Malware Analysis Report

2024-12-07 03:13

Sample ID 241122-w6tvfswkfw
Target 2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
SHA256 2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca
Tags
cycbot backdoor discovery rat spyware stealer upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe was found to be: Known bad.

Malicious Activity Summary

Cycbot

Detects Cycbot payload

Cycbot family

Reads user/profile data of web browsers

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-11-22 18:32

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-22 18:32

Reported

2024-11-22 18:35

Platform

win7-20240903-en

Max time kernel

140s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe"

Signatures

Cycbot

backdoor rat cycbot

Cycbot family

cycbot

Detects Cycbot payload

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
PID 1968 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
PID 1968 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
PID 1968 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
PID 1968 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
PID 1968 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
PID 1968 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
PID 1968 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe

"C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe"

C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe

C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft

C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe

C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming

Network

Country Destination Domain Proto
US 8.8.8.8:53 4videosoft.com udp
US 169.47.106.186:80 4videosoft.com tcp
US 8.8.8.8:53 zonetf.com udp
US 76.223.54.146:80 zonetf.com tcp
US 8.8.8.8:53 zonere.com udp
US 8.8.8.8:53 zonetk.com udp
US 76.223.54.146:80 zonetf.com tcp
US 76.223.54.146:80 zonetf.com tcp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:80 www.google.com tcp
US 8.8.8.8:53 offlineservermonitoring.com udp
GB 172.217.16.228:80 www.google.com tcp
GB 172.217.16.228:80 www.google.com tcp
N/A 127.0.0.1:54202 tcp
N/A 127.0.0.1:54202 tcp

Files

memory/1968-1-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1968-2-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1552-9-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1552-7-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1552-6-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Users\Admin\AppData\Roaming\B6C6.D8A

MD5 faac2c355f51ac61da6b08f6b38fd21a
SHA1 3b8461cf0fdb562bdd6272741dce3b0aa6d37c34
SHA256 09ccc6c86e7724a252aa4172060aabef5f6381a8a5c4b076ba8d0d89aefa2150
SHA512 38e156a846238b1dbd4060ad3e7c2b94149a58bf1af63a75482a106647462384643429b0b3eb505b40dd4bf1bf38df5205a690f4a74bafb1a207e90c72d05bab

memory/1968-19-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Users\Admin\AppData\Roaming\B6C6.D8A

MD5 36cae70dfcb8a1f06e8cf5a3df5603af
SHA1 c7ad1c43a116ebb620e51c6680c286ee82781481
SHA256 0185eabb4117125be023b549b04340f84cfcc988d6f4d8665225ee855bdb7483
SHA512 c91c66ee17ee46ee5d39b76ff52bf1c46c4774d26818f88239a3fd51a2c3a78fbd22d3c88bdf29de89b788b6714da200a94a7590084185126eb71bcf6086b84a

memory/1728-81-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Users\Admin\AppData\Roaming\B6C6.D8A

MD5 e67c0849bb5750a1f9ff840cf7dbc553
SHA1 1045cd041dd4aa3fddec7368ca0c460d816dd36d
SHA256 ff9490debd76a054cefd498df3209590089f77242d6a416e3015b8f00d6bd7f8
SHA512 d111a0dc0871132539a93e77f4346f050f8dd1f0cd88636307e3b2c4d2d696f08bb7871b7176e5dc75a3e997d8c53bbcc230219747d43a2395ee12ad00c130f2

C:\Users\Admin\AppData\Roaming\B6C6.D8A

MD5 896e1954c3ca786af954745a7502c716
SHA1 1c1d02dc04eb6cfecc6f5e3a7c284b512fcbc7bf
SHA256 9fe04f31bde9b0dba2d72a0de1f8e108c1e0ec2d1f9c575b7a71c62e4dc71593
SHA512 2e34eeb38abe1175baba95de18081e7773563ca2035f674c71b58b4f7d61332b3c8311c95cb7da1a50bbcb0a60aa3ea35f98314334712ac6d74ea8145858e6aa

memory/1968-183-0x0000000000400000-0x0000000000447000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-22 18:32

Reported

2024-11-22 18:35

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe

"C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2668 -ip 2668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 332

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A