Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-12-2024 14:08
Behavioral task
- behavioral1
- Sample: 3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe
- Resource: win7-20241010-en
General
- Target: 3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe
- Size: 2.5MB
- MD5: 71af238fbf3c5a3a2c2c3594f1ba8a32
- SHA1: b9f49782704b14572985ca13b10842d3aa836ad0
- SHA256: 3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8
- SHA512: fb12811297a22a71ead742dcde54357cf712c04ad690ed6103287f903592999fcde804357488e062fb8783a24394cc0ff23fa1ffbb9d15941e38873a75f59d7f
- SSDEEP: 49152:CfOvZRdfTgXdzaoRCK5btOmZy7pbHjaONrPIZ:CfWG+/abzZy7dHjaOaZ
Malware Config
Extracted
- Family: cryptbot
- kotehj62.top
- payload_url: http://okadoc09.top/download.php?file=makeyr.exe
Signatures
- Cryptbot family
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: 3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe)
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule matches (resource: yara_rule)
  behavioral2/memory/3508-0-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
  behavioral2/memory/3508-2-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
  behavioral2/memory/3508-3-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
  behavioral2/memory/3508-5-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
  behavioral2/memory/3508-4-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
  behavioral2/memory/3508-131-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
  behavioral2/memory/3508-132-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
  behavioral2/memory/3508-135-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
  behavioral2/memory/3508-139-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
  behavioral2/memory/3508-141-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
  behavioral2/memory/3508-145-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
  behavioral2/memory/3508-148-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
  behavioral2/memory/3508-151-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
  behavioral2/memory/3508-154-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
  behavioral2/memory/3508-158-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
  behavioral2/memory/3508-160-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
  behavioral2/memory/3508-163-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
  behavioral2/memory/3508-166-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
  behavioral2/memory/3508-169-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
  behavioral2/memory/3508-172-0x0000000000E50000-0x00000000014E2000-memory.dmp: themida
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  PID 3508: 3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: 3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: 3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3508: 3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe
  PID 3508: 3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe
Processes
- "C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe" (PID: 3508)
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads
- Filesize: 57KB
  MD5: 3d1ecb7f0f4a949a3c7ce386f58f0d71
  SHA1: 26b5f5a7d1fe26c6d25c0e5b56d56ed2e288eb93
  SHA256: a0624683895229ea3348c09e495e0948cdf98c7d703dc55018ee2320afb32d1c
  SHA512: 5f4ce3ac88248c29fc1469c21b09f1d9de27753cceea8b82b1e5511542e263c35b9dadf5030798741b6a5d8c89120d27d6c5baf4de2bfa9bbc81ca09b9c5e4d7
- Filesize: 1KB
  MD5: 2edd8fcf663e4b65d3fee2a0c6d9485f
  SHA1: bbdebf462176f2307af3b954513e432de6dd81f8
  SHA256: e3676d2a895eb48546b1501b962717898d09683307b1d883b372fbd666828bf4
  SHA512: 5d7a0185414ab2be328c5238d55d5d857459548db90da3bd693112f24c2347a5912d944af1d0771b26c1992756667ba6f9bdec7bc96d4b2bb062a3650b13f873
- Filesize: 7KB
  MD5: f92d84404da905f79a9a711f1bbbe0bf
  SHA1: b64309f96dce6bcbd1d465de26612c410583ca72
  SHA256: f20f4278cb0772ef5b4038e28bcf4fa0a57fb94fd87c1e6e89b7fc39a9ef8062
  SHA512: 218e54e336a34fbdaf169ce746eab8607789d82a967a8e91c2499a523c076ea8dcbcb5c87661d21f066313df5a8632258b50dec3d6392751a3847281ccd0292a
- Filesize: 54KB
  MD5: 0ee966bd72f0ee37d9f07ba57c8b03cb
  SHA1: a58fbf4bd4595e431671ec34ec639d0f090a206c
  SHA256: d5153fba3c1f82e3a88c6d5232e98fad1e92c770225b98e058eb4c922704786c
  SHA512: dc87e3f49b0a64ae33f451d6c9789f3897352aafa60dc7d702b9370d28e53de8385a3db0957479bbdcef4cbc096cfbab9e412b490754e54b2138b8755078e317