Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26/11/2024, 22:25

Static task: static1
Behavioral task: behavioral1
Sample: 43d43cae0a7432a80a3ea1f12b6d134ee9814a46dbe8d5d7556f6d50f0a1506f.exe
Resource: win7-20240903-en
General

Target: 43d43cae0a7432a80a3ea1f12b6d134ee9814a46dbe8d5d7556f6d50f0a1506f.exe
Size: 4.0MB
MD5: d382233f2487e3a80ce6fe3947790698
SHA1: e0432fb62e612bfde6c4a177207c96e0f98a3036
SHA256: 43d43cae0a7432a80a3ea1f12b6d134ee9814a46dbe8d5d7556f6d50f0a1506f
SHA512: 26ef09c884d7e10d2acbc9c774d16cedad26e1f8e9c5a08b9f09b79baa001e06af7e4d28c87e0c4a091b936dea7ae482d2a730d72390f8b56dd8410929ef2c9a
SSDEEP: 98304:TOevFArh176FXP44VgUhkB6cIvQeKuYz5mh3J5:TdFAN1anFhk4yeKuYOJ5
Malware Config
Extracted
cryptbot
briybc32.top
Signatures

Cryptbot family

Deletes itself (1 IoCs)
pid   Process
1536  cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid   Process
2792  43d43cae0a7432a80a3ea1f12b6d134ee9814a46dbe8d5d7556f6d50f0a1506f.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                       Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  43d43cae0a7432a80a3ea1f12b6d134ee9814a46dbe8d5d7556f6d50f0a1506f.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                               Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      43d43cae0a7432a80a3ea1f12b6d134ee9814a46dbe8d5d7556f6d50f0a1506f.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  43d43cae0a7432a80a3ea1f12b6d134ee9814a46dbe8d5d7556f6d50f0a1506f.exe

Delays execution with timeout.exe (1 IoCs)
pid   Process
2632  timeout.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid   Process
2792  43d43cae0a7432a80a3ea1f12b6d134ee9814a46dbe8d5d7556f6d50f0a1506f.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid   Process                                                                  procid_target
PID 2792 wrote to memory of 1536   2792  43d43cae0a7432a80a3ea1f12b6d134ee9814a46dbe8d5d7556f6d50f0a1506f.exe  30
PID 2792 wrote to memory of 1536   2792  43d43cae0a7432a80a3ea1f12b6d134ee9814a46dbe8d5d7556f6d50f0a1506f.exe  30
PID 2792 wrote to memory of 1536   2792  43d43cae0a7432a80a3ea1f12b6d134ee9814a46dbe8d5d7556f6d50f0a1506f.exe  30
PID 2792 wrote to memory of 1536   2792  43d43cae0a7432a80a3ea1f12b6d134ee9814a46dbe8d5d7556f6d50f0a1506f.exe  30
PID 1536 wrote to memory of 2632   1536  cmd.exe                                                                  32
PID 1536 wrote to memory of 2632   1536  cmd.exe                                                                  32
PID 1536 wrote to memory of 2632   1536  cmd.exe                                                                  32
PID 1536 wrote to memory of 2632   1536  cmd.exe                                                                  32
Processes

Path: C:\Users\Admin\AppData\Local\Temp\43d43cae0a7432a80a3ea1f12b6d134ee9814a46dbe8d5d7556f6d50f0a1506f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\43d43cae0a7432a80a3ea1f12b6d134ee9814a46dbe8d5d7556f6d50f0a1506f.exe"
PID: 2792
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

    Path: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\YlrUTitt & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\43d43cae0a7432a80a3ea1f12b6d134ee9814a46dbe8d5d7556f6d50f0a1506f.exe"
    PID: 1536
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        Path: C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 4
        PID: 2632
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe