Analysis Overview
SHA256
70526e6e5bd07f7a0eb2dab278c107340fcd9f59505af54507528fd8032bc5df
Threat Level: Known bad
The file 720783dc09fc172c0983eeb3b489564c was found to be: Known bad.
Malicious Activity Summary
CryptBot payload
CryptBot
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Analysis: static1
Detonation Overview
Reported
2024-01-24 10:47
Signatures
Unsigned PE
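The "Unsigned PE" verdict means the sample carries no Authenticode certificate table, so there is no publisher to hold accountable and no signature to verify. The check itself is cheap: the Certificate Table is data directory entry 4 of the PE optional header. The following is an added example written for this page, not sandbox code; it parses that entry with the standard library only and builds header-only test images so it runs offline. The two image-building helpers construct synthetic headers, not real samples.

```python
from __future__ import annotations

import struct

# Data directory index 4 is the Certificate Table (Authenticode signature).
# For this entry the first dword is a raw file offset, not an RVA.
CERT_TABLE_INDEX = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def certificate_table(data: bytes) -> tuple[int, int]:
    """Return (file_offset, size) of the Certificate Table, or (0, 0) if absent."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dirs = opt + 96      # data directories follow 96 bytes of fixed PE32 fields
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112     # 112 bytes for PE32+ (64-bit ImageBase and size fields)
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]       # NumberOfRvaAndSizes
    entry = dirs + CERT_TABLE_INDEX * 8
    if n_dirs <= CERT_TABLE_INDEX or entry + 8 > opt + opt_size:
        return (0, 0)
    return struct.unpack_from("<II", data, entry)


def is_signed(data: bytes) -> bool:
    """True when a Certificate Table is present. Presence is not validity:
    the chain still has to be verified (signtool, Get-AuthenticodeSignature)
    before the file is trusted."""
    offset, size = certificate_table(data)
    return offset != 0 and size != 0


def build_pe(cert_offset: int = 0, cert_size: int = 0, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE for the example (not a real sample)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew -> right after DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    fixed = 112 if pe32plus else 96
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, fixed - 4, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, fixed + CERT_TABLE_INDEX * 8, cert_offset, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print("unsigned:", is_signed(build_pe()))
    print("signed:  ", is_signed(build_pe(0x1000, 0x800)))
```

An empty entry is the definitive "unsigned" answer; a populated entry only tells you a signature blob exists, and malware does ship with revoked, stolen or self-signed certificates, so treat `is_signed` as a triage filter rather than a trust decision.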
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-24 10:47
Reported
2024-01-24 10:50
Platform
win7-20231129-en
Max time kernel
144s
Max time network
149s
Signatures
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe
"C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
Files
memory/2988-1-0x00000000024F0000-0x00000000025F0000-memory.dmp
memory/2988-2-0x0000000000310000-0x00000000003B0000-memory.dmp
memory/2988-3-0x0000000000400000-0x0000000002406000-memory.dmp
memory/2988-4-0x0000000002490000-0x0000000002491000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ev8JaGK\_Files\_Information.txt
| MD5 | 0711014736cadd9d62fb17e2b5c5bf80 |
| SHA1 | da13b150a095de44a03890882336c86570cb632a |
| SHA256 | e11b7b5f7e67f1541f639adcca11be74a7aebaa05f10dbf0bbf4a2e897765b52 |
| SHA512 | 061518f65545ae3354c1b7b541080b772b9d62975f114454e09551ca807886d0241f2174e1e64506af50e44112a517ee3f9f441aea0a2df33f6a9622f709f3d7 |
C:\Users\Admin\AppData\Local\Temp\ev8JaGK\_Files\_Information.txt
| MD5 | 3964d390dfc60d775ed64605053561c5 |
| SHA1 | f79da731e048aab22ef3de9f10cead9e0b0e9fb2 |
| SHA256 | a75b07188b19adba342495ed5cf56e62cfd652e30a254e9093cf5bcb5446cbfc |
| SHA512 | 2f0bb5ad62cce3cca9889a179c0da0e122aa80821f24b426a0b663716018e9ad0c6166b5c87aebec27e1e91d2977acd45496236e2f85e321cbaaea655ecd2ee0 |
C:\Users\Admin\AppData\Local\Temp\ev8JaGK\_Files\_Information.txt
| MD5 | 67778e70e9edc6e6f9dbeef3d1289fd3 |
| SHA1 | fd89b01ab880078e10bd0d81a6264e44093701c7 |
| SHA256 | 19f9ff24e8d178b74be637d8da20eea9dc6061ce14854ad1d1b92bae3d9d8337 |
| SHA512 | 68073c906866e625645fc246996961d3e58feb28bb2c3aecf5dd045f8c6e02314bfb2a6446876147c0b8c59892fc014b595d61f1d394f4a1560121e28f873cc8 |
C:\Users\Admin\AppData\Local\Temp\ev8JaGK\_Files\_Information.txt
| MD5 | 668ce412d429cb3a0c225dce3728a2fc |
| SHA1 | 5fe4336b2f31ce09f48afe0ee99f1f555bd78656 |
| SHA256 | a213facd208af1e82993e04d8bd1f3abfeddaa9cea2fa95862aa891e536202da |
| SHA512 | 5919cdb608e152093d103c13d8b47036c53f8ff36f84cf8c5ec5a4517e290c0ab87febefad2e1d089db6b87d724f1ee48c6936d242ebae0e5b5efcd2716b5a84 |
C:\Users\Admin\AppData\Local\Temp\ev8JaGK\files_\system_info.txt
| MD5 | a72c4e038d21b8589c5e76b5db95efbd |
| SHA1 | 372f54d722a9c6a75fcb78ff510425b2b61fbe33 |
| SHA256 | 8fd0b31dfe02a2cd472831122a488510038b2cfcb217d732861df2ad6b5adc06 |
| SHA512 | 32971d2d5584a7164a32434ad63426b9197a90283de1c8bd351266150c226d31f4252f79c4557c66bf4ec9ba5ed6b41da136e8cbe8d2c7e3f4f83a0b50893344 |
C:\Users\Admin\AppData\Local\Temp\ev8JaGK\files_\system_info.txt
| MD5 | 381bf1811f1eed2b808b7f6b9f6b89d9 |
| SHA1 | 8240593b30c4fc094dc3badf480bbc83adc72864 |
| SHA256 | 79a7f6756387f8724b05d35792425af0fa40936f4ab615ae43ce8031c649a19b |
| SHA512 | 08d0b34a6814b8db2dc8d7d746fba6f860afedb71903ccea50fca0b4a22787589c43e9ab5bb6ae444fe76d61dcd90b78a2199932e08e489003d72edf1be379c1 |
C:\Users\Admin\AppData\Local\Temp\ev8JaGK\_Files\_Screen_Desktop.jpeg
| MD5 | 2b2597c6b0ea3a6bd3157813882d96f8 |
| SHA1 | 1ceb1bfbdd614be82ce356e03655bdd6127678fe |
| SHA256 | 7f71340848a81ecd5288f7a97d28e5a870e69cba3f59168a0c743960c0c0f13d |
| SHA512 | 05eb58332a857c3312ab8b0a7da35be9c363eff54d06a69f8d6e333f3a40268c92bdc1eb0432f259a9fd0315dba116ca802e729acace6d594a5a6c984c323c35 |
C:\Users\Admin\AppData\Local\Temp\ev8JaGK\files_\system_info.txt
| MD5 | 684ba351d5c0ec6f3316afc3516f2cd1 |
| SHA1 | 332635d0b10da4aa1ec471482bdb075ad61ec6dd |
| SHA256 | 0abdeb43834f717b2445ea4364c17dafc15ecfc9a542ac78d4a43807a6107b36 |
| SHA512 | b3a5b6ed3eab301a9ff9200c34514b0fca0bba292e72c0ec229dc47ff071fa5790b0456e805f7f2a698826a74211a3a5988f4d9b7b829c62e2ab07b827380da7 |
C:\Users\Admin\AppData\Local\Temp\ev8JaGK\files_\system_info.txt
| MD5 | 1860a288caa5253207f4529cd55401a7 |
| SHA1 | fca3c15c7e474994b04659b0d105366f41eb302a |
| SHA256 | d2bd41fbb5a21816ffa400cfb18d3e89a75adead5dd25d11f5e231bee762bf20 |
| SHA512 | 708789ce5032682de4a0b09758440566c13a8974304589aeadb948d0a9e82c435eca24e01302ec393d41deee7d4c45f27b5b3d0a6e1f7b011452a696c64ab590 |
memory/2988-221-0x0000000000400000-0x0000000002406000-memory.dmp
memory/2988-225-0x0000000000310000-0x00000000003B0000-memory.dmp
memory/2988-224-0x00000000024F0000-0x00000000025F0000-memory.dmp
memory/2988-227-0x0000000002490000-0x0000000002491000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ev8JaGK\DWZgKStjZqykg.zip
| MD5 | 9d4872c34d4fa6a0e19d36c0d82a7c3f |
| SHA1 | e646009925c04bb7abea0db9fc1dfd6dd1c5db62 |
| SHA256 | 6ba072b7a4200262ed86f4da0c48da415b0fd03bb808256ad0d9567ae40a5e72 |
| SHA512 | 4ec8fc79700b0fafa498031a5879da366895f6326cd1d7e05329b00103255d1c70db8e40b82db68f301d12cb167487f914a29fa9921bf5cd908c3d653c6c488e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-24 10:47
Reported
2024-01-24 10:50
Platform
win10v2004-20231215-en
Max time kernel
145s
Max time network
152s
Signatures
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe
"C:\Users\Admin\AppData\Local\Temp\720783dc09fc172c0983eeb3b489564c.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| US | 8.8.8.8:53 | morwye06.top | udp |
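Two patterns in the Network table above are worth pulling out mechanically: the sample resolves knuzjh62.top over and over, then falls back to morwye06.top, while the in-addr.arpa rows are reverse lookups of unrelated addresses that the guest OS or sandbox tooling generates. The following added example (written for this page, not sandbox output) re-parses those rows as if they were DNS log lines and applies a simple analyst heuristic. The TLD watchlist, the internal resolver address and the label regex are assumptions chosen for the example; the regex only encodes the shape of the two domains seen here (letters followed by two digits), not a documented CryptBot naming scheme.

```python
from __future__ import annotations

import re
from collections import Counter

# Rows copied from the behavioral2 Network table; used here as constructed log input.
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | knuzjh62.top | udp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| US | 8.8.8.8:53 | morwye06.top | udp |
| US | 8.8.8.8:53 | morwye06.top | udp |
"""

# Assumptions for the example: an analyst watchlist of abuse-prone TLDs, the
# organisation's own resolver, and the label shape of the two domains above.
WATCHLIST_TLDS = {"top", "xyz", "icu", "cfd", "shop"}
INTERNAL_RESOLVERS = {"10.0.0.53:53"}
LABEL_RE = re.compile(r"^[a-z]{4,12}\d{2}$")


def parse_rows(text: str) -> list[tuple[str, str, str, str]]:
    """Split pipe-delimited rows into (country, destination, domain, proto)."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            rows.append(tuple(cells))
    return rows


def triage_dns(text: str) -> dict:
    counts: Counter[str] = Counter()
    flagged, ptr_lookups, external = set(), 0, 0
    for _country, dest, domain, _proto in parse_rows(text):
        if dest not in INTERNAL_RESOLVERS:
            external += 1                       # host talking straight to a public resolver
        if domain.endswith(".in-addr.arpa"):
            ptr_lookups += 1                    # reverse lookups: usually OS/sandbox noise
            continue
        counts[domain] += 1
        label, _, tld = domain.rpartition(".")
        if tld in WATCHLIST_TLDS and LABEL_RE.fullmatch(label):
            flagged.add(domain)
    return {"counts": counts, "flagged": flagged,
            "ptr_lookups": ptr_lookups, "external_resolver_queries": external}


if __name__ == "__main__":
    result = triage_dns(NETWORK_ROWS)
    for domain in sorted(result["flagged"]):
        print(f"{domain}: {result['counts'][domain]} queries")
```

In the sandbox every query goes to 8.8.8.8 because that is the guest's configured resolver, so the external-resolver count is trivially the whole table. On a managed endpoint the same counter is a useful signal in its own right: a user-mode binary in %TEMP% bypassing the internal resolver is behaviour worth blocking at the egress firewall regardless of which domain it asks for.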
Files
memory/4340-1-0x0000000002620000-0x0000000002720000-memory.dmp
memory/4340-2-0x0000000004150000-0x00000000041F0000-memory.dmp
memory/4340-3-0x0000000000400000-0x0000000002406000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zqX3z8f0Prg\_Files\_Information.txt
| MD5 | ed9142ba627a4d40df81a9e7dccaaefc |
| SHA1 | b446f953721d4b73dce5db9ccdcf8ee7054b9d8b |
| SHA256 | 5f6be384beaa5a3d6d83f1ac8cf92e0e50fd6e84920d8ece77034aafd7bebb74 |
| SHA512 | 3a16d2e317425fd82cd91c4a64e2cadcf36b3cc880332830f395405608e5bfab255cfa4b1c1aa7b086f4fc38419b7d567f2838bbc3fdcea409868cbc01cc64ab |
C:\Users\Admin\AppData\Local\Temp\zqX3z8f0Prg\_Files\_Information.txt
| MD5 | ba2b2acce6f4bff98b95766aefa122ab |
| SHA1 | 032778f3d31eade9d91b3244270c8b75b400c77d |
| SHA256 | e8934a028d9dec40f09c7035d8acc7ea1d93ea5f70f5b1c1ed2ae62c24bf1a21 |
| SHA512 | 15ebc245485785e6c64727ca5da8928f4cd87ff7be17f2bff4cfa10e344927bff27e8aa88e2107f7237f92a7a176fdd6db05b0d3c027250695ea43952a6b22d6 |
C:\Users\Admin\AppData\Local\Temp\zqX3z8f0Prg\_Files\_Information.txt
| MD5 | b2caf3322b8ca46205b66428ebaf62ef |
| SHA1 | d7aec95ed2567ed3d924f9636757715c4747973c |
| SHA256 | 36c3fead154607ca32f98f5aab64bd8143bf1db7b7f8bde57d08045ac1b541ea |
| SHA512 | 488d3bf6d2ff28d2a382afb5afa8eca22587b7191e05bd787e0687d8f5b20bb495e4cf886b228cd9df100cd5b13fc84decbfc80925600ac4792790a2a745176f |
C:\Users\Admin\AppData\Local\Temp\zqX3z8f0Prg\_Files\_Screen_Desktop.jpeg
| MD5 | 97c23900391c2b430dcc9ba0a0b23053 |
| SHA1 | 9a1037d14f4a6d5bc736cf7673bd3e4d98c650b5 |
| SHA256 | 18ea6f7e1efd00fd86ca385c9776c302ca7a13a37d2d6107c7665ad3f7b95830 |
| SHA512 | 9b3a07fc6569b717135d849129b4e5df49675ce4e56cb1fdc37d31e76f088725dc5db1e176ffa7e5d87de07d109d295390c3347770ee36b531f00addb22b96a9 |
C:\Users\Admin\AppData\Local\Temp\zqX3z8f0Prg\files_\system_info.txt
| MD5 | 59f9354fd11aa5760597228093613520 |
| SHA1 | 78e0046c41aab5aae8fcc6c169a946458277ff74 |
| SHA256 | a2dacb518067b1a190a02ea8b94d3690f8435561404cc103c81cdcb0165ea56f |
| SHA512 | 78672f14b8a9cf196901a8169d7d035ea87682e1dee87b24d48f47bb6dfc8ee16296c6c6cb1ddba142eca5a6f7d91cc0da8a37802dbe5cba253789d3bbe72fac |
C:\Users\Admin\AppData\Local\Temp\zqX3z8f0Prg\files_\system_info.txt
| MD5 | f693488194e528fb3ed1055c4d446e83 |
| SHA1 | 854ae5b11303ad3acb57b81cd0a5e80a450ec06d |
| SHA256 | 3309043d4ecd26df4e583ac784ae16f0735cdfd495106dde3ccbc25567a7d83d |
| SHA512 | e4f3e761026d364443bb5550e7cbf0503abab191d1b242f80607105230846642bfe0e8d34891978db88499771a85dd70d202bb431c55d057a479422054ed2976 |
C:\Users\Admin\AppData\Local\Temp\zqX3z8f0Prg\files_\system_info.txt
| MD5 | d633532be5085bad69cacd15e794d0ab |
| SHA1 | e596e1b1974c53335cbb61504558255b6f36553b |
| SHA256 | 47223e2779f0129de8e0d92733cf907c1e26e701485846abeae24ba2b882c1b1 |
| SHA512 | 3ab8802108ae208a43235266e779d627ab7891bee04ea875afc594939cbc2a625c94d8d4d5464a3b33a660125e0bde26edf250556826babedce02b206883bcc3 |
memory/4340-208-0x0000000000400000-0x0000000002406000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zqX3z8f0Prg\5AIbdOQWKxW.zip
| MD5 | 6b61bcf72bf18e4dbdeb9234894cbba8 |
| SHA1 | db58eb673791f46dc80f129b9c25a84aa887da2b |
| SHA256 | 39526454077167ac85b958827432ba7f4a816490098c52f1f66c760676851dab |
| SHA512 | 214ec8035098e5fcc218663e325f0eb828bc6c016fefd1ccb7a597078e2f15be219f822975e1dfe553881144bcdab8d822e82710324c0ca4e5e1e2a2cfe8bcd3 |
memory/4340-212-0x0000000002620000-0x0000000002720000-memory.dmp
memory/4340-213-0x0000000004150000-0x00000000041F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zqX3z8f0Prg\AfobSHSaqYUF.zip
| MD5 | edab6b8368454d0dd2f26cea56985912 |
| SHA1 | b63f75be394e14aee31d8abde887efca19c233af |
| SHA256 | 50abaa96a85d33bb2880662457b053ffe57b41db118139f1eea34296800da154 |
| SHA512 | 9beb2d17b9f55b06e2984c2041234629c3d5efc7837a9dd638708f7c6cfe9532c8d98cc006b9642167c0d52ec0a956651df8e43e25b1eeed5a894b44ebd4420f |
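The Files sections of both detonations show the same staging layout under a randomly named folder in %TEMP% (ev8JaGK on Windows 7, zqX3z8f0Prg on Windows 10): `_Files\_Information.txt`, `_Files\_Screen_Desktop.jpeg`, `files_\system_info.txt`, plus one or more `.zip` archives holding the collected data. The folder and archive names change per run, so hunting by name is futile; the relative layout and the archive are the stable feature, and the archive hashes listed here are the only file IOCs worth matching exactly. The following added example (not sandbox code) walks a directory the way an incident responder would sweep user temp folders, matching on layout first and on the report's SHA-256 values second. It builds its own constructed temp tree with placeholder contents, so no hash will match an IOC, which is the expected outcome for the test data.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# SHA-256 values of the three exfiltration archives listed in this report's Files sections.
IOC_SHA256 = {
    "6ba072b7a4200262ed86f4da0c48da415b0fd03bb808256ad0d9567ae40a5e72",  # DWZgKStjZqykg.zip
    "39526454077167ac85b958827432ba7f4a816490098c52f1f66c760676851dab",  # 5AIbdOQWKxW.zip
    "50abaa96a85d33bb2880662457b053ffe57b41db118139f1eea34296800da154",  # AfobSHSaqYUF.zip
}

# Relative paths that appeared under both randomly named staging folders.
STAGING_MARKERS = (
    Path("_Files") / "_Information.txt",
    Path("_Files") / "_Screen_Desktop.jpeg",
    Path("files_") / "system_info.txt",
)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_staging_dirs(temp_root: Path, min_markers: int = 2) -> list[dict]:
    """Report every direct subfolder of temp_root that looks like a CryptBot
    staging area: at least min_markers of the known files plus a .zip archive."""
    hits = []
    for folder in sorted(p for p in temp_root.iterdir() if p.is_dir()):
        present = [m for m in STAGING_MARKERS if (folder / m).is_file()]
        archives = sorted(folder.glob("*.zip"))
        if len(present) >= min_markers and archives:
            hits.append({
                "dir": folder.name,
                "markers": [str(m) for m in present],
                "archives": [a.name for a in archives],
                "ioc_hits": [a.name for a in archives if sha256_file(a) in IOC_SHA256],
            })
    return hits


def build_sample_temp() -> Path:
    """Constructed stand-in for %TEMP%: one folder mimicking the report's layout
    (placeholder contents, so no hash matches an IOC) and one benign folder."""
    root = Path(tempfile.mkdtemp(prefix="hunt-"))
    stage = root / "ev8JaGK"
    (stage / "_Files").mkdir(parents=True)
    (stage / "files_").mkdir()
    (stage / "_Files" / "_Information.txt").write_text("constructed placeholder\n")
    (stage / "_Files" / "_Screen_Desktop.jpeg").write_bytes(b"\xff\xd8\xff\xe0constructed")
    (stage / "files_" / "system_info.txt").write_text("constructed placeholder\n")
    empty_zip = b"PK\x05\x06" + b"\x00" * 18                 # minimal empty ZIP (EOCD record only)
    (stage / "DWZgKStjZqykg.zip").write_bytes(empty_zip)
    benign = root / "Installer"
    benign.mkdir()
    (benign / "setup.zip").write_bytes(empty_zip)             # a zip alone must not trigger
    return root


if __name__ == "__main__":
    for hit in find_staging_dirs(build_sample_temp()):
        print(hit)
```

Run it against the real `%LOCALAPPDATA%\Temp` of each profile on a suspect host by passing that path to `find_staging_dirs`. Note that `_Information.txt` and `system_info.txt` are listed several times above with different hashes because the sandbox captured each successive write as the file grew; their contents are victim-specific, so only the layout, not their hashes, generalises to other hosts.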