Analysis Overview
SHA256
2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca
Threat Level: Known bad
The file 2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe was found to be: Known bad.
Malicious Activity Summary
Cycbot
Detects Cycbot payload
Cycbot family
Reads user/profile data of web browsers
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-22 18:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-22 18:32
Reported
2024-11-22 18:35
Platform
win7-20240903-en
Max time kernel
140s
Max time network
119s
Command Line
Signatures
Cycbot
Cycbot family
Detects Cycbot payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
"C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe"
C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 4videosoft.com | udp |
| US | 169.47.106.186:80 | 4videosoft.com | tcp |
| US | 8.8.8.8:53 | zonetf.com | udp |
| US | 76.223.54.146:80 | zonetf.com | tcp |
| US | 8.8.8.8:53 | zonere.com | udp |
| US | 8.8.8.8:53 | zonetk.com | udp |
| US | 76.223.54.146:80 | zonetf.com | tcp |
| US | 76.223.54.146:80 | zonetf.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | offlineservermonitoring.com | udp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| N/A | 127.0.0.1:54202 | N/A | tcp |
| N/A | 127.0.0.1:54202 | N/A | tcp |
Files
memory/1968-1-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1968-2-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1552-9-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1552-7-0x0000000000400000-0x0000000000447000-memory.dmp
memory/1552-6-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Users\Admin\AppData\Roaming\B6C6.D8A
| Hash | Value |
|---|---|
| MD5 | faac2c355f51ac61da6b08f6b38fd21a |
| SHA1 | 3b8461cf0fdb562bdd6272741dce3b0aa6d37c34 |
| SHA256 | 09ccc6c86e7724a252aa4172060aabef5f6381a8a5c4b076ba8d0d89aefa2150 |
| SHA512 | 38e156a846238b1dbd4060ad3e7c2b94149a58bf1af63a75482a106647462384643429b0b3eb505b40dd4bf1bf38df5205a690f4a74bafb1a207e90c72d05bab |
memory/1968-19-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Users\Admin\AppData\Roaming\B6C6.D8A
| Hash | Value |
|---|---|
| MD5 | 36cae70dfcb8a1f06e8cf5a3df5603af |
| SHA1 | c7ad1c43a116ebb620e51c6680c286ee82781481 |
| SHA256 | 0185eabb4117125be023b549b04340f84cfcc988d6f4d8665225ee855bdb7483 |
| SHA512 | c91c66ee17ee46ee5d39b76ff52bf1c46c4774d26818f88239a3fd51a2c3a78fbd22d3c88bdf29de89b788b6714da200a94a7590084185126eb71bcf6086b84a |
memory/1728-81-0x0000000000400000-0x0000000000447000-memory.dmp
C:\Users\Admin\AppData\Roaming\B6C6.D8A
| Hash | Value |
|---|---|
| MD5 | e67c0849bb5750a1f9ff840cf7dbc553 |
| SHA1 | 1045cd041dd4aa3fddec7368ca0c460d816dd36d |
| SHA256 | ff9490debd76a054cefd498df3209590089f77242d6a416e3015b8f00d6bd7f8 |
| SHA512 | d111a0dc0871132539a93e77f4346f050f8dd1f0cd88636307e3b2c4d2d696f08bb7871b7176e5dc75a3e997d8c53bbcc230219747d43a2395ee12ad00c130f2 |
C:\Users\Admin\AppData\Roaming\B6C6.D8A
| Hash | Value |
|---|---|
| MD5 | 896e1954c3ca786af954745a7502c716 |
| SHA1 | 1c1d02dc04eb6cfecc6f5e3a7c284b512fcbc7bf |
| SHA256 | 9fe04f31bde9b0dba2d72a0de1f8e108c1e0ec2d1f9c575b7a71c62e4dc71593 |
| SHA512 | 2e34eeb38abe1175baba95de18081e7773563ca2035f674c71b58b4f7d61332b3c8311c95cb7da1a50bbcb0a60aa3ea35f98314334712ac6d74ea8145858e6aa |
memory/1968-183-0x0000000000400000-0x0000000000447000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-22 18:32
Reported
2024-11-22 18:35
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
144s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe
"C:\Users\Admin\AppData\Local\Temp\2c629d62fea650848c4009cafff91e33b1047181611364eeeee56430620af7ca.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2668 -ip 2668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 332
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |