Analysis Overview
SHA256: 1c0e9c19952db42f2e8b9b8c158e1d761e1d58a548eda1b09984a510ed9c7541
Threat Level: Known bad
The file eace6cd84265058817841921eb59d13a.exe was found to be: Known bad.
Malicious Activity Summary
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsigned PE
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK: Enterprise Matrix V15 (no technique mapping is included in this export)
Analysis: static1
Detonation Overview
Reported: 2024-01-09 19:01
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-01-09 19:01
Reported: 2024-01-09 19:03
Platform: win7-20231129-en
Max time kernel: 143s
Max time network: 146s
Command Line: (not exported; the invocation is listed under Processes)
Signatures
CryptBot
CryptBot payload
4 matching events recorded; the export carries no description, indicator, process or target for them.
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
(no indicator details were exported for the four signatures above)
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe | N/A |
The \REGISTRY\MACHINE\ prefix is the kernel object-manager spelling of HKEY_LOCAL_MACHINE; user-mode tooling and Sysmon render the same key as HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0. ProcessorNameString is the CPU model string, which matches the system_info.txt collection seen in the behavioral2 run.
Suspicious use of FindShellTrayWindow
2 calls from C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe (description, indicator and target not exported)
Processes
C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe
"C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ewaumk24.top | udp |
| US | 8.8.8.8:53 | morzup02.top | udp |
Files
memory/2732-2-0x0000000000300000-0x00000000003A0000-memory.dmp
memory/2732-3-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/2732-1-0x00000000005A0000-0x00000000006A0000-memory.dmp
memory/2732-4-0x0000000000590000-0x0000000000591000-memory.dmp
memory/2732-222-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/2732-224-0x0000000000300000-0x00000000003A0000-memory.dmp
memory/2732-226-0x00000000005A0000-0x00000000006A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iTVcBtI\1bmrwfBkduO1K.zip
| MD5 | acc56d4bafdaa22903a2f89642a4dac4 |
| SHA1 | 03a32325e7fb2a3962d9a7ff85877931af969aa8 |
| SHA256 | b308197147bb70e7ca305f9577455ab93ffa7a6f3a4de1974ab3945b140007da |
| SHA512 | 35c691e0dd67cea7f7d412059bba8383d1a89e99b1d1763093d2224ff92f5b49a4be0206107eb146e424fab8006fd4121ee93d2fa95e8440f923d4e02b1ed56e |
memory/2732-228-0x0000000000590000-0x0000000000591000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-01-09 19:01
Reported: 2024-01-09 19:04
Platform: win10v2004-20231215-en
Max time kernel: 158s
Max time network: 169s
Command Line: (not exported; the invocation is listed under Processes)
Signatures
CryptBot
CryptBot payload
7 matching events recorded; the export carries no description, indicator, process or target for them.
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
(no indicator details were exported for the four signatures above)
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe | N/A |
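One way to hunt for the registry read recorded in both runs (the table above and its twin under behavioral1), as an added example that is not part of the sandbox report: it folds the kernel path spelling the sandbox logs into the HKLM form that host telemetry uses, then matches events against a watchlist holding that one key. The events are constructed for the example; the watchlist generalises from CentralProcessor\0 to any core index, which is this example's assumption. Caveat for detection engineers: Sysmon's registry events (12, 13, 14) cover key create/delete, value set and rename, not key opens or value reads, so this logic needs telemetry that records reads, such as an EDR's registry-read events or Security event 4663 with an audit SACL on the key.

```python
"""Flag reads of the CPU-description registry key recorded in the report.

Added example, not from the sandbox report. Events are constructed to
look like generic registry-access telemetry; the single watchlist entry
is the key the sandbox recorded, generalised (assumption) from
CentralProcessor\\0 to any core index.
"""
import re

# Registry paths reach a SIEM in several spellings. The sandbox logs the
# kernel object-manager form (\REGISTRY\MACHINE\...); user-mode tools log
# HKLM\... or HKEY_LOCAL_MACHINE\... . Fold them into one canonical form.
_PREFIXES = [
    (re.compile(r"^\\REGISTRY\\MACHINE\\", re.I), "HKLM\\"),
    (re.compile(r"^HKEY_LOCAL_MACHINE\\", re.I), "HKLM\\"),
    (re.compile(r"^\\REGISTRY\\USER\\", re.I), "HKU\\"),
    (re.compile(r"^HKEY_USERS\\", re.I), "HKU\\"),
]


def normalize_key(path):
    """Return the path with a canonical hive prefix, upper-cased for comparison."""
    path = path.strip()
    for pat, canon in _PREFIXES:
        m = pat.match(path)
        if m:
            path = canon + path[m.end():]
            break
    return path.upper()


# (canonical key pattern, value names of interest, label)
WATCHLIST = [
    (re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR\\\d+$"),
     {"PROCESSORNAMESTRING"},
     "CPU model string read (host fingerprinting / system_info collection)"),
]

# Constructed sample events: the two sandbox rows, a benign svchost read of
# an unrelated key, and a user-mode spelling of the same CPU key.
SAMPLE_EVENTS = [
    {"pid": 2732, "image": r"C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe",
     "op": "open", "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
     "value": None},
    {"pid": 2732, "image": r"C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe",
     "op": "query", "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
     "value": "ProcessorNameString"},
    {"pid": 1040, "image": r"C:\Windows\System32\svchost.exe",
     "op": "query", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion",
     "value": "ProductName"},
    {"pid": 4100, "image": r"C:\Users\Admin\Downloads\setup.exe",
     "op": "query", "key": r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1",
     "value": "ProcessorNameString"},
]


def find_fingerprint_reads(events):
    """Return events touching a watchlisted key (for value reads, a watched value too)."""
    hits = []
    for ev in events:
        key = normalize_key(ev["key"])
        value = (ev.get("value") or "").upper()
        for key_re, values, label in WATCHLIST:
            if not key_re.match(key):
                continue
            if ev["op"] == "query" and value not in values:
                continue
            hits.append({"pid": ev["pid"], "image": ev["image"], "op": ev["op"],
                         "key": key, "value": value or None, "label": label})
    return hits


if __name__ == "__main__":
    for h in find_fingerprint_reads(SAMPLE_EVENTS):
        print(h["pid"], h["op"], h["key"], h["value"] or "", "->", h["label"])
```

On a real host the open of CentralProcessor\0 is common (WMI, installers and system tools read it), so the value read from an unsigned binary running out of %TEMP%, as here, is the signal worth alerting on rather than the key open alone.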
Suspicious use of FindShellTrayWindow
2 calls from C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe (description, indicator and target not exported)
Processes
C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe
"C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewaumk24.top | udp |
| US | 8.8.8.8:53 | ewaumk24.top | udp |
| US | 8.8.8.8:53 | ewaumk24.top | udp |
| US | 8.8.8.8:53 | ewaumk24.top | udp |
| US | 8.8.8.8:53 | ewaumk24.top | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewaumk24.top | udp |
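Triage of the two Network tables (this one and the behavioral1 one), as an added example that is not part of the sandbox report: it separates the domains the sample itself asked for from the reverse-lookup and Microsoft background rows, counts the queries per domain, and checks whether any non-DNS flow to the domain followed. The rows are an abridged copy of the tables above (every ewaumk24.top and morzup02.top row is kept, the reverse-lookup and Bing rows are sampled); treating tse1.mm.bing.net as benign background is this example's assumption, not a judgement the report makes.

```python
"""Triage the sandbox Network tables: separate C2 candidates from noise.

Added example for this page, not part of the sandbox report. NETWORK_ROWS
is an abridged copy of the behavioral1 and behavioral2 Network tables;
BENIGN_BACKGROUND is an assumption of this example.
"""
import re
from collections import Counter

# Abridged copy of the two Network tables (all ewaumk24.top / morzup02.top
# rows kept; reverse-lookup and Bing rows sampled).
NETWORK_ROWS = """
| US | 8.8.8.8:53 | ewaumk24.top | udp |
| US | 8.8.8.8:53 | morzup02.top | udp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewaumk24.top | udp |
| US | 8.8.8.8:53 | ewaumk24.top | udp |
| US | 8.8.8.8:53 | ewaumk24.top | udp |
| US | 8.8.8.8:53 | ewaumk24.top | udp |
| US | 8.8.8.8:53 | ewaumk24.top | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewaumk24.top | udp |
"""

# Assumption: Microsoft-owned background traffic of a Windows 10 sandbox.
BENIGN_BACKGROUND = {"tse1.mm.bing.net"}

ROW_RE = re.compile(
    r"^\|\s*(\w+)\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]+?)\s*\|\s*(\w+)\s*\|$"
)


def parse_rows(text):
    """Parse '| country | ip:port | domain | proto |' rows; skip anything else."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "domain": domain.lower(), "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """Turn a reverse-lookup name back into the IPv4 address it asks about."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def classify(domain):
    if domain.endswith(".in-addr.arpa"):
        return "reverse_lookup"
    if domain in BENIGN_BACKGROUND:
        return "benign_background"
    return "candidate_c2"


def triage(text):
    dns_queries = Counter()
    contacted = set()
    ptr_ips = set()
    for r in parse_rows(text):
        kind = classify(r["domain"])
        if kind == "reverse_lookup":
            ptr_ips.add(ptr_to_ip(r["domain"]))
        elif kind == "candidate_c2":
            # A udp/53 row is only a query; the name may never have resolved.
            # Any other flow tagged with the domain means it was reached.
            if r["proto"] == "udp" and r["port"] == 53:
                dns_queries[r["domain"]] += 1
            else:
                contacted.add(r["domain"])
    domains = set(dns_queries) | contacted
    return {
        "candidate_c2": {d: {"dns_queries": dns_queries[d], "contacted": d in contacted}
                         for d in sorted(domains)},
        "reverse_lookup_ips": sorted(ip for ip in ptr_ips if ip),
    }


if __name__ == "__main__":
    for domain, info in triage(NETWORK_ROWS)["candidate_c2"].items():
        print(domain, info)
```

Two things the output makes explicit that the raw table hides: both candidate domains appear only as queries to 8.8.8.8 with no TCP flow following, so nothing resolved during the run (the repeated ewaumk24.top rows are a retry loop), and the reverse lookup for 200.197.79.204 is just the OS resolving the Bing address it had already connected to, not sample activity.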
Files
memory/3752-1-0x0000000000850000-0x0000000000950000-memory.dmp
memory/3752-2-0x00000000020F0000-0x0000000002190000-memory.dmp
memory/3752-3-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/3752-4-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/3752-5-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/3752-6-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/3752-7-0x0000000000850000-0x0000000000950000-memory.dmp
memory/3752-8-0x00000000020F0000-0x0000000002190000-memory.dmp
The following path is listed three times with different hashes: the sandbox captured three successive versions of the same file, so its contents changed while the run was in progress.
C:\Users\Admin\AppData\Local\Temp\La7Vd5cM8VDF\_Files\_Information.txt
| MD5 | eb46e22df190419f833b99ac6675779d |
| SHA1 | af5fb73f4b2b52c5f94bd3c62b8ee2bfbc8bd1cd |
| SHA256 | 4e7ad5447b2188d37d4459186d392805c06144b0ab5fed958629e31dbbbd3ffa |
| SHA512 | 5df3c6d3fcc910acff6265ee68554884543e80886b4f366498c268a554385d19daea22f4580470b324306c06b34706686b7ea996926beef3827fe5de9d48974c |
C:\Users\Admin\AppData\Local\Temp\La7Vd5cM8VDF\_Files\_Information.txt
| MD5 | 1d672df726b06220fd7bac4c8840bdfb |
| SHA1 | 71a578615f193173e2ad6bd52eeac297b546a5bf |
| SHA256 | cf50ef4a2b879dfa8848a558d44618dc605236629aa1e4f1c6a77ccc706d5e28 |
| SHA512 | 161def5f36af01cdaa3b24ac5588d384e48ccb59866c71aaa49258ddf383cd7efadf8e1821917f44db22fb4c3cd0b998e54ad7ec37b6212dbe176493a700cc50 |
C:\Users\Admin\AppData\Local\Temp\La7Vd5cM8VDF\_Files\_Information.txt
| MD5 | 4d4f3ea884cf16a44bf2fb9381533330 |
| SHA1 | 044fb511d5796c88e44936f86790b51100f0b747 |
| SHA256 | 2fc4d58f9c68d9e1788588e3597085bf6815688812b0c8b289516cc043a374a4 |
| SHA512 | 347daae8d155295a76ee26585a8db5802967bc87b3fa36407cd3f6e8b9218f8b71cdbd4ce62f3cd10b46b4280e3576e05b967d9e466848a975b7bd9de56e7743 |
C:\Users\Admin\AppData\Local\Temp\La7Vd5cM8VDF\_Files\_Screen_Desktop.jpeg
| MD5 | 6020ae6a78c026255896903896e41915 |
| SHA1 | 8150f91a97da34afd6f2b07522bdd46d57576e05 |
| SHA256 | b2ecad1518849cf10e5387c31ec06df01c4e947c68be265ea3c8cbfbaa45e297 |
| SHA512 | f7b052f7302e0e6fd0ae1b40515f4c21ff3d896161cbfae3c533740c3eeae61318d469d78be09171ec125ad59a7737a9ff6f723da1c873a9fa1d87fa966a769d |
C:\Users\Admin\AppData\Local\Temp\La7Vd5cM8VDF\files_\system_info.txt
| MD5 | dfb9cd1c06fcd881d1ff965022d87759 |
| SHA1 | 890e18595754330da8666a810d768a9325520c07 |
| SHA256 | 75b5975347d08889fe3cf7cf9f759d954a3b0dcaf86165111ce5fbe5a7c718c8 |
| SHA512 | 36a4c5300cfe627375873dedda7ffc13e8cb9999b67d7d91a6adf04f08bbc3fa50af34c025eddb6ef06d947ad2bd64abfa05debec6c0a879af255c81e99dc5e9 |
memory/3752-218-0x0000000000400000-0x00000000004C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\La7Vd5cM8VDF\LhDynhtVNgOznb.zip
| MD5 | 93967b40ff70c65b6c07ca32aa057e96 |
| SHA1 | 4da46c80aeb245b6ec95d1f338d5891a77798411 |
| SHA256 | f7fdedb4e9425e834885e5ef677a40c194091f93e4a1fbb70391dfb2a7d0508c |
| SHA512 | 953e08f1f51eba35ea8c9f36be6b0c18f41dcc571d021f80afde97ed7702142ee1a30792395ca5418abbf1b5aee80b6c3f6da0fe2323327b51d29d7a9321f003 |
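A file-write matcher for the staging layout the two runs leave behind (a random-named directory under %LOCALAPPDATA%\Temp holding _Files\ and files_\ output and a random-named .zip beside it), as an added example that is not part of the sandbox report. The paths are copied from the Files sections above plus a few constructed non-matching ones; the alphanumeric length bounds for the random directory and archive names are this example's assumption, widened around the four names observed here (iTVcBtI, La7Vd5cM8VDF, 1bmrwfBkduO1K, LhDynhtVNgOznb).

```python
"""Spot the staging layout recorded in the Files sections of the report.

Added example, not part of the sandbox report. SAMPLE_WRITES is built
from the report's paths plus constructed noise; the name-length bounds
in STAGING_RE are this example's assumption.
"""
import re
from collections import defaultdict

# Layout seen in the report: %LOCALAPPDATA%\Temp\<random>\ holding a
# _Files\ and files_\ collection tree and a <random>.zip next to them.
STAGING_RE = re.compile(
    r"^(?P<root>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[A-Za-z0-9]{6,16})\\"
    r"(?:(?P<sub>_Files|files_)\\(?P<name>[^\\]+)|(?P<zip>[A-Za-z0-9]{6,20})\.zip)$"
)

# File names the sandbox captured inside the staging tree.
KNOWN_COLLECTION_FILES = {"_Information.txt", "_Screen_Desktop.jpeg", "system_info.txt"}

# Constructed file-write list: the report's paths (one repeated, as the
# report shows three versions of _Information.txt) and some benign noise.
SAMPLE_WRITES = [
    r"C:\Users\Admin\AppData\Local\Temp\iTVcBtI\1bmrwfBkduO1K.zip",
    r"C:\Users\Admin\AppData\Local\Temp\La7Vd5cM8VDF\_Files\_Information.txt",
    r"C:\Users\Admin\AppData\Local\Temp\La7Vd5cM8VDF\_Files\_Information.txt",
    r"C:\Users\Admin\AppData\Local\Temp\La7Vd5cM8VDF\_Files\_Screen_Desktop.jpeg",
    r"C:\Users\Admin\AppData\Local\Temp\La7Vd5cM8VDF\files_\system_info.txt",
    r"C:\Users\Admin\AppData\Local\Temp\La7Vd5cM8VDF\LhDynhtVNgOznb.zip",
    r"C:\Users\Admin\AppData\Local\Temp\~DF3F1A2B.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\chrome_installer\setup.zip",
    r"C:\Windows\Temp\backup.zip",
]


def classify_write(path):
    """(staging root, 'collection'|'archive', file name) for a matching path, else None."""
    m = STAGING_RE.match(path)
    if not m:
        return None
    if m.group("sub"):
        return m.group("root"), "collection", m.group("name")
    return m.group("root"), "archive", m.group("zip") + ".zip"


def find_staging_dirs(paths):
    """Group matching writes by staging directory and summarise each one."""
    dirs = defaultdict(lambda: {"collected": set(), "archives": set()})
    for p in paths:
        hit = classify_write(p)
        if hit is None:
            continue
        root, kind, name = hit
        dirs[root]["collected" if kind == "collection" else "archives"].add(name)
    report = {}
    for root, d in dirs.items():
        report[root] = {
            "collected": sorted(d["collected"]),
            "known_collection_names": sorted(d["collected"] & KNOWN_COLLECTION_FILES),
            "archives": sorted(d["archives"]),
            # The archive is the exfil-ready stage; it may be all that is
            # left once the collection tree is cleaned up (as in behavioral1).
            "exfil_ready": bool(d["archives"]),
        }
    return report


if __name__ == "__main__":
    for root, summary in find_staging_dirs(SAMPLE_WRITES).items():
        print(root, summary)
```

The behavioral1 run shows why the archive rule stands on its own: only the zip under Temp\iTVcBtI\ was captured there, with no collection tree, so a rule that requires _Information.txt before it fires would miss that run entirely.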