Analysis Overview
SHA256
c1d11f66c89d2b7a284d8b61092fab044066c5443250d90d2dd9f3221857900a
Threat Level: Known bad
The file 6a2c1831c6131eb0f59078d477f4247f was found to be: Known bad.
Malicious Activity Summary
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Unsigned PE
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-20 10:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-20 10:21
Reported
2024-01-20 10:23
Platform
win7-20231215-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe
"C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ewaqug42.top | udp |
| US | 8.8.8.8:53 | morjau04.top | udp |
Files
memory/1564-1-0x0000000000610000-0x0000000000710000-memory.dmp
memory/1564-3-0x0000000000400000-0x000000000051D000-memory.dmp
memory/1564-2-0x0000000000320000-0x00000000003C0000-memory.dmp
memory/1564-4-0x00000000005F0000-0x00000000005F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SocQ0vQKV\_Files\_Information.txt
| Hash | Value |
| --- | --- |
| MD5 | 147cddf0aee7abda94e17a59f52b32c0 |
| SHA1 | 54dd21d2b9c928b4ba7ec65626f5bc4a21ab2df2 |
| SHA256 | b19bbe1d1d465993ff8d3faed7b484273d7f157520260edf9f96c1333a797fcb |
| SHA512 | eb410457490d598c6b3553813097ec5f7d9b55747b84263948110676fca8fc1d8a0ee5ea65d2de6da66694f01ec8dd7be104da68c4a8384a2c297867466bc4dd |
C:\Users\Admin\AppData\Local\Temp\SocQ0vQKV\_Files\_Screen_Desktop.jpeg
| Hash | Value |
| --- | --- |
| MD5 | dbb59211e04ddb6b104e2728c1765ec8 |
| SHA1 | a1a6ef75028076151d75a820779b43218645e552 |
| SHA256 | 80531ae594940b2ae81305ea98793a646891595349006dc845e9e7947faf3c77 |
| SHA512 | b9097b3a8141f5bb8ff148033e9ea2b78531d030e3ae441454bef4e726354eb525174f2655b682b0b7fa612aa324b16c6384849ad8e5d379c718ccdace786bb6 |
C:\Users\Admin\AppData\Local\Temp\SocQ0vQKV\files_\system_info.txt
| Hash | Value |
| --- | --- |
| MD5 | 5321c8bdec2ec9e3baf7106b0672b947 |
| SHA1 | b29b5514a425fc9f671620d5c7308d6fbc29ed37 |
| SHA256 | 22572c1b67fb89cb63e220aca536973b66e94444e4d7fa809713b90f0b42bcc8 |
| SHA512 | c2ef8d468a2b9a23a892b593967a9ef50c1160d46e2504d99ec85e74b75368a7b3a90f11c79ead7a04ee5f772dae5d83cbca107e8510cf00130dfdc94f5e636d |
memory/1564-222-0x0000000000400000-0x000000000051D000-memory.dmp
memory/1564-225-0x0000000000610000-0x0000000000710000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SocQ0vQKV\TO4usagagNh5.zip
| Hash | Value |
| --- | --- |
| MD5 | 1fc6cb307b66969a1244b283e98b30f2 |
| SHA1 | 307f1633607b28ef7157fde5ffe7a22d1316df62 |
| SHA256 | 74ee1f1abdb51d06ba114b69994e4275856080bbf3f05d4b432ea00ea92f92ad |
| SHA512 | 2ef3af350c088133cd7d981faecd5d09c482076eb8c018f0597cb468f663c9e0f9567ccb7a2dbdfd5072d03a0449836aeb62b5496c53279681d32b7db9e30314 |
memory/1564-227-0x00000000005F0000-0x00000000005F1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-20 10:21
Reported
2024-01-20 10:23
Platform
win10v2004-20231222-en
Max time kernel
150s
Max time network
143s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe
"C:\Users\Admin\AppData\Local\Temp\6a2c1831c6131eb0f59078d477f4247f.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewaqug42.top | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewaqug42.top | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewaqug42.top | udp |
| US | 8.8.8.8:53 | ewaqug42.top | udp |
| US | 8.8.8.8:53 | ewaqug42.top | udp |
| US | 8.8.8.8:53 | ewaqug42.top | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewaqug42.top | udp |
| US | 8.8.8.8:53 | ewaqug42.top | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | ewaqug42.top | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | ewaqug42.top | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | ewaqug42.top | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| US | 8.8.8.8:53 | morjau04.top | udp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
Files
memory/4008-2-0x0000000002260000-0x0000000002300000-memory.dmp
memory/4008-1-0x0000000000620000-0x0000000000720000-memory.dmp
memory/4008-3-0x0000000000400000-0x000000000051D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\_Files\_Information.txt
| Hash | Value |
| --- | --- |
| MD5 | 6794f748f24c56146c5b6121afca3729 |
| SHA1 | 5cb28a27c4466428b8244dff3395c208782b1988 |
| SHA256 | a2ce1bab81642f1064779bbd2deb91ed6b9dc3324e98c18e7f32c1375f214229 |
| SHA512 | 3f056d278d6ef2e6fa5461062ea0fbfb44740af9c7689f5970d7ebb5e6ff413e163cc16fb1d45c19e72c9de0fc3fd9573b0719cfd9fde44e46c93b0bba9632a5 |
C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\_Files\_Screen_Desktop.jpeg
| Hash | Value |
| --- | --- |
| MD5 | 319dd9d403a1257cd941f68e4d9488b4 |
| SHA1 | 155ec2457035abb9505ec6924b84c757e9fcc3ad |
| SHA256 | b738887d185378270ece8f1ce18fd01c7f9283eb3b2b697f526dba862b6ba581 |
| SHA512 | 18786ced575535b332491340616dba3ebd6665839843b15ee24d1d42b021ce92d2ab4d6826ac36b99028eea84c01eefb6b23e14253ecd84ac0eccd2b2962d4ae |
C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\_Files\_Information.txt
| Hash | Value |
| --- | --- |
| MD5 | bb922c8c422946d787552831a41a3cb2 |
| SHA1 | bf3df008cb4d8cca4418d812e9566e9560488f20 |
| SHA256 | eb676aa5d8f29611fa2d7c3518959b3a78b59332b143051c42154043fb4e443b |
| SHA512 | bfec57996abfa37f02e8d8c6e7f25ac1bf242321d657bcde48d7d2f5be58bf2772c394abdbcf53897914726a06a12aa3c6c387fe28b54bf6bd3a2109f083a0d3 |
C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\files_\system_info.txt
| Hash | Value |
| --- | --- |
| MD5 | 6db0063e17d10d709b613891f7ac21f3 |
| SHA1 | 399adcf95f0758b0411fd3ba0770f999d01f3acb |
| SHA256 | 8853a90b71c67e4008be5a1c618d227f93cb61f643e667c46865105f31700bb3 |
| SHA512 | dabb18e7926086c3e006afe81f035b185be60ab9d18dc42c8edebc1ed4fd453a04a33b7518abf7a1e7bf48d1db450c2d5838e08c772146582c7dc7d68bb65c0c |
C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\files_\system_info.txt
| Hash | Value |
| --- | --- |
| MD5 | 5e8a27102fd6ecda086fcd491a2ab23d |
| SHA1 | f597fa8b60da67fb0ebaa85c983fc47028a1953f |
| SHA256 | 508e474adbba2ee9b45d83382b5b5352673f4614b2daad516501c80b26080c9b |
| SHA512 | 81233f527dc0b532cdf1a5eedda70ae8c78e1a48dda8cc6d67327aa6e527ceee4cf4ce872d4d0957cffa1d77c7dc7566c0b33c96b4682d28809ede5c35bbf672 |
C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\files_\system_info.txt
| Hash | Value |
| --- | --- |
| MD5 | a45826fdc4d83fb9728260eb2b092521 |
| SHA1 | a49d1c5323f8994957779bdfa75fab9261f4a634 |
| SHA256 | a774d50b57662437f46d57ee727ee88ee423681dd34d28061591387517ef456b |
| SHA512 | c6a7bbdd67f04a0da504d419fc3c5f136567a54781cce6c5efc5713a3e503f117e962136ae1012921c188e6a63275f81bee9dc8ce2317b51e3e0d1c1e5bd5b97 |
memory/4008-208-0x0000000000400000-0x000000000051D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\TCFZm1cEvwO8l5.zip
| Hash | Value |
| --- | --- |
| MD5 | 0e2a024081b63e43c2b9f2bc43ec70bd |
| SHA1 | d09d0a31dc3c46679a9805160210149b5e9d5a15 |
| SHA256 | dde74d2efd366f518bf07eb22086c7b53822dfa8ffb4b6cc8a94ddd1dca7454f |
| SHA512 | 4aa97226277c53f6a3c22921cbd65fd7cb6b7e4e0a4111d985c30fa0be067b14707cf6202f8d328f05aa01b3573606cb840dddfaeb3def94f9beb5891f0af8c7 |
memory/4008-212-0x0000000000620000-0x0000000000720000-memory.dmp
memory/4008-213-0x0000000002260000-0x0000000002300000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ffky73rB335e\WLNgGapBgIuO.zip
| Hash | Value |
| --- | --- |
| MD5 | 7a5fc1230afbd8397976d081e5ebaa86 |
| SHA1 | 2195a202fed1396bd39e40625c33854e1bcfe11d |
| SHA256 | e4fa828b0c7e76dc7034c616dd63f03618ae5fcf8d6bbe16468cc85f6ba7a87c |
| SHA512 | a03a43ded6da9c47148ba3df1703f143386d3c6296ae397c4b994e7be0fb029a4724595eacfd41dfa2f231d1000e88e2349ad06edc52de30458f015bb9ae03f8 |