Malware Analysis Report

2024-10-19 02:36

Sample ID: 240125-cv2w5sefcq
Target: 737d02c261755ff5c920fa52d4f03fce
SHA256: 50f41c07db1d0d625cd0746a78dc15a1193f4fd0f80e6a4df40315f24efe2110
Tags: cryptbot spyware stealer discovery
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 50f41c07db1d0d625cd0746a78dc15a1193f4fd0f80e6a4df40315f24efe2110

Threat Level: Known bad

The file 737d02c261755ff5c920fa52d4f03fce was found to be: Known bad.

Malicious Activity Summary

cryptbot spyware stealer discovery

CryptBot

CryptBot payload

Checks computer location settings

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Program crash

Checks processor information in registry

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-25 02:24

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-25 02:24
Reported: 2024-01-25 02:27
Platform: win7-20231129-en
Max time kernel: 120s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe"

Signatures

CryptBot

Tags: spyware stealer cryptbot

CryptBot payload


Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe

"C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe"

Network

N/A

Files

memory/2936-2-0x0000000001D20000-0x0000000001E01000-memory.dmp

memory/2936-1-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2936-3-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/2936-7-0x0000000001D20000-0x0000000001E01000-memory.dmp

memory/2936-6-0x0000000000400000-0x00000000004E5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-25 02:24
Reported: 2024-01-25 02:27
Platform: win10v2004-20231215-en
Max time kernel: 145s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe"

Signatures

CryptBot

Tags: spyware stealer cryptbot

CryptBot payload


Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Tags: spyware

Checks installed software on the system

Tags: discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe | N/A

Delays execution with timeout.exe

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe

"C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\MlyZcXFIlenkW & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\737d02c261755ff5c920fa52d4f03fce.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2772 -ip 2772

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1656

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | ewaisg12.top | udp
US | 8.8.8.8:53 | morvay01.top | udp
US | 8.8.8.8:53 | winezo01.top | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 204.201.50.20.in-addr.arpa | udp

Files

memory/2772-1-0x0000000000570000-0x0000000000670000-memory.dmp

memory/2772-2-0x0000000002300000-0x00000000023E1000-memory.dmp

memory/2772-3-0x0000000000400000-0x00000000004E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MlyZcXFIlenkW\_Files\_Information.txt


C:\Users\Admin\AppData\Local\Temp\MlyZcXFIlenkW\_Files\_Information.txt


C:\Users\Admin\AppData\Local\Temp\MlyZcXFIlenkW\_Files\_Information.txt


C:\Users\Admin\AppData\Local\Temp\MlyZcXFIlenkW\_Files\_Screen_Desktop.jpeg


C:\Users\Admin\AppData\Local\Temp\MlyZcXFIlenkW\files_\system_info.txt


C:\Users\Admin\AppData\Local\Temp\MlyZcXFIlenkW\files_\system_info.txt


C:\Users\Admin\AppData\Local\Temp\MlyZcXFIlenkW\files_\system_info.txt


memory/2772-213-0x0000000000400000-0x00000000004E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MlyZcXFIlenkW\files_\SYSTEM~1.TXT


C:\Users\Admin\AppData\Local\Temp\MlyZcXFIlenkW\OSCPXD~1.ZIP


C:\Users\Admin\AppData\Local\Temp\MlyZcXFIlenkW\_Files\_INFOR~1.TXT


C:\Users\Admin\AppData\Local\Temp\MlyZcXFIlenkW\HIQZNH~1.ZIP


memory/2772-221-0x0000000002300000-0x00000000023E1000-memory.dmp