Analysis Overview
SHA256
b937f9098ea56ff4120f21634aaf765cd11f62950cbcf1f4727cc673785a9560
Threat Level: Known bad
The file 6920aa5adac327d0b77bcbcf2c105098 was found to be: Known bad.
Malicious Activity Summary
CryptBot
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-20 01:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-20 01:23
Reported
2024-01-20 01:26
Platform
win7-20231215-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
CryptBot
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe
"C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-20 01:23
Reported
2024-01-20 01:26
Platform
win10v2004-20231215-en
Max time kernel
151s
Max time network
159s
Command Line
Signatures
CryptBot
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe
"C:\Users\Admin\AppData\Local\Temp\6920aa5adac327d0b77bcbcf2c105098.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fokuti41.top | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\eKaFFUjNkGb\_Files\_Information.txt
C:\Users\Admin\AppData\Local\Temp\eKaFFUjNkGb\_Files\_Screen_Desktop.jpeg
C:\Users\Admin\AppData\Local\Temp\eKaFFUjNkGb\files_\system_info.txt
C:\Users\Admin\AppData\Local\Temp\eKaFFUjNkGb\SLfJRKXSKGeA.zip