Analysis

  • max time kernel: 120s
  • max time network: 125s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 04-10-2024 07:07

General

  • Target: bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe
  • Size: 9.2MB
  • MD5: d511554c3e89879625547bfe436cbf80
  • SHA1: df37505e4f1bc919432b5a80c1f5d32484438ce8
  • SHA256: bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8
  • SHA512: 360b811f826e6d695d7f1659503b33db92b8c43001f05666b2820c587a95f62e079c0ddb3b23d0159767a29835da6386c882e5383a88629fe562d251df9bdcd9
  • SSDEEP: 196608:lQKdvgDDwRB/rYSExCaWeQx12c00AL3MBEre9s4mEqaB2R5oBPLm8eiveeeI/:JVSDwRZYSExCaxk2rgR9saZk5CPSivem

Malware Config

Extracted

  • Family: cryptbot
  • C2:
    • forcj4vs.top
    • analforeverlovyu.top
  • Attributes:
    • url_path: /v1/upload.php

Signatures

  • CryptBot

    CryptBot is a C++ stealer that is widely distributed bundled with other software.

  • Possible privilege escalation attempt (4 IoCs)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (8 IoCs)
  • Modifies file permissions (1 TTPs, 4 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  • UPX packed file (5 IoCs)

    Detects executables packed with the UPX or a modified UPX open source packer.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 18 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe
    "C:\Users\Admin\AppData\Local\Temp\bdbc46f258f283a8b86c94a0f2c9b66c2ff4a35605b836034b27671b4c5974e8N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Users\Admin\AppData\Local\Temp\PDloewpjkG.exe
      "C:\Users\Admin\AppData\Local\Temp\PDloewpjkG.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2968
    • C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Users\Admin\AppData\Local\Temp\Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1176
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c takeown /f C:\ldrscan\bootwin
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2096
            • C:\Windows\SysWOW64\takeown.exe
              takeown /f C:\ldrscan\bootwin
              6⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1780
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2480
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • System Location Discovery: System Language Discovery
            PID:2452
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2208
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c takeown /f C:\ldrscan\bootwin
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:960
            • C:\Windows\SysWOW64\takeown.exe
              takeown /f C:\ldrscan\bootwin
              6⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1436
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2124
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • System Location Discovery: System Language Discovery
            PID:1996
        • C:\Windows\system32\cmd.exe
          cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2520
          • C:\Windows\System32\cscript.exe
            C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
            5⤵
            PID:2144
        • C:\Windows\system32\cmd.exe
          cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
          4⤵
          PID:2320
          • C:\Windows\System32\cscript.exe
            C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
            5⤵
            PID:1472
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /A /C "compact /u \\?\Volume{fc914843-69ed-11ef-8ad4-806e6f6e6963}\MFNDZ"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1952
          • C:\Windows\SysWOW64\compact.exe
            compact /u \\?\Volume{fc914843-69ed-11ef-8ad4-806e6f6e6963}\MFNDZ
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2344
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1184
          • C:\bootsect.exe
            C:\bootsect.exe /nt60 SYS /force
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1372

Network

MITRE ATT&CK Enterprise v15
Downloads

  • C:\Acer.XRM-MS
    Filesize: 2KB
    MD5: f25832af6a684360950dbb15589de34a
    SHA1: 17ff1d21005c1695ae3dcbdc3435017c895fff5d
    SHA256: 266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f
    SHA512: e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

  • C:\bootsect.exe
    Filesize: 95KB
    MD5: 1a6a3e90d931f7902ee475c8607a3f84
    SHA1: 31cd3a9f9e3168964595267bedf448cd21215e54
    SHA256: f3987092a7b67bfdb9d3679ae0894bae611fbabe51f5bb98d37589d10345cbed
    SHA512: c04188566f85d4df39f22ec578c658bd5572567004c2f9e6a67d5aeef3011d6b84ffc86c746cc3a32a91d722b7288ca3d869dfbc746a5cdf3d4c417f8fe8ad2d

  • \??\Volume{fc914843-69ed-11ef-8ad4-806e6f6e6963}\MFNDZ
    Filesize: 431KB
    MD5: eee8b35f215b21b278d68f4125ae9b79
    SHA1: 54ccb030eb908819e7bfc9e5d2cb39351ded0fe2
    SHA256: 9d8bdec22f9447e9f898d2fc46b1680e27e5d9b1b2c7f8e4361c1a2fddfe6e66
    SHA512: a4a4384775b01d21ba264e5e691c563821687e263384a51d57a76228fbac95fe8163d487b8343c5f743ee0f7709b1684c97f12f3733225d640d3bd0f66ae4d11

  • \Users\Admin\AppData\Local\Temp\PDloewpjkG.exe
    Filesize: 6.3MB
    MD5: 5d6a303668e616ff81485949f18515b3
    SHA1: fc7ca4ae06279a78d0e0fcbf7f3a874ff8230cfe
    SHA256: d48ac7a7f98179c41d161ab90c08fac46fac8680e10b6f8fa605d5b029839d01
    SHA512: 49b86188cd9847afb9230cf59e1d29069b37bcaf178d50fb78d64dfe918ec523e140f1ee12f790d1daaa11c1e198f8744b3117683f7c91d637c91c6779a63fd3

  • \Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize: 3.8MB
    MD5: 323c0fd51071400b51eedb1be90a8188
    SHA1: 0efc35935957c25193bbe9a83ab6caa25a487ada
    SHA256: 2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94
    SHA512: 4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e

  • memory/1452-32-0x0000000000D60000-0x000000000169F000-memory.dmp
    Filesize: 9.2MB

  • memory/2244-41-0x0000000000030000-0x0000000000031000-memory.dmp
    Filesize: 4KB

  • memory/2244-39-0x0000000000030000-0x0000000000031000-memory.dmp
    Filesize: 4KB

  • memory/2244-43-0x0000000000030000-0x0000000000031000-memory.dmp
    Filesize: 4KB

  • memory/2244-45-0x00000000010D0000-0x00000000020D0000-memory.dmp
    Filesize: 16.0MB

  • memory/2244-120-0x00000000180A0000-0x00000000182C3000-memory.dmp
    Filesize: 2.1MB

  • memory/2244-51-0x00000000180A0000-0x00000000182C3000-memory.dmp
    Filesize: 2.1MB

  • memory/2244-34-0x0000000000020000-0x0000000000021000-memory.dmp
    Filesize: 4KB

  • memory/2244-36-0x0000000000020000-0x0000000000021000-memory.dmp
    Filesize: 4KB

  • memory/2244-38-0x0000000000020000-0x0000000000021000-memory.dmp
    Filesize: 4KB

  • memory/2712-55-0x0000000000400000-0x0000000000623000-memory.dmp
    Filesize: 2.1MB

  • memory/2712-85-0x00000000020D0000-0x00000000020E1000-memory.dmp
    Filesize: 68KB

  • memory/2712-77-0x0000000010000000-0x0000000010021000-memory.dmp
    Filesize: 132KB

  • memory/2712-69-0x00000000020B0000-0x00000000020C2000-memory.dmp
    Filesize: 72KB

  • memory/2712-64-0x00000000020A0000-0x00000000020B0000-memory.dmp
    Filesize: 64KB

  • memory/2712-93-0x00000000020F0000-0x0000000002100000-memory.dmp
    Filesize: 64KB

  • memory/2712-124-0x0000000000400000-0x0000000000623000-memory.dmp
    Filesize: 2.1MB

  • memory/2712-101-0x0000000002100000-0x0000000002110000-memory.dmp
    Filesize: 64KB

  • memory/2712-56-0x0000000000A80000-0x0000000000A93000-memory.dmp
    Filesize: 76KB

  • memory/2712-142-0x0000000000400000-0x0000000000623000-memory.dmp
    Filesize: 2.1MB

  • memory/2968-33-0x0000000000400000-0x0000000001065000-memory.dmp
    Filesize: 12.4MB