Analysis Overview
SHA256
11f1b6976617dd9180c13e3605183f58ef4ddcf3c93a41ec43c1dbf03cf1e9f1
Threat Level: Known bad
The file 4f50cf39b0256b79367090cc533779fc was found to be: Known bad.
Malicious Activity Summary
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-10 02:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-10 02:17
Reported
2024-01-10 02:19
Platform
win7-20231215-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\4f50cf39b0256b79367090cc533779fc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\4f50cf39b0256b79367090cc533779fc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f50cf39b0256b79367090cc533779fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f50cf39b0256b79367090cc533779fc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\4f50cf39b0256b79367090cc533779fc.exe
"C:\Users\Admin\AppData\Local\Temp\4f50cf39b0256b79367090cc533779fc.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ewaymo21.top | udp |
| US | 8.8.8.8:53 | morzup02.top | udp |
Files
memory/2232-2-0x0000000000540000-0x00000000005E0000-memory.dmp
memory/2232-3-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/2232-1-0x00000000002D0000-0x00000000003D0000-memory.dmp
memory/2232-4-0x0000000001F20000-0x0000000001F21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hea7lkEY\_Files\_Information.txt
| MD5 | bf9f0733d3d66ec0bcd9d75b3d2c8555 |
| SHA1 | 3e1fb07807a018473d274c873e700852dc8d9bcc |
| SHA256 | ce587e531a70cf196223f335492c7d6ca59ac0b4445a793be6e7fdd872af2f0e |
| SHA512 | 8d87df88d9f39c1cca24c4a14c6b3d476bdf828cdfd72b039292fa3051acc08ecaddca8bbdb81ef844b38245e0f768fde543b0a6ddb9decff04039b4e5a1512f |
C:\Users\Admin\AppData\Local\Temp\hea7lkEY\_Files\_Information.txt
| MD5 | 2d48213848cf869f3cbfd0b014b87f35 |
| SHA1 | 29424abad49648964102135a7207c0c82df0fc21 |
| SHA256 | 01d15ed82b481c0e6f8004901a6b29798e5a7f8d6625f7188da5e4bf89ea5b78 |
| SHA512 | 7a5aee0b338a3fc617ecd59e04c979283c9f2e110ef54599d96a45d1ab3f81d19dfa7568543012f1f086864430bfe742ba5446c5f8dee399e54c718b03e9f4f1 |
C:\Users\Admin\AppData\Local\Temp\hea7lkEY\_Files\_Information.txt
| MD5 | fdc33b63e72329231cae28979018033f |
| SHA1 | 804be36cb2d9daa0efacc6bab028d4b67faaaaea |
| SHA256 | 9bf99c888750571f7baef058beb00e633f487c5addcb016e687fd4b43a8a387e |
| SHA512 | 02f65777a83daeff4d97eec8a9b1dc6ad877fe329fa868d5aabb72d7ab47fde359cf5d637fca954b722141fdc1b748f8a8f8f031dd5b9eff14bd6b31344af378 |
C:\Users\Admin\AppData\Local\Temp\hea7lkEY\files_\system_info.txt
| MD5 | ee2fc61dd1b99d9023027bd94ed76238 |
| SHA1 | 77e5e714c9e873f39bc522ee42d01b1f7b1cf830 |
| SHA256 | 1dcd9767858111038ebe62dcce8313350e2d833f7ad2c1fa0ff5b511ffaef804 |
| SHA512 | 1ec379c240551c39c2264e80dbf5421a921e3c0b0a306b6c080a696c5f0b9523dfbcad824314e2727988f2c841e7017ae180fb258b079b477bc5aaf83cad5fb6 |
C:\Users\Admin\AppData\Local\Temp\hea7lkEY\files_\system_info.txt
| MD5 | 3c9664603b45bfe06e159907c072dbc7 |
| SHA1 | ba905b68673aec2f798445ed44166e1d108c3d3b |
| SHA256 | 567d1e2e9551f876ea5e66d12d06c3ad5a1e42766a535cc103d491f09cf30287 |
| SHA512 | b3da8b8a877e48e2549f2f0d688150d630a4cdeb703cb8be67637bb6e17c116628f7ef09358d3929348b350d3f987986312cbb0a168ad6209dcf0cf8c827149c |
C:\Users\Admin\AppData\Local\Temp\hea7lkEY\files_\system_info.txt
| MD5 | 38dd45697406ea402fc11de34ebf16d3 |
| SHA1 | ae9827994e0cda4037af0c84a1c35036a27ebd3e |
| SHA256 | 3d9166309dfe7a96271e4aaccf33b52ee03a4cbe21071c4a1b0987f30bb899a0 |
| SHA512 | 880841adffe071d3cf4d4275486318661dc35da5592435bd33997618439f5402deba94513fb95f9ea1019fef9bb0d0450b455fd4a75bfd51a788ba1fecd8a2df |
C:\Users\Admin\AppData\Local\Temp\hea7lkEY\_Files\_Screen_Desktop.jpeg
| MD5 | ed7ddda889be9a5e89f32878af5bd9d2 |
| SHA1 | f344579f66d4ca19b2fc8c88a76873115a6249ca |
| SHA256 | 7231e48f52880ac3094c2d3ba9831bd0eb4498f0086b9437d4d9d06144c12a14 |
| SHA512 | c03f803cfd880b70b7071b26f0a960f73de4e727d82a1121a849e3e25a49bdf59633b1825eb568867d11fb2642f12bb8d997224657f5a666298ae578ba1d6303 |
memory/2232-221-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/2232-223-0x00000000002D0000-0x00000000003D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hea7lkEY\iva6nZ0Xbh.zip
| MD5 | d258bfbbb4c4cdce5b6217bba071a675 |
| SHA1 | 18275e3c0abed32906ea7411cea02f94662d1917 |
| SHA256 | fc59407576d0de2f301d088c6bb9028e2a50d5a9f63e86ccc793f0e521ae0a33 |
| SHA512 | d77cb16986ae0f7ce006b7fe27f8fb4bc87737a63eb6fdbeaa31c85cc84269a698814f87ccc521704d0dad01732f3734887decfae4e0ebe013840999a73b56c2 |
memory/2232-227-0x0000000001F20000-0x0000000001F21000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-10 02:17
Reported
2024-01-10 02:20
Platform
win10v2004-20231215-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\4f50cf39b0256b79367090cc533779fc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\4f50cf39b0256b79367090cc533779fc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f50cf39b0256b79367090cc533779fc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f50cf39b0256b79367090cc533779fc.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\4f50cf39b0256b79367090cc533779fc.exe
"C:\Users\Admin\AppData\Local\Temp\4f50cf39b0256b79367090cc533779fc.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewaymo21.top | udp |
| US | 8.8.8.8:53 | ewaymo21.top | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewaymo21.top | udp |
| US | 8.8.8.8:53 | ewaymo21.top | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewaymo21.top | udp |
| US | 8.8.8.8:53 | ewaymo21.top | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewaymo21.top | udp |
| US | 8.8.8.8:53 | ewaymo21.top | udp |
| US | 8.8.8.8:53 | ewaymo21.top | udp |
| US | 8.8.8.8:53 | ewaymo21.top | udp |
| US | 8.8.8.8:53 | ewaymo21.top | udp |
| US | 8.8.8.8:53 | ewaymo21.top | udp |
| US | 8.8.8.8:53 | ewaymo21.top | udp |
| US | 8.8.8.8:53 | ewaymo21.top | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewaymo21.top | udp |
| US | 8.8.8.8:53 | ewaymo21.top | udp |
| US | 8.8.8.8:53 | morzup02.top | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | morzup02.top | udp |
| US | 8.8.8.8:53 | 185.13.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | morzup02.top | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | morzup02.top | udp |
| US | 8.8.8.8:53 | morzup02.top | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | morzup02.top | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/2900-1-0x0000000000620000-0x0000000000720000-memory.dmp
memory/2900-2-0x0000000002290000-0x0000000002330000-memory.dmp
memory/2900-3-0x0000000000400000-0x00000000004C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nXA7TM1r\_Files\_Information.txt
| MD5 | 6c1036dd7c203a463d58767bb8949d69 |
| SHA1 | 867f2cb419f070c72d1d9cbaa9588cc853f98469 |
| SHA256 | e5cff436556957154925cd1e50f15ab852484d4640d7b1608f1bc2fbbe16ae85 |
| SHA512 | cf75d223615181b15e60e0c2bb8ab914eb41bfa972aa5edd0e8fa52ba334410faa26629f5cbde4f9a26f87bda2a46c023daf08ba89f54e2247182bf440d6c092 |
C:\Users\Admin\AppData\Local\Temp\nXA7TM1r\_Files\_Screen_Desktop.jpeg
| MD5 | 4ccc6b691f53c6f7be0d94e0151899a7 |
| SHA1 | 22cce274a78d23ac0d0edb4ebf96a45d4161fee9 |
| SHA256 | 2b29d2a3cc6206668524078dc2d74082fa5dd498c3c4868282fbb9d07a289d51 |
| SHA512 | c9b2afc7f30e2a259199b1a694e58751e06473f97a268bc7e988d7244cea07b6b977238165fae7b909e1bc341a403606cb5623e1e9db528fea437fe011309543 |
C:\Users\Admin\AppData\Local\Temp\nXA7TM1r\_Files\_Information.txt
| MD5 | e1f90efa61a6567d25f43c4dcc6fba07 |
| SHA1 | 6f7c9714c0f457daab1443855beab22511b88026 |
| SHA256 | 3cb2748e858a534155cdcb6fb551859468180aae6a95381704611befa8408749 |
| SHA512 | ae45d9e613fdbd091ecdffeae84006639b040742331443f63bf814b23e33ba1e2ce45a29c8b8ee207bee9083b2d6ed2c1ecfb45c1634a0e7094439dc8b295ced |
C:\Users\Admin\AppData\Local\Temp\nXA7TM1r\_Files\_Information.txt
| MD5 | 68b89c2923f8ea8f4485ee96bc4f47d8 |
| SHA1 | e8d19164800ae594880a47ac09bd0507e75071db |
| SHA256 | 0cda1bd913545739e6f2b00489e546ee35ac1ac2049659b15e1512d27773ed98 |
| SHA512 | 3aec31038c92090fb69a7389722a5579b1b38059e5142513cfb5f979cfdb0af007588c25afe00be46dbb33864f60d9082796d62a7ea1b12da35d0fb5f647820c |
C:\Users\Admin\AppData\Local\Temp\nXA7TM1r\_Files\_Information.txt
| MD5 | 1c42196f5081d63a9fc8cbba4d3aeb81 |
| SHA1 | c2420001382fbd9dd509d40b1abb13267e88333f |
| SHA256 | 75389a097bc0cfcfdd7e355f2d6ca46c7ef8f8abc90fa58fc698fa3b41c7fa1f |
| SHA512 | c7e91e2f6e685f6bfd96425ea5912a2e5cc5d82def72bb6843c8ee6e8b55f807dd9840541c27413e4be10ee13dba6d04de6d81dce6541edd8f7d9d8d3bbd4c3c |
C:\Users\Admin\AppData\Local\Temp\nXA7TM1r\files_\system_info.txt
| MD5 | d850a314d791766451cdb9ce49d393c0 |
| SHA1 | d1ed83a4e976efdf860230fb7323d6715e1b87eb |
| SHA256 | 10accfba71b9bd46fb227b2f0c5371785494974deab43462171e8ae0008b0323 |
| SHA512 | a1d2c5724b73c6bd2207e73097fdd515e6f95fee0dd1a369440278dde0861cc4bbf44fe365b124bed13fafa75f5bc485cd4fbb2a58f9b0828259327d74ea1ce7 |
C:\Users\Admin\AppData\Local\Temp\nXA7TM1r\files_\system_info.txt
| MD5 | 142204b8ce5c299c2e91734f0535fc66 |
| SHA1 | 085fcdb55a317cc4a4bae37faec07ecfaf410b2c |
| SHA256 | d2e3e1c512e262480f5031376c48b05b609d3d97f9b44d9cf975a321a15ea1af |
| SHA512 | a93975c8e21641cb46fc96367b6247f2ae3694eedba85745aa78095d3b1bf0f409358bc8d7582d0e54940e1389d7e45deea252b31525de96b926678de6606c57 |
C:\Users\Admin\AppData\Local\Temp\nXA7TM1r\files_\system_info.txt
| MD5 | 7f8f39af30d9e553df2c6128946a7be8 |
| SHA1 | b4a4435dc75c83557a884785e152ac4bf59a98d5 |
| SHA256 | 8d67bd2f2130a7c642b6f77220d43b580c850c46532278f9d00768245dcd74da |
| SHA512 | b9cb3cfd8e299ceeded74fb2995902ed106ed798d5f27980a5e1991e3ac10f9d6d5dbe5f64ed6caa4137eaa23c1db3519302bc650231dca2a0e7773bf74d5a38 |
memory/2900-207-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/2900-211-0x0000000000620000-0x0000000000720000-memory.dmp
memory/2900-212-0x0000000002290000-0x0000000002330000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nXA7TM1r\CZnjGbNmWA2x.zip
| MD5 | 15d9f6ad06ae01356bb9fa493e4895d7 |
| SHA1 | e0747ac5f2a700b9c2cd195a2f60ac6f307a4054 |
| SHA256 | 0fe60309812e7ae43e97492b414dd555a7246bc277bddd840a99077a5d00b2ef |
| SHA512 | 765021bf55211bcf689b01362e68c3ed1121841fbee77638be290bfe58d61481ca30d68566bc001f8caad25017e829f43def76c198a4913ea79995016d44c2f4 |
C:\Users\Admin\AppData\Local\Temp\nXA7TM1r\sgRm6oKK.zip
| MD5 | e22f5718b98363f2901ebac25779295a |
| SHA1 | 01bb09728ddadcecd92bb0d90da775c1422ae27c |
| SHA256 | 70e67d84ec1cb25b6d246e9d532f5beca1171f63ff73e97c1f2568d41be7cf35 |
| SHA512 | 25be9250688f49051c66760d80495a127318022a4575b3d476d63a68d45737610bd923567d6de2ff5f499f92b0d577462f56a70349f1b58732ddff3e10c9efb6 |