Analysis Overview
SHA256
fb7f48daa45730568caa82cfa74c3c3a16130d2428ccef71eb266daa4146efde
Threat Level: Known bad
The file 6393577eccbb54f677ff7dd65c984807 was found to be: Known bad.
Malicious Activity Summary
CryptBot
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Reads user/profile data of web browsers
Themida packer
Checks whether UAC is enabled
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-17 20:51
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-17 20:51
Reported
2024-01-17 20:54
Platform
win7-20231129-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
CryptBot
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe
"C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe"
Network
Files
memory/2220-0-0x0000000000F30000-0x00000000016B7000-memory.dmp
memory/2220-1-0x0000000077080000-0x0000000077082000-memory.dmp
memory/2220-2-0x0000000000F30000-0x00000000016B7000-memory.dmp
memory/2220-3-0x0000000000F30000-0x00000000016B7000-memory.dmp
memory/2220-4-0x0000000000F30000-0x00000000016B7000-memory.dmp
memory/2220-5-0x0000000000F30000-0x00000000016B7000-memory.dmp
memory/2220-6-0x0000000000F30000-0x00000000016B7000-memory.dmp
memory/2220-8-0x0000000000F30000-0x00000000016B7000-memory.dmp
memory/2220-9-0x0000000000F30000-0x00000000016B7000-memory.dmp
memory/2220-7-0x0000000000F30000-0x00000000016B7000-memory.dmp
memory/2220-12-0x0000000000F30000-0x00000000016B7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-17 20:51
Reported
2024-01-17 20:54
Platform
win10v2004-20231215-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
CryptBot
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe
"C:\Users\Admin\AppData\Local\Temp\6393577eccbb54f677ff7dd65c984807.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fokfgl36.top | udp |
Files
memory/5028-0-0x0000000000330000-0x0000000000AB7000-memory.dmp
memory/5028-1-0x0000000077734000-0x0000000077736000-memory.dmp
memory/5028-2-0x0000000000330000-0x0000000000AB7000-memory.dmp
memory/5028-3-0x0000000000330000-0x0000000000AB7000-memory.dmp
memory/5028-4-0x0000000000330000-0x0000000000AB7000-memory.dmp
memory/5028-5-0x0000000000330000-0x0000000000AB7000-memory.dmp
memory/5028-6-0x0000000000330000-0x0000000000AB7000-memory.dmp
memory/5028-7-0x0000000000330000-0x0000000000AB7000-memory.dmp
memory/5028-8-0x0000000000330000-0x0000000000AB7000-memory.dmp
memory/5028-9-0x0000000000330000-0x0000000000AB7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GsLFEVFifBP\_Files\_Information.txt
| MD5 | 96ffbfaa37c5b07727b82b4d56ec51c2 |
| SHA1 | f38d3efe58bfa231117f96b662a2678a9c0dd7cb |
| SHA256 | d0bafdec6260e5a340c92582679548e3037134dec8b892febe320278c18f460e |
| SHA512 | a7c23e8b369bd5f96f4d13235ff38b9364220575c02d63e2b45a088aa1fac87ca35dfc1db45eb37d5a3394dfd30dfc7dab3f2a42647f58f407827888716e9706 |
C:\Users\Admin\AppData\Local\Temp\GsLFEVFifBP\files_\system_info.txt
| MD5 | c80b34b7ed70aa50d575aa08b72dae89 |
| SHA1 | 65ac42b532a98652dc29ba876d64edafde5e9fd2 |
| SHA256 | 58964d53a58dd513ae30f5e0fb5d1f0557176ac7c245c46dcafbbb0ed2cc2e11 |
| SHA512 | a6800418c83442df4435d27e5c7f004c904df39f061f130bb517a2229dce695207ba0b3566541e749b1e4e6aaa777bef1fb8246adf7323166d515b8d834d5496 |
C:\Users\Admin\AppData\Local\Temp\GsLFEVFifBP\files_\system_info.txt
| MD5 | fa7022c7b7de97783dd6f8fd53c7765f |
| SHA1 | 0a7d12e638076141b1459148a6ab2a27b5079a28 |
| SHA256 | 3fca66c54d53a357757cc3d252e9767e3259670a8678701bf3bdaf86145c9004 |
| SHA512 | c72ae59bf28bea9249d1b6d71490fc420942ca94c0c63e7384332e8a0d57709dcce13c2d0db3f9a15a1d55bc05d77ef4ab8dcfbbf9fd6062a4b1a0772cef4444 |
C:\Users\Admin\AppData\Local\Temp\GsLFEVFifBP\_Files\_Screen_Desktop.jpeg
| MD5 | c3fec46d69dc2680f687f4fc5c85fe3b |
| SHA1 | fe703003991b3bfe38a659c16b8b6ae38f7523f4 |
| SHA256 | 086426fc37bb68b0bd39e25390005b74f63f75aaeb585c59dd925cf71c37fa96 |
| SHA512 | dce417b59ea47252a706657257e7bb9dbba55df3af1d98c92aade35fbe76c04055d36db97a24e6f9be1832739daa87623fb5fbbfb84974f84c5b30f5f27cb452 |
C:\Users\Admin\AppData\Local\Temp\GsLFEVFifBP\_Files\_Information.txt
| MD5 | 9e822e58a87cc95596d8d0e3fc04662c |
| SHA1 | f5040ac163e1c03dc2d67e3921a2a28e27fedfe7 |
| SHA256 | 753248ab1507fa63e69d4391e227f870f2e2f311c1fc0fb2baddd7216cefcf41 |
| SHA512 | 4b9dcbfc93401126dff26aab28e89fcda4e0c3ab35d1aa1843a9146ef823f5a3752ef1dddf1c91e205f401ecebd535670e48b8849617e8e065629ffac522d0ba |
memory/5028-215-0x0000000000330000-0x0000000000AB7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GsLFEVFifBP\gieLUSbFIld.zip
| MD5 | 295adc1381c9f0f393604d5133917369 |
| SHA1 | 18e20289c5cdf9c836dde90344c743f0e19ddf25 |
| SHA256 | 1187c53a11377607b06c7111587909fdd8866f98a93c4718c7ff2379f7dbff19 |
| SHA512 | 83405fca8a223b4e6cc977be09aa8db99ee439e910e198acd1c087d0cfae4cc6af2b170584565e3948751c1e2327d4db0e0900764587138d0665f00488ebd756 |
memory/5028-225-0x0000000000330000-0x0000000000AB7000-memory.dmp
memory/5028-228-0x0000000000330000-0x0000000000AB7000-memory.dmp