Analysis Overview
SHA256
89425ed57b370731f3eb964d7d2bfce74b8e9e4be1be23ad76990c2d3da93579
Threat Level: Known bad
The file 6f25a0962565b1974bedce661c201529 was found to be: Known bad.
Malicious Activity Summary
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Unsigned PE
Checks processor information in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-22 08:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-22 08:02
Reported
2024-01-22 08:05
Platform
win10v2004-20231215-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe
"C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
Files
memory/3556-1-0x00000000006F0000-0x00000000007F0000-memory.dmp
memory/3556-2-0x0000000002190000-0x0000000002239000-memory.dmp
memory/3556-16-0x0000000000400000-0x00000000004CC000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Datar
| Hash | Value |
| --- | --- |
| MD5 | d63e3a8d4109b7212d419e17141dd862 |
| SHA1 | c9637da0763277477e60128ae2cd26fb314fa80a |
| SHA256 | 0cdd05fd9d9515c99e713a0cdf201fae20cd5db884c08a292ce16471725c521f |
| SHA512 | dfee6ccabfe03415bea0d817ac0c393e98b54a0dfff102f0eee21c8e85d903e11a073aa97b7a3e8b95d88d5f86afd4c9782e7618e3119727da1e01d4895315e2 |
C:\Users\Admin\AppData\Local\Temp\LYwW3uoPxqt5\_Files\_Information.txt
| Hash | Value |
| --- | --- |
| MD5 | 59378601b3e5dff7077189d9e88edd4e |
| SHA1 | f8fad865550fc83baffcd14c63a9043423b6cef7 |
| SHA256 | fdc3cc7b6801278364279ecaae8a67cbab8a88fecaac2d1004f2c9aed050a3ff |
| SHA512 | 20d93ef7c567a206cc310240598727dbc84e3ba10464315b8e1a63e19452f18f2e1cdfb0376ccca37e9076e0e7e6386783d2e119545741d1ef5c9aec1b8d77ab |
C:\Users\Admin\AppData\Local\Temp\LYwW3uoPxqt5\_Files\_Information.txt
| Hash | Value |
| --- | --- |
| MD5 | 851e61f67e428ba4c08837784ad10173 |
| SHA1 | 25e58c4e6d603c07e1cd165aceac15abdab9f0e0 |
| SHA256 | 10d963505f5dbd25180e2c9aa2b93637fb1d224b87af6d56e73c0a08df87e157 |
| SHA512 | 872efab6d6af65d9e00a98c3c74e1abe93a0d18b1086bfad36a239ca69c4b12f3a2ba19c568b5633f917cd5f6ada8410f99b7765a87d38a37582e91c1169dbdb |
memory/3556-121-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/3556-123-0x00000000006F0000-0x00000000007F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LYwW3uoPxqt5\tijWaTPZSNlVK.zip
| Hash | Value |
| --- | --- |
| MD5 | e38a6436d8821813c7509cb0e861d06c |
| SHA1 | 2a3ae589abe31b98b20c8f3beac13744bc275a4b |
| SHA256 | b0041af3dbd4f36964fe66be3b1b380fbbf15f57d9a7d4e055e3b0cc6dd7a8de |
| SHA512 | 0dbf85b2604a9f6903c859aa0347025922f6ff6fc573e62ae6723dc39be3ec435e90e8ad15cea6027c6d34f5e9ec2ddbdb7e9f369fc3b7a3efc483ccac905e49 |
memory/3556-127-0x0000000002190000-0x0000000002239000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-22 08:02
Reported
2024-01-22 08:05
Platform
win7-20231215-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe
"C:\Users\Admin\AppData\Local\Temp\6f25a0962565b1974bedce661c201529.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
Files
memory/1032-1-0x0000000000690000-0x0000000000790000-memory.dmp
memory/1032-2-0x00000000002B0000-0x0000000000359000-memory.dmp
memory/1032-3-0x0000000000400000-0x00000000004CC000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Datar
| Hash | Value |
| --- | --- |
| MD5 | c5ab22deca134f4344148b20687651f4 |
| SHA1 | c36513b27480dc2d134cefb29a44510a00ec988d |
| SHA256 | 1e9bd8064ca87d8441e2702005ef8df9a3647d5542740737abb8a70be7ec9512 |
| SHA512 | 550f45132525e967d749106b9d3b114d17b066967527bfd5c66613d61b6f3995f87b0f3c09def19eed14b5b757f2501645b5103505d126f1dd66994f50e1257e |
memory/1032-18-0x0000000001DB0000-0x0000000001DB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wkusYT6\_Files\_Information.txt
| Hash | Value |
| --- | --- |
| MD5 | ed83f3066a915cc1f8e9d02206cca3e1 |
| SHA1 | f7ee5d8c68dc6370961283fcfa5ba8e81476012c |
| SHA256 | c6a5232084fce611bd18ba42c0c1c94192d577d50d650d39ee780022b9933ec7 |
| SHA512 | b774ef12fb8573a46c4af266d05e6a934246f3206491c8b63ac48320f1f7ec2e8f751136a47ef9951608dcbec1e17c4afa9347276b23e7511de8ac8c71d01a90 |
memory/1032-128-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/1032-132-0x0000000000690000-0x0000000000790000-memory.dmp
memory/1032-133-0x00000000002B0000-0x0000000000359000-memory.dmp
memory/1032-134-0x0000000001DB0000-0x0000000001DB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wkusYT6\WWKr3o1Tvz.zip
| Hash | Value |
| --- | --- |
| MD5 | 610ddca0af15f5ec9d2b43c05ddc4536 |
| SHA1 | 35e018d5798f99cfbb0ed8e51df8c021d664fb6b |
| SHA256 | e474d941116286e0326167badd970972df41b5aa97753e3226d0fc682b2d86e8 |
| SHA512 | 775fc10742031a0b70b65de6b504a2edf72d1c446f1b5979799ceeaa36f802842c575d66354da8d2b2beefdac965493a6768301e1db4d74d3f48ded5409c1934 |