Analysis Overview
SHA256
6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f
Threat Level: Known bad
The file 6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f was found to be: Known bad.
Malicious Activity Summary
Cycbot
Cycbot family
Detects Cycbot payload
Reads user/profile data of web browsers
Adds Run key to start application
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 22:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 22:58
Reported
2024-11-13 23:01
Platform
win7-20240903-en
Max time kernel
140s
Max time network
119s
Command Line
Signatures
Cycbot
Cycbot family
Detects Cycbot payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe" | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe
"C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe"
C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe
C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe
C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | psfk.com | udp |
| DE | 35.158.87.123:80 | psfk.com | tcp |
| US | 8.8.8.8:53 | zonedg.com | udp |
| US | 8.8.8.8:53 | zonedg.com | udp |
| US | 8.8.8.8:53 | separatemilkandtee.com | udp |
| US | 8.8.8.8:53 | zonedg.com | udp |
| US | 8.8.8.8:53 | zonedg.com | udp |
| US | 170.178.183.18:80 | zonedg.com | tcp |
| US | 170.178.183.18:80 | zonedg.com | tcp |
| US | 170.178.183.18:80 | zonedg.com | tcp |
| US | 70.32.1.32:80 | zonedg.com | tcp |
| US | 70.32.1.32:80 | zonedg.com | tcp |
| US | 70.32.1.32:80 | zonedg.com | tcp |
| US | 8.8.8.8:53 | highspeeddbsearch.com | udp |
| US | 70.32.1.32:80 | zonedg.com | tcp |
| US | 70.32.1.32:80 | zonedg.com | tcp |
| US | 70.32.1.32:80 | zonedg.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.201.100:80 | www.google.com | tcp |
| US | 70.32.1.32:80 | zonedg.com | tcp |
| GB | 216.58.201.100:80 | www.google.com | tcp |
| GB | 216.58.201.100:80 | www.google.com | tcp |
| N/A | 127.0.0.1:56404 | N/A | tcp |
| N/A | 127.0.0.1:56404 | N/A | tcp |
Files
memory/796-1-0x0000000000400000-0x0000000000445000-memory.dmp
memory/2452-9-0x000000000058B000-0x00000000005A5000-memory.dmp
memory/2452-8-0x0000000000400000-0x0000000000445000-memory.dmp
memory/796-14-0x0000000000400000-0x0000000000445000-memory.dmp
C:\Users\Admin\AppData\Roaming\7D3A.3BB
| MD5 | 738de9588f5ed21fc990279798686ba6 |
| SHA1 | ca8704a6582d41163f81463b189f942231546d1a |
| SHA256 | 8ffa5da3569c06e5882446afe53d20a83c98cef2472d1ee03bcc4b83c1471e05 |
| SHA512 | 01d3fdaf468603721de3ed11f5cda9a0aaa10428cdc06454251bf228705ef5885a805d14003169d6f59b485189f722c93189c2b2a2b63c4e55b1ddf93d1ee35e |
C:\Users\Admin\AppData\Roaming\7D3A.3BB
| MD5 | db6fb048c1f245d107142333cbf461f8 |
| SHA1 | 0d39bc4df9f4d7be8c11721c89c9837a7355c7f4 |
| SHA256 | bf547bf93c690dd65264eb1eb7b78e1e2226df6b81689b9042f1a82bfb28c085 |
| SHA512 | 71951092548a6ca52f42dbbcb38d3027f2e8321040b95335f9c227bc4f9db48a59e1c8433cf1ffd310e0ad409696443cc226d6c6c827a6d5a327d27028166a53 |
memory/3020-84-0x0000000000400000-0x0000000000445000-memory.dmp
memory/3020-83-0x0000000000400000-0x0000000000445000-memory.dmp
memory/3020-85-0x0000000000400000-0x0000000000445000-memory.dmp
memory/796-152-0x0000000000400000-0x0000000000445000-memory.dmp
C:\Users\Admin\AppData\Roaming\7D3A.3BB
| MD5 | 0ca390a8a1aacd6accfe0fcde8bc737c |
| SHA1 | 9f06e662eae14bae96e5bc8a82ae72d04ff869c7 |
| SHA256 | 21a9c9c846dc2c29bde19410fc190d0834f2c546614c31da22d4a2b07037e5fd |
| SHA512 | 5c6852c66553b7f0ca0b0092b9207e99e0534a456e6a6d4f4cdf9e0d55095b070c2f43349f5a79d88278fbd5a4f93cc58e2a7751938d296d09b3df7311efca96 |
memory/796-191-0x0000000000400000-0x0000000000445000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 22:58
Reported
2024-11-13 23:01
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
139s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe
"C:\Users\Admin\AppData\Local\Temp\6a7c6aad7b391cd371535dd4f92c883308c6e383dacae2f24e975977bf53759f.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3144 -ip 3144
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 564
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |