[3] 3763170476...92.exe
windows10-2004-x64
[10] a00f993805...f5.exe
windows10-2004-x64
[6] a27aa292f9...96.exe
windows10-2004-x64
[10] a3960e88c7...c6.exe
windows10-2004-x64
[8] b1adee00a1...f4.exe
windows10-2004-x64
[10] b9c037384e...e3.exe
windows10-2004-x64
[10] c0592acd47...d2.exe
windows10-2004-x64
[1] c14987c4c6...03.exe
windows10-2004-x64
[10] c203192bf3...c1.exe
windows10-2004-x64
[3] cf2652dc2a...c4.dll
windows10-2004-x64
[10] d2ba18358b...17.exe
windows10-2004-x64
[3] d6b7cb431b...74.exe
windows10-2004-x64
[8] db246897a0...b0.exe
windows10-2004-x64
[3] df16940f38...e0.exe
windows10-2004-x64
[10] e39833949c...ab.exe
windows10-2004-x64
[10] e98170984c...66.dll
windows10-2004-x64
[1] ea2a2d0b59...cd.exe
windows10-2004-x64
[10] eaffdf51b1...f1.exe
windows10-2004-x64
[10] eda6bb813c...f9.exe
windows10-2004-x64
[10] f4f625c6ec...fc.exe
windows10-2004-x64
[10] f72762cd37...ac.exe
windows10-2004-x64
[10] fce3d69b9c...e2.exe
windows10-2004-x64
[3] Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system -
submitted
31-07-2024 10:53
Static task
static1
Behavioral task
behavioral1
Sample
3763170476b8a4c3cb592cbea6c4471ba2ea2463db9f7839fda502ef0a06b092.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral2
Sample
a00f9938052cd7987d8740671ba12f61cde995601edb75b63d7347e48b552bf5.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral3
Sample
a27aa292f9978f85dd0fcf599491efea6abf80223d4ce4baaf56789f870c9196.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral4
Sample
a3960e88c72a663734c17d85f5015571b340789d3a9646aa71a8d7ded643a7c6.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral5
Sample
b1adee00a132b96a6f457031953b01fd1e322c57bff3fc9517b7d92d1ba884f4.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral6
Sample
b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral7
Sample
c0592acd4714d89c4f9e10ef0b2a9b4a7f0a445f24fb5212781fd47ca7d34dd2.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral8
Sample
c14987c4c6fc2de2cac43355964465d7611652e29f699d64fa292399f526c103.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral9
Sample
c203192bf329f099fddebfc57a7a258b974550e0b51a81115c9980aff02fe6c1.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral10
Sample
cf2652dc2a844f6aa436149211ea57e54102ce3ebd808eded619298c0bb16cc4.dll
Resource
win10v2004-20240730-en
Behavioral task
behavioral11
Sample
d2ba18358b1edbac5cdb875761367ce6f88ef0e61d749357a259988d15d1bc17.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral12
Sample
d6b7cb431b16723bce5523e0ac0c99fe0e583afaf1154f51cffee7420fe4dd74.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral13
Sample
db246897a0efe3c4b3cd4b9f832067815fa920045e9a5a3d0881dc9ffd958fb0.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral14
Sample
df16940f38135c9dfa808b7f19348339deca912fe54331b2dd739decdf37d9e0.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral15
Sample
e39833949c41ebb2bcc53a374f17491536b1dda70e53700b19fa53f04bf695ab.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral16
Sample
e98170984c87aa1b92df230ef020557cad5afa4cf6815f7cbd764a70a1323b66.dll
Resource
win10v2004-20240730-en
Behavioral task
behavioral17
Sample
ea2a2d0b594f527f391abdf595d5f93424d9121dc292ff458362bff765bff2cd.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral18
Sample
eaffdf51b17ef1b7b7bf01ab6e8c2dce61a3dbd875b368e06a6d3b95e100c6f1.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral19
Sample
eda6bb813cee36866a58cc01b6c928484e8751e3c442ec9739f798aeb8e453f9.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral20
Sample
f4f625c6ec130389122077c9650b1c195a7793a173a621416cea8622c14405fc.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral21
Sample
f72762cd37962e6fc7a65ae4c414589694aef8794e6d1fa8060f270f069bf1ac.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral22
Sample
fce3d69b9c65945dcfbb74155f2186626f2ab404e38117f2222762361d7af6e2.exe
Resource
win10v2004-20240730-en
General
-
Target
b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
-
Size
4.5MB
-
MD5
57afe7c6eae81f93e3e6a085b6bd7961
-
SHA1
6af9bb4cb10f0d765cf87b71f5dcfa3c5d7d61f6
-
SHA256
b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3
-
SHA512
ebd7a6029b72385d1667fa1013241dfeac19fedf2ccf1303b22105126e5de490f39af4e5a2f3dbaba462b919560fb8a421f3228c49bfb8bc569d9f8c16c40665
-
SSDEEP
98304:O/KyGgrf/TiG4GR0msmwCiYZHImJyS5qGWxpPr2C9rPZ:MZGgrf6GRFn3a/Sw7pPnrP
Malware Config
Signatures
-
CryptBot payload 14 IoCs
resource yara_rule behavioral6/memory/1804-233-0x00007FF62E350000-0x00007FF62EA27000-memory.dmp family_cryptbot behavioral6/memory/1804-239-0x00007FF62E350000-0x00007FF62EA27000-memory.dmp family_cryptbot behavioral6/memory/1804-243-0x00007FF62E350000-0x00007FF62EA27000-memory.dmp family_cryptbot behavioral6/memory/1804-258-0x00007FF62E350000-0x00007FF62EA27000-memory.dmp family_cryptbot behavioral6/memory/1804-260-0x00007FF62E350000-0x00007FF62EA27000-memory.dmp family_cryptbot behavioral6/memory/1804-263-0x00007FF62E350000-0x00007FF62EA27000-memory.dmp family_cryptbot behavioral6/memory/1804-266-0x00007FF62E350000-0x00007FF62EA27000-memory.dmp family_cryptbot behavioral6/memory/1804-269-0x00007FF62E350000-0x00007FF62EA27000-memory.dmp family_cryptbot behavioral6/memory/1804-272-0x00007FF62E350000-0x00007FF62EA27000-memory.dmp family_cryptbot behavioral6/memory/1804-279-0x00007FF62E350000-0x00007FF62EA27000-memory.dmp family_cryptbot behavioral6/memory/1804-281-0x00007FF62E350000-0x00007FF62EA27000-memory.dmp family_cryptbot behavioral6/memory/1804-283-0x00007FF62E350000-0x00007FF62EA27000-memory.dmp family_cryptbot behavioral6/memory/1804-287-0x00007FF62E350000-0x00007FF62EA27000-memory.dmp family_cryptbot behavioral6/memory/1804-289-0x00007FF62E350000-0x00007FF62EA27000-memory.dmp family_cryptbot -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, a web browser credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe -
Blocklisted process makes network request 2 IoCs
flow pid Process 10 2096 WScript.exe 12 2096 WScript.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ugtwqmfkf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ugtwqmfkf.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Control Panel\International\Geo\Nation b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe Key value queried \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 1804 ugtwqmfkf.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Software\Wine b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow ioc 10 iplogger.org 29 bitbucket.org 30 bitbucket.org 9 iplogger.org -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 27 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3636 b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ugtwqmfkf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ugtwqmfkf.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3636 b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe 3636 b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1804 ugtwqmfkf.exe 1804 ugtwqmfkf.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 3636 wrote to memory of 3712 3636 b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe 85 PID 3636 wrote to memory of 3712 3636 b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe 85 PID 3636 wrote to memory of 3712 3636 b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe 85 PID 3712 wrote to memory of 2096 3712 cmd.exe 87 PID 3712 wrote to memory of 2096 3712 cmd.exe 87 PID 3712 wrote to memory of 2096 3712 cmd.exe 87 PID 3636 wrote to memory of 4756 3636 b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe 88 PID 3636 wrote to memory of 4756 3636 b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe 88 PID 3636 wrote to memory of 4756 3636 b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe 88 PID 4756 wrote to memory of 1804 4756 cmd.exe 90 PID 4756 wrote to memory of 1804 4756 cmd.exe 90 PID 3636 wrote to memory of 3628 3636 b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe 94 PID 3636 wrote to memory of 3628 3636 b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe 94 PID 3636 wrote to memory of 3628 3636 b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe — command line: "C:\Users\Admin\AppData\Local\Temp\b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe" (level 1)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\SysWOW64\cmd.exe — command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\qmxvulwt.vbs" (level 2)
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\WScript.exe — command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qmxvulwt.vbs" (level 3)
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
PID:2096
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ugtwqmfkf.exe" (level 2)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\ugtwqmfkf.exe — command line: "C:\Users\Admin\AppData\Local\Temp\ugtwqmfkf.exe" (level 3)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:1804
-
-
-
C:\Windows\SysWOW64\cmd.exe — command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\okdllbsejnxg.exe" (level 2)
- System Location Discovery: System Language Discovery
PID:3628
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores (1)
Credentials from Web Browsers (1)
Unsecured Credentials (2)
Credentials In Files (2)
Downloads
-
Filesize
40KB
MD5f45625892a1222d1372678bfb5f4ea7b
SHA11efc46289fe7ea1ff2970195140507cb77ad3311
SHA2568edb52e162ff8f37e8bf2191b393b3b4a6c88bac9ee1701a1d98a0b896ffcbce
SHA512232418da4e01dcacc2ca8e7c637f38d3e248ed247a284c931dca0cde34de8c4719e8a84a541bf91661bf65d188fae7279b43c486415c08f90668e7f2ed768570
-
Filesize
40KB
MD5ffa791f78c7f20ae3252d227384d5e1e
SHA134b547f6cd001574bd66d1820b80cfbfa7fa8422
SHA2568c9fe9eb9bb3d17715d1540cd1f7bc1abdadead5e6f90bacb4d21b6ce34b4131
SHA5123ee1c8afac783b4ebd3dfa91ed13b23ea095f3ee8e1fccb5b0f47630cae4e5f8b693de3ec919e3ec6b0ca58cb458ea17f816944472d0a7151920d72038c0e352
-
Filesize
7KB
MD5b39c2749dae15bca315003ffa1b61101
SHA10bc6078934ca8571f2c4c4ea57bdde1e24b40fd2
SHA256a1b43837005f9c3d3fff28c1554e5dd17509352b987633a8dfecaa0360cf9c37
SHA5126f1bbbae84842351088785c16581e55e0f1de3c01640f7d8aa22cada165d150df7418f42decf049c50251ba4b0a176662dd3e2effe0d6ae16249e281bcd14d37
-
Filesize
46KB
MD515370cfb0f78074bd0fc11ee31e7df85
SHA180b7981e1166ea0a02d18c51ff14b81a996a1ce7
SHA256b5475d6f2615472f21248900bef2bfd9af35ffbd17cb2b4042def382df5e877d
SHA51243e560ac5016f171eacc799450d6ea93663914028a9a5aa7c4421c83d8d6d55b945ac266410f84f1077937e36731f41b00bb01478b540a7705f4fccf0a4c8c45
-
Filesize
672B
MD523848003a577abeb3d91f356e632bfea
SHA105bd8eb46860b8bd8abc1a3fe980cd20ebbd1fb1
SHA256b615bce606c8495b1bf61758f0892eda223a3d8ab4d9688cedce5b02ce2b0d80
SHA512c4a2e016a43e44dbf4633c6a9a5fc2c0637a2eedd3359be0baaf77f7726ba7c330afb914b5ab541e7c0c3aa396d238ef9999b0aaa1f49498e67fca2e2d7454c4
-
Filesize
4KB
MD55d3fd2a084a21ffffb7a727c3415a1fe
SHA12308ef915717a27c3a057dd929737c238ff41ef8
SHA256d34aca5f8317ca47a64f09bc039fd8d0bcc8742c57fc69eac1416e45961a45bb
SHA512686a3f4f542d1fbdbcff424ba768587f07322f5e24ebe866e8de88c83b6598bee9b3f221349f74676bc7d42013f51990d3e54e617f35570e67f43ccd355575fa
-
Filesize
145B
MD5184f7d1445a59ca56f2d32be1b43d509
SHA176f715ead42d9a1da91c72816856e1d024f6f783
SHA256ba196708d81cb597298c7d326f7c2228ac6acc07ccb1b44b46b8bf2cdc0cdb8c
SHA51213b3c998749332d553ccff3f12009fb4c298a7538c5cecc0c5ee595db84ac6da4978a06b76bf399606fdcba9044451fe942d52eaa44009ea625ce0d851883bec
-
Filesize
2.7MB
MD564d3edf1a6cd37e9e2193c0e1fc50220
SHA19e5863b0e717030db247fa3ff6dead07710d5ab5
SHA256b56d450c7ccbccb915ca8006bfc0fc41037cd850dd799c77275eab397ef61772
SHA5120ff5c9fef715ba203de9c239d53e99baff932e35a03b94f21369410d425f4deed0c4a7f17f6d483ffaee2acf706c031cca62b0f86f31d94c6bf704d996f68abb