com U |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ObMLxgUcjfInosLKibMCGj.ObMLxgUcjfInosLKibMCGj | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Immobilita.jpeg
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Deposto.jpeg
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Respirato.jpeg
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ottobre.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mani.jpeg