Analysis Overview
SHA256
656dd9e677ea4da1892f14f0b38ca7d989d6d8a07d1ce3d1675cf2ff1b030653
Threat Level: Known bad
The file 519a5e8618177c423039f4e5c47aa27a was found to be: Known bad.
Malicious Activity Summary
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-10 20:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-10 20:58
Reported
2024-01-10 21:01
Platform
win7-20231215-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe
"C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lyssen62.top | udp |
Files
memory/812-2-0x0000000000310000-0x00000000003B0000-memory.dmp
memory/812-1-0x00000000009E0000-0x0000000000AE0000-memory.dmp
memory/812-3-0x0000000000400000-0x000000000095A000-memory.dmp
memory/812-4-0x00000000009D0000-0x00000000009D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zSuWGMr\_Files\_Information.txt
| MD5 | 8088e3ab5c16cd024183761df3806864 |
| SHA1 | 8a07a9e5169d2fbd4ed51f2c8171ae654d9d7f00 |
| SHA256 | 93d0ea13a5a5c50bed7df667ab4b2323be9c34b438b9fe26e0893bfd759b81ee |
| SHA512 | 70223e48a848b0fd38f60da55aa41f25a164896dc24220073d0bfc6f3fca349c65ed0c0b885c3fe10fad3ff37be9f05f53ba70ef10f627c8b611947472937c06 |
C:\Users\Admin\AppData\Local\Temp\zSuWGMr\_Files\_Screen_Desktop.jpeg
| MD5 | 440038e6bce3174305c6efa21805ad70 |
| SHA1 | 28cb2e7b692c8adf2abcb5cb3d00569c069144d3 |
| SHA256 | fece7af270540e1b057ce3456afc15f4e1c2edf550c19c1e181632b16b4f9365 |
| SHA512 | 981d48e1fa116cb279c080110a22faa671000ad12599cc475422e4dd320a8b76acfa11828791448cdf52266efdfa24c8ab0ff9aff464dcd31ef6baa81660b7fa |
C:\Users\Admin\AppData\Local\Temp\zSuWGMr\files_\system_info.txt
| MD5 | 657e58c60df206ec33cf1c86c83364fb |
| SHA1 | 42f446ae4836c45ed15e8f2b1def8069caed89f3 |
| SHA256 | 9ea8cec4039e06e586d39deb1e74e3ebb46713daa422ee010e8ba7b287a41b0d |
| SHA512 | 917c30bd2d066a350979774633f7fa9c45862f1da6e2fdcf394782d2aee30f86202aa3dca12201c0dea02cc6b841359fe2275151b018ed8436226d5f69858b20 |
memory/812-221-0x0000000000400000-0x000000000095A000-memory.dmp
memory/812-223-0x00000000009E0000-0x0000000000AE0000-memory.dmp
memory/812-225-0x0000000000310000-0x00000000003B0000-memory.dmp
memory/812-227-0x00000000009D0000-0x00000000009D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zSuWGMr\JSZmQrsdDXMA6i.zip
| MD5 | ad098d5722726ff474bb1dccf5e9988a |
| SHA1 | 475babb1aeda23c4eaa3bb6445d7818bee4c1db8 |
| SHA256 | f3f619086b8fda738c699b0f78c0753735a1b364784dd92627ee9f353605ba47 |
| SHA512 | 1c5cf6d14e1e05be8d280767b0e8bee7d62c935f04c03ae843818bc13f6071c3588d46f6c9db48656d08deece5b3d9582957272ca04a3e4d020835c34ba37f16 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-10 20:58
Reported
2024-01-10 21:01
Platform
win10v2004-20231215-en
Max time kernel
148s
Max time network
145s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe
"C:\Users\Admin\AppData\Local\Temp\519a5e8618177c423039f4e5c47aa27a.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lyssen62.top | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lyssen62.top | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.165.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lyssen62.top | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lyssen62.top | udp |
| US | 8.8.8.8:53 | 135.5.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.57.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lyssen62.top | udp |
| US | 8.8.8.8:53 | lyssen62.top | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lyssen62.top | udp |
| GB | 96.17.178.176:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | lyssen62.top | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lyssen62.top | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lyssen62.top | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lyssen62.top | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lyssen62.top | udp |
| US | 8.8.8.8:53 | lyssen62.top | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lyssen62.top | udp |
| US | 8.8.8.8:53 | lyssen62.top | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| GB | 96.17.178.210:80 | | tcp |
| US | 8.8.8.8:53 | morwaf06.top | udp |
| US | 8.8.8.8:53 | morwaf06.top | udp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | morwaf06.top | udp |
| US | 8.8.8.8:53 | morwaf06.top | udp |
| GB | 104.77.160.23:80 | | tcp |
| GB | 104.77.160.23:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 104.77.160.23:80 | | tcp |
| GB | 104.77.160.23:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.174:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.178:80 | | tcp |
| GB | 96.17.178.178:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.178:80 | | tcp |
| FR | 2.22.57.155:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 138.91.171.81:80 | | tcp |
| GB | 96.17.178.178:80 | | tcp |
| GB | 96.17.178.178:80 | | tcp |
Files
memory/4428-1-0x0000000000B50000-0x0000000000C50000-memory.dmp
memory/4428-2-0x0000000000960000-0x0000000000A00000-memory.dmp
memory/4428-3-0x0000000000400000-0x000000000095A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\_Files\_Screen_Desktop.jpeg
| MD5 | 6b0e49f33245e9d9cd0c4b49354f94f6 |
| SHA1 | 99c16e6cb99b0faaaec9a66854b37b3973c348d6 |
| SHA256 | 9923568ef710aa556b4809854ca04290e318babc0303793f5141a2b40d4d2b66 |
| SHA512 | 9fa2010fd49f1a04c59b75e9eb4627ff67906dc666737e629a20f725e9fd13e0b29adc94161eea4844eb22e53b186851d8a48c3cf1fc1b62a6890a629e73d2b8 |
C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\_Files\_Information.txt
| MD5 | e0ec0e78a1626d45585cb5cd6e274952 |
| SHA1 | 5d68d8beddcb481ae55a9780fb0561faa0be66b1 |
| SHA256 | 26c5b31b171c970ccc4b397ad79f73f43221d1de341b4f305c1412b49d846bed |
| SHA512 | fc578f46eae45d85c702a1b86c258d1982865fb9bbfe5f1996c1d7210631d5f9e8e21d2a2d383581a04277c2f422066a9cf20770b74c1e91db9bc712629a64b7 |
C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\_Files\_Information.txt
| MD5 | b7dd22a373ad35516b6fb4117e5c8a3f |
| SHA1 | d8d9a799b20348eccbc64dc1b5851cf2c42107a1 |
| SHA256 | af3895f7c5c56d3e5d575bfdfaadfeca86fdaedb1d784c73c7108754968b7fce |
| SHA512 | aef8b5a0ff2c9a79c3733ab63c8846f935b7ffc6f2a4780950eed0b46c6b2d266c12b590ae6427768ee5f9be2df9f7c7b3206006c921d0a62c173e34183e2349 |
C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\files_\system_info.txt
| MD5 | 9d4d0ac0112d201e8659529b82eb7337 |
| SHA1 | 0235f852cff10691f07ab853736e9226d6fe393f |
| SHA256 | 866d4ed183dc704f3068fad07a5703c79c84c3519bb379e706f7ab16678a2a12 |
| SHA512 | 4fb10f904af9b3830c11d21f2479a0818e6161ac8543a37bc631e56c1ab6341e368c3c244f18b58b4beb981fbf1930af665111abb39e1fdf154833e8d17e4a60 |
C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\files_\system_info.txt
| MD5 | e11a7b251671edc1a5170b7d5cc1a38f |
| SHA1 | 351df1be8644cfd3da6a44e667cb4906fe5036fa |
| SHA256 | 11d689b3cc2ae592d6494d29a762d3a187722fa6c62ebfc377e359a173d3b66c |
| SHA512 | 26c62370ebaef92dc7626b0e8e3d41f5ba35de95390ae9d1b4c5f284ce56ab516361e9b198b479eca4dc2004aa973bb87e04a6de48ff6b6ef7aa49ca0cb882c8 |
C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\files_\system_info.txt
| MD5 | a6f16e9cb322be17d3555b014b698d22 |
| SHA1 | c2e4bf475a10763614f0df35713072d238f7078b |
| SHA256 | ca8aebdd8fd24c2cbe0db5a74073f56096fff2ccacc5e31db069f07b215277e3 |
| SHA512 | bcaffc051d24ef3df23780608bd3a51372867b6e2bc8d7baddfbfb8529f9b26720e7af71bb7558a5c06a8cdbfaf0cce1d0ccaf0c364ac90081df1a3decb7e61a |
memory/4428-208-0x0000000000400000-0x000000000095A000-memory.dmp
memory/4428-211-0x0000000000B50000-0x0000000000C50000-memory.dmp
memory/4428-212-0x0000000000960000-0x0000000000A00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\yVf6un6xKoVBMf.zip
| MD5 | 9764767a43064f47283e34f730be9297 |
| SHA1 | 444d3b9374a230e44753b83554b62556990ab6af |
| SHA256 | 40cc871c6391f8c302b50b77390eb07263d56b83691cca478dab22fd06a62aa3 |
| SHA512 | 314588f2b4dc599bcf95e1f3466c933fae1f36109e91114fb35f5ecff5d94d2ee9327ba8ff8459f145dd254503c9c3c036343813ffa963e6681de4c159def65a |
C:\Users\Admin\AppData\Local\Temp\eXWkqV0pt\bFogcARCIrQ.zip
| MD5 | 031178d4340d07f11caba3aad80b8935 |
| SHA1 | e20494e700ed5f17f653408a65cdc02c162aeb6c |
| SHA256 | 289e8550bd31901c338555d51b5b123c4cf4cac0eb40f2ed4fd14cc67b73d9f2 |
| SHA512 | cd4954a1e4e934973e198ba45b8354a93bc67bd33eabf9e42b18487a4a2e9c35a247ab5d592d9b822baec4ad790871341e421583fc68d4d6b126cd85ccfbd476 |