Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
  • submitted
    24-01-2024 00:32

General

  • Target

    70f6d008869f17c3e7a0331102af159b.exe

  • Size

    3.2MB

  • MD5

    70f6d008869f17c3e7a0331102af159b

  • SHA1

    e22527ec22fd44d25e31a32c0048f09494de7581

  • SHA256

    ad7a74ddae7cc81d8610ab6bedb94857f38c03b795c4a612fbacc47941286709

  • SHA512

    9f81b856d0e477c03bfe34581316661d79c1b8d34f1c69033b93be9e638d42653caca94ee38384b4cd889ee26a9b2bcbea9b0e1fbb5fb5a9f2b1cc6e34072c36

  • SSDEEP

    49152:nZOi6qmoiGguu1bzMKmkwGYU7n5qLwAO+PCEMSOvkJgaEYotide9O5m9x4lPytUp:ZSXuuNZwRU7UnZrOv8gvqOMRdgUr

Malware Config

Extracted

Family

cryptbot

C2

bundky32.top

morfug03.top

Attributes
  • payload_url

    http://tobhay04.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ information stealer, widely distributed bundled with other software.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 12 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
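The registry-based sandbox checks flagged above (ACPI table names, BIOS and processor strings, EnableLUA) are exactly what an analysis VM gets fingerprinted on. The script below is an added example, not part of the report or of the sample: run it on the Windows analysis VM to see whether it exposes the same markers. The registry paths and marker strings are assumptions based on how these checks are conventionally implemented; the report does not list the exact keys the sample read, and the NtSetInformationThread anti-debug check is out of scope here.

```python
"""Self-check of an analysis VM against the registry-based VM/sandbox checks
listed in the report (ACPI tables, BIOS strings, CPU strings, EnableLUA).
Added example; the keys below are the conventional ones (assumption), not
taken from the report."""
import sys

# HKLM value names commonly read by VirtualBox / BIOS / CPU fingerprinting code.
VALUE_CHECKS = {
    r"HARDWARE\DESCRIPTION\System": ["SystemBiosVersion", "VideoBiosVersion", "SystemBiosDate"],
    r"HARDWARE\DESCRIPTION\System\BIOS": ["SystemManufacturer", "SystemProductName", "BIOSVendor"],
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0": ["ProcessorNameString", "VendorIdentifier"],
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": ["EnableLUA"],
}
# ACPI table keys whose subkey names carry the table OEM id (e.g. VBOX__ under DSDT).
ACPI_TABLE_KEYS = [r"HARDWARE\ACPI\DSDT", r"HARDWARE\ACPI\FADT", r"HARDWARE\ACPI\RSDT"]
# Substrings a VM-aware sample would look for (assumption: common hypervisor ids).
VM_MARKERS = ("VBOX", "VIRTUALBOX", "INNOTEK", "VMWARE", "QEMU", "BOCHS", "XEN", "VIRTUAL")


def assess(values, acpi_subkeys):
    """values: {(key, value_name): value}; acpi_subkeys: {key: [subkey names]}.
    Returns human-readable findings that a VM-aware sample would act on."""
    findings = []
    for (key, name), val in values.items():
        if isinstance(val, (list, tuple)):          # REG_MULTI_SZ comes back as a list
            val = " ".join(str(v) for v in val)
        if name == "EnableLUA":
            if str(val) == "0":
                findings.append(f"UAC disabled ({key}\\EnableLUA=0): unusual on a real user machine")
            continue
        text = str(val).upper()
        for marker in VM_MARKERS:
            if marker in text:
                findings.append(f"VM marker '{marker}' in {key}\\{name} = {val!r}")
                break
    for key, subs in acpi_subkeys.items():
        for sub in subs:
            if any(marker in sub.upper() for marker in VM_MARKERS):
                findings.append(f"VM marker in ACPI table id {key}\\{sub}")
    return findings


def read_live():
    """Read the keys above from the local machine (Windows only: needs winreg)."""
    import winreg
    values, acpi = {}, {}
    for key, names in VALUE_CHECKS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
                for n in names:
                    try:
                        values[(key, n)] = winreg.QueryValueEx(h, n)[0]
                    except OSError:
                        pass                         # value absent: not a finding
        except OSError:
            pass
    for key in ACPI_TABLE_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
                subs, i = [], 0
                while True:
                    try:
                        subs.append(winreg.EnumKey(h, i))
                        i += 1
                    except OSError:                  # end of enumeration
                        break
                acpi[key] = subs
        except OSError:
            pass
    return values, acpi


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows analysis VM")
    for line in assess(*read_live()) or ["no obvious VM markers found"]:
        print(line)
```

Anything it prints is a string the sample could have matched on as well; scrubbing the BIOS and ACPI OEM identifiers in the hypervisor configuration, rather than in the guest registry, is what actually changes the result.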

Processes

  • C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe
    "C:\Users\Admin\AppData\Local\Temp\70f6d008869f17c3e7a0331102af159b.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:4884

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\XmLkMhUWy\_Files\_Information.txt

    Filesize

    1KB

    MD5

    d833b41d54d47aed7bc762786e3bdad8

    SHA1

    b68aa241ec672d0ecf3746b9a18f95d8a85f2123

    SHA256

    6d990b8d524c08f810b49826fd032fd665da34dd055a191ee7a82a7f2783fc50

    SHA512

    0eab9b53a88afc526d5c3aa21a2bc8bdc82a5a698b14b7965d11b50e76ccc28a61ea2fbb93b8be5eb6a9dba206b741461b4394b50f7e9fe92051bb55c9e1d6f3

  • C:\Users\Admin\AppData\Local\Temp\XmLkMhUWy\_Files\_Information.txt

    Filesize

    4KB

    MD5

    005306321219f19c072a205d2fb854e1

    SHA1

    e5370940cc32745c975c072a99e060615ee33c61

    SHA256

    a3efc7e529b500e39f7655eff7aecad4d54b496d094fcdd8d04bc2849586d570

    SHA512

    c0ff490c670a0b48e77c2647404d39ee9901ad2e73d893db84cea1f6c5c3e186b779cdb4f971608423c959d483c5b96ef0f65d1522af52a163a145966fd5e3c1

  • C:\Users\Admin\AppData\Local\Temp\XmLkMhUWy\_Files\_Screen_Desktop.jpeg

    Filesize

    52KB

    MD5

    05efd7dd968d5559336850142e05aa7f

    SHA1

    8c15802bec9d36c2a427ba944e4149f24cba85f6

    SHA256

    faaabb8bf77f7a36fd38578199a80336e880a56e4c6ee71ab6448b5919e406fa

    SHA512

    730d07a01af346688f24a5878e27bee12758f2a569d22b0c5c571e9234b4b224b9dd53e2db67ce15d0714a5b6b7d626a57f636b8b4cadb63fc8102b653e2f014

  • C:\Users\Admin\AppData\Local\Temp\XmLkMhUWy\files_\system_info.txt

    Filesize

    718B

    MD5

    1f1caafdc1691b749520e6afefb2487c

    SHA1

    d64f39b6e6158204b11b938fab6d9160fa212c3b

    SHA256

    60f3c380f8e666a17b8f7698241f84c33ecee72895458d42c383fba56d976514

    SHA512

    776d42c2572e196498ce4358b41c1b4dcefb15aec1c85958c3f8ab6e3d1684a551f2b39a3be88b0f689b38703500300048e42d09f3d89fd1988e3623ecaae5af

  • C:\Users\Admin\AppData\Local\Temp\XmLkMhUWy\files_\system_info.txt

    Filesize

    1KB

    MD5

    cbf13a030532a2c5b7514989290273b5

    SHA1

    98e4c9b1de21e84bdea0b8dd7ecb2f1f2937e01c

    SHA256

    f94e0ae38ee503d36a2fab7962947388631614fd0dc030a53ce88f99c826b5f1

    SHA512

    6d533f5fb10c8026b44b49adf5e4abfaca7bde4e17ee9cde473438768c167ba3e626d6769393a76f805fa835a95090f3c9b5f5ac336ac8227617d7e91225628d

  • C:\Users\Admin\AppData\Local\Temp\XmLkMhUWy\files_\system_info.txt

    Filesize

    1KB

    MD5

    6f4462229c1ae64a5e0fb4b5aebea08f

    SHA1

    aefd4b3f1a57cf699892229e5997990633d385d0

    SHA256

    7143033f7bf773ba8f5ca759844f9d69f0105ec168e0d0be3fade84282100b3f

    SHA512

    e41996a552945c0e68d6c790e7d095fbbccf518d1797713ad30f1f0e34e9bde5395fdad52b3c29985b79b33fe619d074f96b2c4c519cca03b20d147189f226f0

  • C:\Users\Admin\AppData\Local\Temp\XmLkMhUWy\files_\system_info.txt

    Filesize

    4KB

    MD5

    a8d666f80b1fbeb1ab1a4250286081a9

    SHA1

    bc3017b0bff38239307d3a21e09bee6823b720f5

    SHA256

    2e600e1eba6d8e30ae9283a1c4ed339a393575dbdc238910ab93a9dd8d553426

    SHA512

    46e67b9ee036b638d7b1a1a33c3fde0654294a9ee749c88a9a70ec691f90a0b410500512233734939deab74f0f075d9cd3959ea72c4e694745968fb68e644114

  • C:\Users\Admin\AppData\Local\Temp\XmLkMhUWy\ujZsQEfhrT.zip

    Filesize

    46KB

    MD5

    0603583d33d065aa16ec9551c184a6e6

    SHA1

    52655d16f016b64644dc8454cad5a7de449b59c0

    SHA256

    028cbfe24496e291e0029b2e9f94543f46fbb8e2fdd7f5ec93da3c74f53d4d76

    SHA512

    002037438cea27c6ed20596c4fbb800de757f5900d854d717f12dc04f2b43a505e795c7d69c73294c6addde95925be290bbfff933d8491b6be92b97a9c51eb1f

  • memory/4884-3-0x0000000000470000-0x0000000000C5C000-memory.dmp

    Filesize

    7.9MB

  • memory/4884-11-0x0000000000470000-0x0000000000C5C000-memory.dmp

    Filesize

    7.9MB

  • memory/4884-5-0x0000000000470000-0x0000000000C5C000-memory.dmp

    Filesize

    7.9MB

  • memory/4884-4-0x0000000000470000-0x0000000000C5C000-memory.dmp

    Filesize

    7.9MB

  • memory/4884-6-0x0000000000470000-0x0000000000C5C000-memory.dmp

    Filesize

    7.9MB

  • memory/4884-2-0x0000000000470000-0x0000000000C5C000-memory.dmp

    Filesize

    7.9MB

  • memory/4884-1-0x0000000077B74000-0x0000000077B76000-memory.dmp

    Filesize

    8KB

  • memory/4884-0-0x0000000000470000-0x0000000000C5C000-memory.dmp

    Filesize

    7.9MB

  • memory/4884-8-0x0000000000470000-0x0000000000C5C000-memory.dmp

    Filesize

    7.9MB

  • memory/4884-217-0x0000000000470000-0x0000000000C5C000-memory.dmp

    Filesize

    7.9MB

  • memory/4884-220-0x0000000000470000-0x0000000000C5C000-memory.dmp

    Filesize

    7.9MB

  • memory/4884-7-0x0000000000470000-0x0000000000C5C000-memory.dmp

    Filesize

    7.9MB

  • memory/4884-226-0x0000000000470000-0x0000000000C5C000-memory.dmp

    Filesize

    7.9MB
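The Downloads list above shows the on-disk footprint the stealer leaves before exfiltration: a randomly named directory under %TEMP% holding `_Files\_Information.txt`, `_Files\_Screen_Desktop.jpeg`, `files_\system_info.txt` and a randomly named `.zip`. The script below is an added example, not part of the report or the sample, that hunts for that layout on a host. The directory shape is taken from the report; the letter-only name pattern and the scoring weights are assumptions, and `demo()` builds a constructed tree only to show the expected result.

```python
r"""Hunt for CryptBot-style exfil staging directories of the shape this report
lists under Downloads:
    %TEMP%\<random>\_Files\_Information.txt
    %TEMP%\<random>\_Files\_Screen_Desktop.jpeg
    %TEMP%\<random>\files_\system_info.txt
    %TEMP%\<random>\<random>.zip
Added example: the layout comes from the report, the scoring is ours."""
import os
import re
import shutil
import tempfile
from pathlib import Path
from typing import Optional

STAGING_SUBDIRS = ("_Files", "files_")
STAGING_FILES = {"_Information.txt", "_Screen_Desktop.jpeg", "system_info.txt"}
# Assumption: letter-only random names, as in XmLkMhUWy and ujZsQEfhrT above.
RANDOM_NAME = re.compile(r"^[A-Za-z]{6,16}$")


def score_dir(d: Path) -> Optional[dict]:
    """Return evidence for one candidate directory, or None if it does not match."""
    if not d.is_dir() or not RANDOM_NAME.match(d.name):
        return None
    subdirs = [s for s in STAGING_SUBDIRS if (d / s).is_dir()]
    if not subdirs:
        return None
    files = sorted({p.name for s in subdirs for p in (d / s).iterdir()
                    if p.name in STAGING_FILES})
    zips = sorted(p.name for p in d.iterdir()
                  if p.is_file() and p.suffix.lower() == ".zip" and RANDOM_NAME.match(p.stem))
    score = len(subdirs) + len(files) + (2 if zips else 0)   # ad hoc weights (assumption)
    return {"dir": str(d), "subdirs": subdirs, "files": files, "zips": zips, "score": score}


def hunt(temp_root, min_score: int = 3) -> list:
    """Scan the directories directly below temp_root (e.g. %LOCALAPPDATA%\\Temp)
    and return those that look like staging dirs, highest score first."""
    results = []
    for d in Path(temp_root).iterdir():
        try:
            r = score_dir(d)
        except OSError:            # unreadable entry: skip it, do not abort the hunt
            continue
        if r and r["score"] >= min_score:
            results.append(r)
    return sorted(results, key=lambda r: -r["score"])


def demo() -> list:
    """Build a constructed tree mirroring the report's artifacts, hunt it, clean up."""
    root = tempfile.mkdtemp()
    try:
        stage = Path(root) / "XmLkMhUWy"
        for rel in ("_Files/_Information.txt", "_Files/_Screen_Desktop.jpeg",
                    "files_/system_info.txt", "ujZsQEfhrT.zip"):
            (stage / rel).parent.mkdir(parents=True, exist_ok=True)
            (stage / rel).write_bytes(b"")
        (Path(root) / "benignapp" / "cache").mkdir(parents=True)   # decoy without staging subdirs
        return hunt(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    temp = os.environ.get("TEMP") or tempfile.gettempdir()
    for hit in hunt(temp):
        print(hit)
```

On a live host point it at each user's `%LOCALAPPDATA%\Temp`; the zip and the `_Files` directory are usually deleted after upload, so a `files_` directory alone (score 2) is worth a second look even though it falls below the default threshold.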