Analysis Overview
SHA256
7ef4fa243476257544a992beb265e6f26ea3a3f439488d27bd9700cae2199ae8
Threat Level: Known bad
The file ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe was found to be: Known bad.
Malicious Activity Summary
CryptBot
CryptBot payload
Manipulates Digital Signatures
Reads user/profile data of web browsers
Executes dropped EXE
Reads data files stored by FTP clients
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-09 18:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-09 18:40
Reported
2024-01-09 18:42
Platform
win7-20231215-en
Max time kernel
1s
Max time network
122s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe | "C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c dOPsYvb |
| C:\Windows\SysWOW64\certutil.exe | certutil -decode Sorso.xltm Pallore.accde |
| C:\Windows\SysWOW64\cmd.exe | cmd /c certutil -decode Sorso.xltm Pallore.accde & cmd < Pallore.accde |
| C:\Windows\SysWOW64\cmd.exe | cmd |
| C:\Windows\SysWOW64\findstr.exe | findstr /V /R "^VagMWnXqBIFcKZdYcTQuiOWIjFBjSYnEBJsCtnoFZOuMjCNfLyEyGViicGmsXKiClqUqIOUWLkuzIlcJRjBNxaYFClubZRHgGDBk$" Sapro.vst |
| C:\Windows\SysWOW64\certutil.exe | certutil -decode Subitanea.xlsx l |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 30 |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com l |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com | Illusione.com l |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | oRegnnIvXUERNtJlw.oRegnnIvXUERNtJlw | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pallore.accde
| MD5 | ff0a5d410cb9c7ac26fb826444110430 |
| SHA1 | 999a5a7c1957091e2972974db59f02c7465e1d4a |
| SHA256 | 660bf9d18618e101d9f547ee57329731e8c36d9e6b41c22b8d2db5aceadf4e6c |
| SHA512 | 6958e216cb2b872f1df7626be10a097ef1ab8990a5cad354e2002f872acab0b162d55d882735c3f477a528cb41142f3254e68ae30b07a1ccf97e58c882c0c8cc |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorso.xltm
| MD5 | 8ed844dfd87dade7cf42085edcbeed5b |
| SHA1 | 6a32bd4c765b720988105f155ff0f7ef24d4d635 |
| SHA256 | 39960e1c7fe74e983fc1f3772a0fca8be5835d4928524dd56848b459c232756c |
| SHA512 | 26258c17fe26db165c583aa91ad33179dc5ed1069382e2dd25ed96b3061376e01bddf5dfc5ef1fdc3004741e87855bd31ddc99c0e0eb3732c575df402c1fd48c |
memory/2604-25-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2604-27-0x00000000037B0000-0x0000000003893000-memory.dmp
memory/2604-28-0x00000000037B0000-0x0000000003893000-memory.dmp
memory/2604-26-0x00000000037B0000-0x0000000003893000-memory.dmp
memory/2604-30-0x00000000037B0000-0x0000000003893000-memory.dmp
memory/2604-31-0x00000000037B0000-0x0000000003893000-memory.dmp
memory/2604-29-0x00000000037B0000-0x0000000003893000-memory.dmp
memory/2604-32-0x00000000037B0000-0x0000000003893000-memory.dmp
memory/2604-35-0x00000000037B0000-0x0000000003893000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-09 18:40
Reported
2024-01-09 18:44
Platform
win10v2004-20231215-en
Max time kernel
174s
Max time network
182s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | C:\Windows\SysWOW64\certutil.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe | "C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c dOPsYvb |
| C:\Windows\SysWOW64\cmd.exe | cmd /c certutil -decode Sorso.xltm Pallore.accde & cmd < Pallore.accde |
| C:\Windows\SysWOW64\certutil.exe | certutil -decode Sorso.xltm Pallore.accde |
| C:\Windows\SysWOW64\cmd.exe | cmd |
| C:\Windows\SysWOW64\findstr.exe | findstr /V /R "^VagMWnXqBIFcKZdYcTQuiOWIjFBjSYnEBJsCtnoFZOuMjCNfLyEyGViicGmsXKiClqUqIOUWLkuzIlcJRjBNxaYFClubZRHgGDBk$" Sapro.vst |
| C:\Windows\SysWOW64\certutil.exe | certutil -decode Subitanea.xlsx l |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com | Illusione.com l |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 30 |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com l |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | oRegnnIvXUERNtJlw.oRegnnIvXUERNtJlw | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fhjweheef37.top | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fhjweheef37.top | udp |
| US | 8.8.8.8:53 | fhjweheef37.top | udp |
| US | 8.8.8.8:53 | fhjweheef37.top | udp |
| US | 8.8.8.8:53 | fhjweheef37.top | udp |
| US | 8.8.8.8:53 | fhjweheef37.top | udp |
| US | 8.8.8.8:53 | fhjweheef37.top | udp |
| US | 8.8.8.8:53 | fhjweheef37.top | udp |
| US | 8.8.8.8:53 | fhjweheef37.top | udp |
| US | 8.8.8.8:53 | fhjweheef37.top | udp |
| US | 8.8.8.8:53 | fhjweheef37.top | udp |
| US | 8.8.8.8:53 | fhjweheef37.top | udp |
| US | 8.8.8.8:53 | fhjweheef37.top | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorso.xltm
| MD5 | 8ed844dfd87dade7cf42085edcbeed5b |
| SHA1 | 6a32bd4c765b720988105f155ff0f7ef24d4d635 |
| SHA256 | 39960e1c7fe74e983fc1f3772a0fca8be5835d4928524dd56848b459c232756c |
| SHA512 | 26258c17fe26db165c583aa91ad33179dc5ed1069382e2dd25ed96b3061376e01bddf5dfc5ef1fdc3004741e87855bd31ddc99c0e0eb3732c575df402c1fd48c |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pallore.accde
| MD5 | ff0a5d410cb9c7ac26fb826444110430 |
| SHA1 | 999a5a7c1957091e2972974db59f02c7465e1d4a |
| SHA256 | 660bf9d18618e101d9f547ee57329731e8c36d9e6b41c22b8d2db5aceadf4e6c |
| SHA512 | 6958e216cb2b872f1df7626be10a097ef1ab8990a5cad354e2002f872acab0b162d55d882735c3f477a528cb41142f3254e68ae30b07a1ccf97e58c882c0c8cc |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sapro.vst
| MD5 | 524c5cb95000d79ff092ac1bbc834051 |
| SHA1 | 9015a75614448901985a74caf632aca9742fb6f9 |
| SHA256 | 797d9bb4e5dc777f4204fdb50ce85b3ed956e3e151c06e1d78d97663a81cd042 |
| SHA512 | 6a9af9fc45e87ca35c447a409d554984820b11de2871b3ccfef9b46685055d979b17352b649dd6344f23566a1c1fe829c58994125c58b59622656dae0344a4e1 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Subitanea.xlsx
| MD5 | 6f738d19c97ad52482daaeb7dd740f56 |
| SHA1 | 65c1a1e843906a8f557f9d83001d61925d9bc9d2 |
| SHA256 | 85cd887056455ce2d4ac5ba252eec2baa91d1f0b75f30afec153bb02941fbb88 |
| SHA512 | 01733aaa9a0234bedb3714e37fdf585e5b82ece6dc5a2ddc650c4a074fed94f0190fe538e097a8e69b5eba60764c726a5606f122dcba471e1a213baa56d13869 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com
| MD5 | 78ba0653a340bac5ff152b21a83626cc |
| SHA1 | b12da9cb5d024555405040e65ad89d16ae749502 |
| SHA256 | 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7 |
| SHA512 | efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l
| MD5 | 05eb879d18fb669c75062eef75a5c50d |
| SHA1 | 9aec8a888907ece2a20d184324d9d2f61b01e592 |
| SHA256 | 911dd3e2748cea7b384f51b6c5d41a5d252533b32b299f4480ce23d3595f683d |
| SHA512 | 60c832b8a164a59535ace303bd55ecaca48c63d53c46be4e28e7a539f4fcc8327cae5cbeb529119edf862e521c52c3bc529bdd8c08070785847b333836af543b |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Aveva.vss
| MD5 | 970b6737c469629d6a289d1c1ff45a62 |
| SHA1 | c94b7d73545fcfebf16d74864816de0083448afc |
| SHA256 | 6d93374eed3e39ed112d76647c8df9a0a4651970d0dec309a1370483ddd06864 |
| SHA512 | eabe5c49d52a31cda5b25e3aa8d02ff8f12eec1f02eb07818fcda6f186f87aa23ded297193ef5dcdb56bff7ea6ea42750753685a66d95e6b40a92ab0d8b63016 |
memory/5000-22-0x0000000000B80000-0x0000000000B81000-memory.dmp
memory/5000-23-0x0000000003C80000-0x0000000003D63000-memory.dmp
memory/5000-24-0x0000000003C80000-0x0000000003D63000-memory.dmp
memory/5000-25-0x0000000003C80000-0x0000000003D63000-memory.dmp
memory/5000-26-0x0000000003C80000-0x0000000003D63000-memory.dmp
memory/5000-27-0x0000000003C80000-0x0000000003D63000-memory.dmp
memory/5000-28-0x0000000003C80000-0x0000000003D63000-memory.dmp
memory/5000-30-0x0000000003C80000-0x0000000003D63000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fFHhCRcSq\_Files\_Information.txt
| MD5 | 2bf79bf9edc025cdd506262ff04778c8 |
| SHA1 | b104dbbecc498d0e2dafce37547f6df86d04b9c9 |
| SHA256 | 67223d8c890c33a8a06f3fd86f2b1d15420398a505973eec5658457a304d06a9 |
| SHA512 | 7791c77d35adb926ca5d2e33bd1284a994ae2b328024dd5150d4f20538f0ee4dfda30d100f7de3e93f0305fd1bcfd6c52618702292427c6c661566aaed79feae |
C:\Users\Admin\AppData\Local\Temp\fFHhCRcSq\_Files\_Information.txt
| MD5 | 5acacc18c14175f65496c9e456d10b3f |
| SHA1 | 7be1529525269f71d920ac20f2a9e6cbb20a5e52 |
| SHA256 | 84efc45170a3b75b5725f42196ddaf9d5e3d9ded7dca7789e7737ab3144af6d5 |
| SHA512 | c5a4c9153cdde62b61881a55e19e0f50a01d38c7deb033d5f14f9ce86db08f14aceda383cf0cdcc14fe893941e8a9e6bef39ce47c092609f4ce96fdc6f8ae065 |
C:\Users\Admin\AppData\Local\Temp\fFHhCRcSq\_Files\_Screen_Desktop.jpeg
| MD5 | a2b6fe410de3a3aa8495868c9e59dc7d |
| SHA1 | 104d47f6192e0a4986251da56df58837d34eb6e9 |
| SHA256 | dfdd4d026c5cdae7526181080ba465294e8f7fb84407af8aab41e0e1ab50da95 |
| SHA512 | f0eeade79b9563dc1341b7e49b650ef9555c0ae01fea17c53e9300c48495f3c71767052c3e6c009c9d3cf3ea605e59d4803a30b1f80d3bac82a2acda6b7eb785 |
C:\Users\Admin\AppData\Local\Temp\fFHhCRcSq\files_\system_info.txt
| MD5 | 62f646cdc1347714a98cd4994ed274dc |
| SHA1 | fe72676cb86e51295f432cfe2c4d52c9996ad6de |
| SHA256 | 40ae7ef5cc6143869dab891da7c13fcc9444fa2617c3d0939af041dccdc4475a |
| SHA512 | 4c56fbb8fe08440df764a6366feffb307dec0b72bedb8ce5052961fa9ca6e69a47109b8f1eb2f3ec445e518518924f315a7cbfec0f3f654cf98849c2f07ca629 |
C:\Users\Admin\AppData\Local\Temp\fFHhCRcSq\files_\system_info.txt
| MD5 | cd9b62233ad25912384bbb98c9c1b7d6 |
| SHA1 | b365c3c1f99ffdcd45dde38952ad133d28a2f0d0 |
| SHA256 | 0053d55f566a6701ec596032ba1c7fa0861832968cb26ad4dada4b130dfcfcb0 |
| SHA512 | cce4d2948789c6d146b2629cf6234889dec989813fcad38d38232751606056dc0cf8120b1b26fb4e4c009a06d2a98e47f43589f31c6cf2c598a3635fb85da601 |
C:\Users\Admin\AppData\Local\Temp\fFHhCRcSq\_Files\_Files\OptimizeUninstall.txt
| MD5 | 7f43502e321a9638eca593044a20ee3d |
| SHA1 | 48583ce38eee8c899641bda2e3fefe3f36aac19e |
| SHA256 | ca1fac42968df2ee10f16b153a7133ecfbc611a321d8209981a83a4aa07f1493 |
| SHA512 | ab84aaad62f9e9fa0fda032811db5aee2e05e78b9a9c5d067c1016eadd5d65a1c01798cb478366ce4854f3956b40613da4105314b9923f7fb32d4e14e1f2946a |
C:\Users\Admin\AppData\Local\Temp\fFHhCRcSq\_Files\_Files\RenameEnable.txt
| MD5 | 06374e31ac45bdf090518c00cea0acd7 |
| SHA1 | 76ae839518a7fa0e31ffe781dfa87cb76cc26c02 |
| SHA256 | ed0ca6e20c094d7d59caca6781758bcd8ae85ec16ebd3088edd486706e2dcf61 |
| SHA512 | ab5e19b12b444c413130c3720857b81fd0aad1935c7758f4f60fbbe482c6cda7a3ddeda501709e0e20314ee63be37cd05568d050b30ae1401042a7ef59c5472a |
memory/5000-250-0x0000000003C80000-0x0000000003D63000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fFHhCRcSq\fiYRGoGXMOv.zip
| MD5 | ddbbf6bd61d7ff783622803cd29441db |
| SHA1 | ac3033b0ff4f250ab8fdbf660c173efc8d7ac436 |
| SHA256 | 7e4bff1e6ef87e5f4d4a0dfc7b659b65d5b536114e3a523d5bb14efa9508f01a |
| SHA512 | 61619a6edc5dd8af4d507309b2ca5b41cdb042c506dc0342b9b0094a0b41c6a8fbbafe4283bb9477af6558fd0ce73603b2c01af5a7e1f462ed0ca4cd37cc0ae0 |