Analysis Overview
SHA256
6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0e
Threat Level: Known bad
The file 6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0eN was found to be: Known bad.
Malicious Activity Summary
Cycbot family
Cycbot
Detects Cycbot payload
Modifies WinLogon for persistence
Reads user/profile data of web browsers
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 00:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 00:29
Reported
2024-11-08 00:31
Platform
win7-20240903-en
Max time kernel
110s
Max time network
61s
Command Line
Signatures
Cycbot
Cycbot family
Detects Cycbot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\7EA2A\\ACAEA.exe" | C:\Users\Admin\AppData\Local\Temp\6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0eN.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0eN.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0eN.exe
"C:\Users\Admin\AppData\Local\Temp\6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0eN.exe"
C:\Users\Admin\AppData\Local\Temp\6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0eN.exe
C:\Users\Admin\AppData\Local\Temp\6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0eN.exe startC:\Program Files (x86)\LP\EA37\F8C.exe%C:\Program Files (x86)\LP\EA37
C:\Users\Admin\AppData\Local\Temp\6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0eN.exe
C:\Users\Admin\AppData\Local\Temp\6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0eN.exe startC:\Program Files (x86)\2AB67\lvvm.exe%C:\Program Files (x86)\2AB67
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | armoredlegion.com | udp |
| US | 8.8.8.8:53 | namestoreforyou.com | udp |
| US | 8.8.8.8:53 | nodatatransferhere.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | transfersakk.com | udp |
| GB | 142.250.180.4:80 | www.google.com | tcp |
| N/A | 127.0.0.1:62747 | N/A | tcp |
Files
memory/2408-1-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2408-2-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2508-12-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2508-13-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2508-15-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2508-11-0x00000000021D0000-0x00000000022D0000-memory.dmp
memory/2408-16-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2408-17-0x0000000000400000-0x0000000000491000-memory.dmp
C:\Users\Admin\AppData\Roaming\7EA2A\AB67.EA2
| MD5 | d93a8e6740d979d5dda3ef7f8d6e371b |
| SHA1 | 2c022456eb40656a04b557b5851c819d4785bdbb |
| SHA256 | e34a5317fbd98a9c3b454b4ae0a1cc8e595ab4e6611b594122e715b1e073d4be |
| SHA512 | 6ba0354c45e075a10f6dc7a584d9ce209536b74de1dc80534e836050dcd27e7e4778f53be495cb77df70e0623dca73d139d5408012e57a075236dc8311ccc68a |
memory/2408-78-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2292-81-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2292-80-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2292-82-0x0000000000400000-0x0000000000491000-memory.dmp
C:\Users\Admin\AppData\Roaming\7EA2A\AB67.EA2
| MD5 | d97e8b479b8223ec13919d8be83e3877 |
| SHA1 | 180e2f65acace10657931eaeacbefc365e017cd8 |
| SHA256 | 17a4a2dbdf40a8285f9751da5201fe7bee742f71b0f7f1591c3da6e8062d6c7e |
| SHA512 | 095b87db21fa7b264df631fad0d8de668a0acc8ee86ecd02fec4eb194b4be6d5844780d0a551a8114bc939da56a922e541a7e7cd52711f202ebf5e69f5e9b758 |
C:\Users\Admin\AppData\Roaming\7EA2A\AB67.EA2
| MD5 | d6c34b2700befb8d03769d1a58eaa626 |
| SHA1 | 89dcbec5203575c5369c249392fe6e8d70b2f658 |
| SHA256 | 90feeb603fa25f92742ffb9b01553e1c6416b198624c3926b88779fdef2f9580 |
| SHA512 | 16af3f792afe88a4f6e0503a906fb8a75b0cb0c89dd9f657d6f86cdb539522e356ed4e53244337583883fc1e1ac4767da375b3c275f884cb7eee59ac5ad942bd |
memory/2408-175-0x0000000000400000-0x0000000000491000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 00:29
Reported
2024-11-08 00:31
Platform
win10v2004-20241007-en
Max time kernel
110s
Max time network
97s
Command Line
Signatures
Cycbot
Cycbot family
Detects Cycbot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\8D525\\71DA0.exe" | C:\Users\Admin\AppData\Local\Temp\6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0eN.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0eN.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0eN.exe
"C:\Users\Admin\AppData\Local\Temp\6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0eN.exe"
C:\Users\Admin\AppData\Local\Temp\6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0eN.exe
C:\Users\Admin\AppData\Local\Temp\6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0eN.exe startC:\Program Files (x86)\LP\A058\D7E.exe%C:\Program Files (x86)\LP\A058
C:\Users\Admin\AppData\Local\Temp\6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0eN.exe
C:\Users\Admin\AppData\Local\Temp\6cb546e19d1756da2fb7ec6f080693d3606d1b7ca1fff004a483353c81232e0eN.exe startC:\Program Files (x86)\25012\lvvm.exe%C:\Program Files (x86)\25012
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | battleon.com | udp |
| US | 172.67.68.171:80 | battleon.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.68.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freerapidstore.com | udp |
| US | 8.8.8.8:53 | freerapidstore.com | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| N/A | 127.0.0.1:51455 | N/A | tcp |
| US | 8.8.8.8:53 | freerapidstore.com | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:80 | www.google.com | tcp |
| N/A | 127.0.0.1:51455 | N/A | tcp |
| GB | 142.250.180.4:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 4.180.250.142.in-addr.arpa | udp |
| N/A | 127.0.0.1:51455 | N/A | tcp |
| N/A | 127.0.0.1:51455 | N/A | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/2888-1-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2888-2-0x0000000000400000-0x0000000000491000-memory.dmp
memory/1144-13-0x0000000000400000-0x0000000000491000-memory.dmp
memory/1144-12-0x0000000000400000-0x0000000000491000-memory.dmp
memory/1144-15-0x0000000000400000-0x0000000000491000-memory.dmp
memory/2888-16-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2888-17-0x0000000000400000-0x0000000000491000-memory.dmp
C:\Users\Admin\AppData\Roaming\8D525\5012.D52
| MD5 | 8c0937df1d361ced5702f35b72da1ca5 |
| SHA1 | dee5c01249c908dba6826883add31d41dfe27272 |
| SHA256 | 6b8081f2c589be5ec23f2dffedd4257d5c54a32d0d75fdbdbd8c64ac30f67278 |
| SHA512 | 895846da9174a69a610b65bd66551cffd8a96a248f4b55ac9c0a2ad99a428fe191229c33dbfbbc11d2c77262bb659a3160924d7954b8a6fb7f51fda49d02a7aa |
memory/2888-82-0x0000000000400000-0x0000000000491000-memory.dmp
memory/4256-85-0x0000000000400000-0x0000000000491000-memory.dmp
memory/4256-84-0x0000000000400000-0x0000000000491000-memory.dmp
memory/4256-87-0x0000000000400000-0x0000000000491000-memory.dmp
C:\Users\Admin\AppData\Roaming\8D525\5012.D52
| MD5 | 084334989ce86f57c6507ae33ae64f5e |
| SHA1 | d9b362a5729d4d34c3c62aba782d25d85d10fe1f |
| SHA256 | 6f20bb0178de423848d394a1bbd790bb460ff0b5805bfc18b2cf268a0360c3c3 |
| SHA512 | fdd2071adcaeaac811d768c14b6f8fc7b61d966569adc72091890548aafedce9ead273450d9ca092d394e2e04393852c968a25c6ffaf676d22b7c38a0cf84735 |
C:\Users\Admin\AppData\Roaming\8D525\5012.D52
| MD5 | 920053adc6c42456064869734d59ad7d |
| SHA1 | 004d970d7575b85c0fa84503c55ce23e58b8f61a |
| SHA256 | 709d6252afe5decbc98da901fd14ff3b18931bb86982ac72439e11fd65111838 |
| SHA512 | 108686bb2fa11adca7dd672d5491f18c3a7cb084361e40774173823309e3f346e26649f4adb4da55cfae56b2a23829aadd48d6245ba2aa06d68122e9023f5e0e |
memory/2888-194-0x0000000000400000-0x0000000000491000-memory.dmp