Analysis Overview
SHA256
262448352a09eb1da2f969f825c849cce7ec7dbcb79deda59611ca94fa7f099b
Threat Level: Known bad
The file 681457fa460dff885eef657f166d5ef8.bin was found to be: Known bad.
Malicious Activity Summary
Cryptbot family
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Deletes itself
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Unsigned PE
Checks processor information in registry
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-23 01:28
Signatures
Cryptbot family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-23 01:28
Reported
2024-01-23 01:31
Platform
win7-20231129-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe
"C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\yyvJvClPkQhb & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 4
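The process tree above is the characteristic Cryptbot clean-up: a child cmd.exe wipes the staging directory (yyvJvClPkQhb, the same directory the dropped _Files and zip live in), waits with timeout so the parent has exited and its image is no longer locked, then deletes the parent's executable. The following detection is an added example, not part of the sandbox report: it runs over constructed process-creation events as (parent image, image, command line) tuples. The first two events are copied from the behavioral1 tree; the last two are constructed benign look-alikes (a plain file deletion and an installer-style self-delete) to show what the rule does and does not flag. The severity scheme and the tuple layout are assumptions of this example.

```python
"""Flag cmd.exe children that delete their own parent's image after a delay,
optionally after wiping a staging directory (the rd/timeout/del chain above).
Added example; the events are constructed, not sandbox output."""
import re

# Constructed events: (parent_image, image, command_line).
SAMPLE_EVENTS = [
    # copied from the behavioral1 process tree
    (r"C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe",
     r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\yyvJvClPkQhb & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\timeout.exe", "timeout 4"),
    # constructed benign look-alikes
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c del /f /q "C:\Users\Admin\Downloads\old.log"'),
    (r"C:\Program Files\App\updater.exe", r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c timeout 3 & del /f /q "C:\Program Files\App\updater.exe"'),
]

# A drive-letter path argument, quoted or not, terminated by '&' or end of line.
DEL_RE = re.compile(r'\bdel\b(?:\s+/\w)*\s+"?([A-Za-z]:\\[^"&]+?)"?\s*(?:&|$)', re.I)
RD_RE = re.compile(r'\b(?:rd|rmdir)\b(?:\s+/\w)*\s+"?([A-Za-z]:\\[^"&]+?)"?\s*(?:&|$)', re.I)
DELAY_RE = re.compile(r'\b(?:timeout|ping)\b', re.I)   # ping -n is the other common sleep


def analyze(events):
    """Return one finding per cmd.exe that deletes its parent's own image."""
    findings = []
    for parent, image, cmdline in events:
        if not image.lower().endswith("\\cmd.exe"):
            continue
        del_m = DEL_RE.search(cmdline)
        if not del_m:
            continue
        target = del_m.group(1).strip().lower()
        if target != parent.lower():
            continue                       # deletes a file, but not its parent
        rd_m = RD_RE.search(cmdline)       # staging directory wiped as well?
        findings.append({
            "image": parent,
            "delayed": bool(DELAY_RE.search(cmdline)),
            "staging_dir": rd_m.group(1).strip() if rd_m else None,
            # self-delete alone is also installer/updater behaviour, so only the
            # combination with a wiped staging directory is rated high here
            "severity": "high" if rd_m else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

The parent-image comparison is what keeps the rule quiet on ordinary `del` usage; the medium-severity case (self-delete without a staging directory) is worth keeping as a hunting lead rather than an alert, since legitimate updaters do the same thing.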
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-23 01:28
Reported
2024-01-23 01:31
Platform
win10v2004-20231215-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe
"C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
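The table mixes two kinds of traffic: reverse (in-addr.arpa) lookups, which are host background noise, and repeated forward lookups of one name, unic16m.top, with no TCP connection recorded anywhere in the report. The script below is an added example, not part of the sandbox output: it parses the rows exactly as the page prints them (the rows are copied from the table above), turns each PTR name back into the IP that was being resolved, and separates the forward lookups so the candidate C2 name and its query count stand out. The 5-query threshold is an assumption of this example.

```python
"""Summarize a sandbox DNS table: split PTR noise from forward lookups and
count how often each name was queried. Added example; rows copied from the
behavioral2 Network table above."""
import re
from collections import Counter

REPORT_ROWS = """\
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
| US | 8.8.8.8:53 | unic16m.top | udp |
"""

ROW_RE = re.compile(r'^\|\s*(?P<cc>\w+)\s*\|\s*(?P<dst>[^|]+?)\s*\|\s*(?P<name>[^|]+?)\s*\|\s*(?P<proto>\w+)\s*\|$')
PTR_RE = re.compile(r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$', re.I)


def parse_rows(text):
    """One dict per '| cc | dst | name | proto |' row; other lines are skipped."""
    return [m.groupdict() for m in (ROW_RE.match(l.strip()) for l in text.splitlines()) if m]


def ptr_to_ip(name):
    """'228.249.119.40.in-addr.arpa' -> '40.119.249.228'; None for forward names."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def summarize(rows):
    forward, reverse, resolvers = Counter(), Counter(), Counter()
    for r in rows:
        resolvers[r["dst"]] += 1
        ip = ptr_to_ip(r["name"])
        if ip:
            reverse[ip] += 1                       # host resolving an IP it talked to
        else:
            forward[r["name"].lower().rstrip(".")] += 1
    return {"forward": forward, "reverse": reverse, "resolvers": resolvers}


def beacon_candidates(summary, min_queries=5):
    """Forward names queried at least min_queries times during the run."""
    return sorted(n for n, c in summary["forward"].items() if c >= min_queries)


if __name__ == "__main__":
    s = summarize(parse_rows(REPORT_ROWS))
    print("forward:", dict(s["forward"]))
    print("reverse IPs:", sorted(s["reverse"]))
    print("candidates:", beacon_candidates(s))
```

A name queried 21 times inside a 150-second detonation, with nothing but DNS in the table, is consistent with the lookup failing or being retried; the report records queries, not answers, so whether unic16m.top resolved at the time cannot be read from it. Block the name regardless, and treat the PTR targets as the host's own telemetry unless other evidence ties them to the sample.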
Files
C:\Users\Admin\AppData\Local\Temp\yyvJvClPkQhb\_Files\_Screen_Desktop.jpeg
| MD5 | b5e49f1fbd980dcfcae319727f1036ff |
| SHA1 | 67756731cceda77b955aa4a50675880c076038e9 |
| SHA256 | 2f2cfae472ddab5d58efdad055875e671affa51be73565bd4995fce2e31adbd6 |
| SHA512 | 2ea90083b24ed9abf940e8a7389c3b4ae93e47516e6f789fadafee293b26529767a1b266fb9deb471092ca6f526271485cf086a48a249d699689bd550e9b3b54 |
C:\Users\Admin\AppData\Local\Temp\yyvJvClPkQhb\_Files\_Information.txt
| MD5 | 2d094c1af69d172848a7f480f1af6f68 |
| SHA1 | 59dbf9849800d64e1e598ab0f875b1219ea55b88 |
| SHA256 | 69d97fb41ef136c995b9bb73ba45b96b63ae142211194941163ee505a6853c0b |
| SHA512 | 66714c891c3f5598e04f89acfe635b13702251cda82e5ae68cd061b0c9894f988a337ea347f4212e851a83bcd6df54d2207e55d5d392db9ba526c28316506c1b |
C:\Users\Admin\AppData\Local\Temp\yyvJvClPkQhb\_Files\_Information.txt
| MD5 | e24fed1ffa967f5128ebb49ef4d8aef1 |
| SHA1 | a2ad707f6da81e88f6df1284c9dcffb49762ccf8 |
| SHA256 | d722779316ac838fa7c33a0a4768754d632126f8dc9d7f57d57605c29a581d32 |
| SHA512 | 52db06e170f914c234dd14af9fa9274309d725712533fb27d79ca3063846fe8eb916d0b8d90ced3be22b844e28d753f859a8c94aff39dde090cab01059a18810 |
C:\Users\Admin\AppData\Local\Temp\yyvJvClPkQhb\_Files\_Information.txt
| MD5 | 67c77e77a00a38d972bc107209bbb080 |
| SHA1 | f2b305b253db2ebefa5361b9510a0f311c59d424 |
| SHA256 | aa19330e6cce7f491ea10b28b04550366caaecd721299a1b4762902cae41f2d8 |
| SHA512 | 359e7777b42a6c42aeb5b51fffcfba4fd7caf608722cb5b2c36d8ff849bdc6c0c764e8e1dbe76d901b75146160722f0c3f6983e192c9efcdeafcf15272a4bfc3 |
C:\Users\Admin\AppData\Local\Temp\yyvJvClPkQhb\EcVdGeJTNQpTC.zip
| MD5 | 98befa7052a255b88aa66b6503c09b53 |
| SHA1 | 8b2443c7a8696646e1a79bc0b1585879490f7e8b |
| SHA256 | 6a631c42b4378fb6a73ac302ddcee0e4c1fd553d4f447cfbe670db5bd428ff7e |
| SHA512 | 6c3f236c63d0c5219b42da0e98b0c17d00b74b135efb585da3628438136a614d685dff99f637d8d082dff051f4bbbf0e0448813d44c2732a27e9a0de88151470 |