Analysis Overview
SHA256
05da0612d29c4c2d08bd90ca30551c109bd6501aae8fe06807f0864e26848637
Threat Level: Known bad
The file 6dc81b421428a561e64da3e3d54e3994 was found to be: Known bad.
Malicious Activity Summary
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-21 18:58
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-21 18:58
Reported
2024-01-21 19:00
Platform
win7-20231215-en
Max time kernel
148s
Max time network
153s
Signatures
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
"C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lysano52.top | udp |
| US | 8.8.8.8:53 | morecj05.top | udp |
Files
memory/2900-1-0x0000000002E10000-0x0000000002F10000-memory.dmp
memory/2900-2-0x0000000000220000-0x00000000002C0000-memory.dmp
memory/2900-3-0x0000000000400000-0x0000000002CC1000-memory.dmp
memory/2900-4-0x0000000002DD0000-0x0000000002DD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\naraihIm0V\_Files\_Information.txt
| MD5 | 2c2823577fc219b818f37d357c810d58 |
| SHA1 | c6dbe7f00765f3e15f117aeb037bdfa414005ca7 |
| SHA256 | b7f2528ee8ca2dc4fb6181372d0d9b7cefd19ca652d304d69114838d2a9df11b |
| SHA512 | aaae930a4ff51b3e444a43c4681a3ba3dc28f3eb46aef13a072ced3b02e9481a05ee5cec462c4d5fcaa3cc9356327bed8f6b257e5560a8cc6e2e9ce2182f5358 |
C:\Users\Admin\AppData\Local\Temp\naraihIm0V\_Files\_Screen_Desktop.jpeg
| MD5 | a6e538bab21bc7f2b2bb09993467c0c9 |
| SHA1 | 1b20938914be8193f28472d6e2717d05995f6312 |
| SHA256 | 8687636ac1aceac64f17998e693135161cd5486b533ec1b3d4567a35dd4ef662 |
| SHA512 | bfded190b308ec4dab9442031556fe8fd293291836fd9f6a6a57238e3fead0a1ff23ca67bf6f137cf48baed0d9210beaa3f5d6aead91d9e2c70528b8823b32cb |
C:\Users\Admin\AppData\Local\Temp\naraihIm0V\files_\system_info.txt
| MD5 | 70b95c65d9691b69f3a809eb7ffeacef |
| SHA1 | 423a4ba66929edca5e41d0ee5de2f723b24accff |
| SHA256 | e4db95b4058bbea132d42666c98ddbfaa09e27ac65fb1b8496f0e5e3473f5b89 |
| SHA512 | ca87ba34b8d0e219c883dec445a84ab952bd499f2cc06608bcb27bf35231e262581455b80cdfbefc6a22ef7057ea533c0a975698348e49ef712f3270ef5abd6b |
memory/2900-221-0x0000000000400000-0x0000000002CC1000-memory.dmp
memory/2900-223-0x0000000000220000-0x00000000002C0000-memory.dmp
memory/2900-226-0x0000000002E10000-0x0000000002F10000-memory.dmp
memory/2900-227-0x0000000002DD0000-0x0000000002DD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\naraihIm0V\jNMgG6Wbek.zip
| MD5 | 310a40867f9b3b67046a23c1cbc4b2f7 |
| SHA1 | 5e661bd860f88cbe37b9fdbb1bff95081aca9b92 |
| SHA256 | 5b7981b9eee65da8fdb5f281faf7cb4e6902842f7c2ad5accee1d6eef995711b |
| SHA512 | 892353ddf32519a4da0b35c040373cb1d6c959b80d0baa1e8bd97b9638058d626e64ce85f11fb4bfb6033def7476dfb4a73c6349f67991511d4e69512bfabedc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-21 18:58
Reported
2024-01-21 19:00
Platform
win10v2004-20231215-en
Max time kernel
144s
Max time network
145s
Signatures
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Program crash
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe
"C:\Users\Admin\AppData\Local\Temp\6dc81b421428a561e64da3e3d54e3994.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 848
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.113.50.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lysano52.top | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lysano52.top | udp |
| US | 8.8.8.8:53 | lysano52.top | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lysano52.top | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lysano52.top | udp |
| US | 8.8.8.8:53 | lysano52.top | udp |
| US | 8.8.8.8:53 | lysano52.top | udp |
| US | 8.8.8.8:53 | lysano52.top | udp |
| US | 8.8.8.8:53 | lysano52.top | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lysano52.top | udp |
| US | 8.8.8.8:53 | lysano52.top | udp |
| US | 8.8.8.8:53 | lysano52.top | udp |
| US | 8.8.8.8:53 | lysano52.top | udp |
| US | 8.8.8.8:53 | lysano52.top | udp |
| US | 8.8.8.8:53 | lysano52.top | udp |
| US | 8.8.8.8:53 | morecj05.top | udp |
| US | 8.8.8.8:53 | morecj05.top | udp |
| US | 8.8.8.8:53 | morecj05.top | udp |
| US | 8.8.8.8:53 | morecj05.top | udp |
| US | 8.8.8.8:53 | morecj05.top | udp |
| US | 8.8.8.8:53 | morecj05.top | udp |
| US | 8.8.8.8:53 | morecj05.top | udp |
Files
memory/2816-1-0x0000000002F90000-0x0000000003090000-memory.dmp
memory/2816-2-0x0000000004A30000-0x0000000004AD0000-memory.dmp
memory/2816-3-0x0000000000400000-0x0000000002CC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eNrlCgxKs\_Files\_Information.txt
| MD5 | 556ee95ed74ee26186bc4129dca44ffe |
| SHA1 | 4ed2ff9e66a3034a5523b075dba4b8f599d9b2bf |
| SHA256 | 37ed3ceb2bfa99ed51513ed7a740850ea9862bf41bea07c54dc31bbc0a32de1b |
| SHA512 | 70a8123ffd04b84cd2ffb3623fc07c3b8f9c1cf9062c10b297eab9552c9c6bdf3e3f531c1a118469e87ff8e97b95bb23296d212831853ac43085ed2e5f809930 |
C:\Users\Admin\AppData\Local\Temp\eNrlCgxKs\_Files\_Information.txt
| MD5 | fa6746b9a8cce76ede5e30696c4a3f02 |
| SHA1 | 998d5c841bf112e9f1cf44d472a94b5522aa5183 |
| SHA256 | 79c8b2c8a6684cfec6b381886fbced89f66e8aedf20375a60254bdb9d07829df |
| SHA512 | 8afc88adb2aa56e0fa8ba874545c5bba919533dd92a74e67ad759a0f05dd490e6ba172c7d678a3fbdd846b9b40bf8f111f9144f5009172a6ddeb870348033093 |
C:\Users\Admin\AppData\Local\Temp\eNrlCgxKs\_Files\_Information.txt
| MD5 | 07c9668aefdee73703d14d9ccb32e7b3 |
| SHA1 | 399b54ae8c56c15167cc8b27d39ef899ce20137d |
| SHA256 | 812b1d5feb830b547673b5ed55208768028555439b1f6bd3f4da07c2b0d8486d |
| SHA512 | d641fd9df67eb34644ec3a167a91988ed34db0ebb4584aa7f3575eee9a5dd96382a028a06a0606d82dac2a5ad57914906699f141070e5ce2a16172481b480ea5 |
C:\Users\Admin\AppData\Local\Temp\eNrlCgxKs\_Files\_Screen_Desktop.jpeg
| MD5 | d36c2d46e692b9d2ac7d166a4b8463a1 |
| SHA1 | cde298f2900a15e18422831f21fb6ee4eb1d330a |
| SHA256 | 34401d99974a776adf6d3935c3e3a77e21c1765e6e9356f6cdb02ff5219701d2 |
| SHA512 | 366901cb2f25806b1faa278bef904e9940586ded5e4846b12866009a446a6b854984fa22aa9d25c9454caa85b9440ea06b7b08ee98c2bb64840c55de83f605b2 |
C:\Users\Admin\AppData\Local\Temp\eNrlCgxKs\files_\system_info.txt
| MD5 | 2ae185af5eddfa4de3d0544562362bf2 |
| SHA1 | 38216e85cf1b6327b726a2ee1d937cc941f28638 |
| SHA256 | 32d07a67fabc7fb5acd071afa1b889bf9a8e3901ec70c8ecde5ae72ff762e3ae |
| SHA512 | 9af005039c4be5dd7cafa03c2b0ccd51e1ad76da2c3479c21cb579c2d97480e6de34638728cf23c1b74ac522faf566eee1483eef079d49c2ae5b2353a40f0571 |
memory/2816-207-0x0000000000400000-0x0000000002CC1000-memory.dmp
memory/2816-209-0x0000000002F90000-0x0000000003090000-memory.dmp
memory/2816-212-0x0000000004A30000-0x0000000004AD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eNrlCgxKs\CTZ3wqfHEb.zip
| MD5 | b2c7826f4cdaa667b450688f559bfced |
| SHA1 | 3eaa7ce61b859217a524e7050d784891740d0984 |
| SHA256 | 74c9195262578a3ebd97fe70f687671703161da45ee059430b2d940b01f67efb |
| SHA512 | 75de0f2a129f7b7d745fcb709cb005f735b0e5d9ebb9735d4dbac5558f3ab6f67b6f3e66b40caec9502511f7f40af40085814879b4294101b15816c2ee342e6f |
C:\Users\Admin\AppData\Local\Temp\eNrlCgxKs\Vl3v7okdrr.zip
| MD5 | 92b1dbb17a65323768f9f80988f197bf |
| SHA1 | 69a2a983bc91cb49a6f0723d793dbb426e1d7982 |
| SHA256 | 5c003ce5869ad507c6c4425b3f70e6374dfd9d2a9eae96517c2c057fe0f9d285 |
| SHA512 | 405c52a723dbaf7a180320b2afb656d13979a203458daf2787b377114eb89f899ff6676692887de81510065bdf7931e6581850b67c3f43a66537a00e525310de |