Analysis Overview
SHA256
11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6
Threat Level: Known bad
The file 11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6 was found to be: Known bad.
Malicious Activity Summary
Cycbot
Cycbot family
Detects Cycbot payload
Reads user/profile data of web browsers
Adds Run key to start application
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-22 19:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-22 19:48
Reported
2024-11-22 19:51
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
138s
Command Line
Signatures
Cycbot
Cycbot family
Detects Cycbot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe" | C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe
"C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe"
C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe
C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe
C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dynamicscriptinstaller.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bigcapitalsystems.com | udp |
| US | 8.8.8.8:53 | mobilesamsonline.com | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | myhomeblog4you.com | udp |
| N/A | 127.0.0.1:61111 | N/A | tcp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| N/A | 127.0.0.1:61111 | N/A | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| N/A | 127.0.0.1:61111 | N/A | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.16.217.172.in-addr.arpa | udp |
| N/A | 127.0.0.1:61111 | N/A | tcp |
| N/A | 127.0.0.1:61111 | N/A | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/960-1-0x0000000000400000-0x0000000000441000-memory.dmp
memory/960-2-0x0000000000400000-0x0000000000441000-memory.dmp
memory/748-12-0x0000000000400000-0x0000000000441000-memory.dmp
memory/748-13-0x0000000000400000-0x0000000000441000-memory.dmp
memory/960-14-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Users\Admin\AppData\Roaming\C906.C7A
| MD5 | d588d65511a1615d8e1c7848d4bd152e |
| SHA1 | 0649f765d79b8ac723b803ed931396952140d1fb |
| SHA256 | 6ce461f3bd832c399d7fde90d92d395f0d1ccaa446f18cc212f9f41a1a31931a |
| SHA512 | 06cb57e6e13cb816a600f1818f8b345f1cd09f6a334a437f2d9a41d46b4b7cbdc9943135503a74a4b00d492506f9661c9989baec5cc8f1697b0749cffb3273a4 |
memory/960-77-0x0000000000400000-0x0000000000441000-memory.dmp
memory/928-80-0x0000000000400000-0x0000000000441000-memory.dmp
memory/928-79-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Users\Admin\AppData\Roaming\C906.C7A
| MD5 | 9e879b794c1f6ed0ae16bc0526154346 |
| SHA1 | cccb9d16317093d209f7f67165626d7e224eb459 |
| SHA256 | cb52cf01728ecc8a4afee2bbcfd111b190caf3bcf32948ab1389edec48e722c4 |
| SHA512 | 4452d42d1f57a9379f18a9974a051be9c1938c5bc7341b9fbe39fb0025cd8d5c8a7a22d782ac78c7c4d7372b67fc98369778eb1cb23d58bce01d7c4214397fc1 |
C:\Users\Admin\AppData\Roaming\C906.C7A
| MD5 | 2712f6de9197dbea8423e5148df72d08 |
| SHA1 | faee491ba3c43a89c4c1bc61ecccaa1b40c75e5d |
| SHA256 | 3b99ee89077e14304d6222455facda18523e6c3659d9263e15d0e0a8cd01888b |
| SHA512 | 1e9bc65b6b8d3784d225f12a844b5541aa7f8b9a5c2e07275274ab375225c30066fb890b086ad6324a6f506b1622292c298d317b56fa0ace24e3cbd9c8b9ef31 |
memory/960-193-0x0000000000400000-0x0000000000441000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-22 19:48
Reported
2024-11-22 19:51
Platform
win7-20240903-en
Max time kernel
140s
Max time network
127s
Command Line
Signatures
Cycbot
Cycbot family
Detects Cycbot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe" | C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe
"C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe"
C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe
C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe
C:\Users\Admin\AppData\Local\Temp\11ca7a96499fe12ee8f37a896ba43052bcd936775be2475db4c80469e298a0f6.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | willsglaucoma.org | udp |
| US | 157.245.184.25:80 | willsglaucoma.org | tcp |
| US | 8.8.8.8:53 | bigcapitalsystems.com | udp |
| US | 8.8.8.8:53 | mobilesamsonline.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| N/A | 127.0.0.1:63151 | N/A | tcp |
| US | 8.8.8.8:53 | myhomeblog4you.com | udp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| GB | 172.217.16.228:80 | www.google.com | tcp |
| N/A | 127.0.0.1:63151 | N/A | tcp |
Files
memory/2572-2-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2572-1-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3028-10-0x00000000005DD000-0x00000000005F8000-memory.dmp
memory/3028-9-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3028-7-0x0000000000590000-0x0000000000690000-memory.dmp
memory/2572-15-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Users\Admin\AppData\Roaming\C1F2.A73
| MD5 | e4c5bdd510b98ca3f451ec28bdde3f54 |
| SHA1 | c088666d6f8bc0cf2bc2d2df03e809aaa7a06b1a |
| SHA256 | adb4b7f99b189f379bab1e48f720e6856348d878e0afaa15cc2d0ddd190de457 |
| SHA512 | 1700c2001f141971415251653fb49c09d57e730caea5b09490ddbb640cfccd3342b263fd1cfed72433c5aeb8bad43f3e2797d816617fe1cef7eafaf748935999 |
memory/2572-72-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2232-74-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2232-76-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Users\Admin\AppData\Roaming\C1F2.A73
| MD5 | 14451793e50fd7b3cd13e67cde438a27 |
| SHA1 | 2761dac695f0a0835d64b4e0b851cf2624bef2f8 |
| SHA256 | ed2116a35b72e222bb3e5b41b2d827aa3a2cd328e01bde8c8237f559ada9d586 |
| SHA512 | 3b1f3cbeb4be2b37c156f76ee2f9969b9959e1036a37193697ea9d81496aa3e3b1019afcda4bb02bf921280fac6c97e102d2ba488a60cacbb6ba9feef2b5b007 |
C:\Users\Admin\AppData\Roaming\C1F2.A73
| MD5 | 74ee61e703fd2afe8c128518817d7329 |
| SHA1 | a194d5c2e9284febb57b2bd31e96eb70851d47cb |
| SHA256 | 5bebb67e915b695d91648ed8b1e53117fca5ffb5aaa2bde9f6efc355719e9710 |
| SHA512 | df06a49807389809344a86eb3ba2e3762821ff7f5877d558ed3ca94f390d80af68fbd50088f905bc637d1934dc7bbc60b8bb6783d47033c94797a88f5ebceaf9 |
memory/2572-187-0x0000000000400000-0x0000000000441000-memory.dmp