Analysis Overview
SHA256
7d5b421a001c3fa5345f5f6603e675b5d55b145a96f7669ae983a0e81fb24d2c
Threat Level: Known bad
The file 584d548c03e8861214a069d6da77fa95 was found to be: Known bad.
Malicious Activity Summary
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsigned PE
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-13 07:11
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-13 07:11
Reported
2024-01-13 07:14
Platform
win7-20231215-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe
"C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lysayu42.top | udp |
| US | 8.8.8.8:53 | morbyn04.top | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-13 07:11
Reported
2024-01-13 07:14
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe
"C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95.exe"
Network
Files