Analysis Overview
SHA256
48ab70d33532409f5394c271fe0fba6234b15b36584234d5b595b9791972bec1
Threat Level: Known bad
The file 6ec80a2e8194a457f2f555506986e490 was found to be: Known bad.
Malicious Activity Summary
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Unsigned PE
Checks processor information in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-22 04:55
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-22 04:55
Reported
2024-01-22 04:58
Platform
win7-20231129-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe
"C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ewayab32.top | udp |
| US | 8.8.8.8:53 | morxeg03.top | udp |
Files
C:\Users\Admin\AppData\Local\Temp\rDm8iprvl\_Files\_Information.txt
C:\Users\Admin\AppData\Local\Temp\rDm8iprvl\files_\system_info.txt
C:\Users\Admin\AppData\Local\Temp\rDm8iprvl\_Files\_Screen_Desktop.jpeg
C:\Users\Admin\AppData\Local\Temp\rDm8iprvl\m7xXV3dhgENwNL.zip
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-22 04:55
Reported
2024-01-22 04:58
Platform
win10v2004-20231215-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe
"C:\Users\Admin\AppData\Local\Temp\6ec80a2e8194a457f2f555506986e490.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\EGsZqzd\_Files\_Information.txt
C:\Users\Admin\AppData\Local\Temp\EGsZqzd\_Files\_Screen_Desktop.jpeg
C:\Users\Admin\AppData\Local\Temp\EGsZqzd\files_\system_info.txt
C:\Users\Admin\AppData\Local\Temp\EGsZqzd\tlpouQWYxBOd2g.zip
C:\Users\Admin\AppData\Local\Temp\EGsZqzd\ZhjtyYCiM.zip