Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-12-2024 14:08

General

  • Target

    3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe

  • Size

    2.5MB

  • MD5

    71af238fbf3c5a3a2c2c3594f1ba8a32

  • SHA1

    b9f49782704b14572985ca13b10842d3aa836ad0

  • SHA256

    3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8

  • SHA512

    fb12811297a22a71ead742dcde54357cf712c04ad690ed6103287f903592999fcde804357488e062fb8783a24394cc0ff23fa1ffbb9d15941e38873a75f59d7f

  • SSDEEP

    49152:CfOvZRdfTgXdzaoRCK5btOmZy7pbHjaONrPIZ:CfWG+/abzZy7dHjaOaZ

Malware Config

Extracted

Family

cryptbot

C2

kotehj62.top

Attributes
  • payload_url

    http://okadoc09.top/download.php?file=makeyr.exe

Signatures

  • CryptBot

    CryptBot is a C++ stealer that is widely distributed bundled with other software.

  • Cryptbot family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 20 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe
    "C:\Users\Admin\AppData\Local\Temp\3c320ddeb57b9d6240cbaab26104e906dfa04a10115a773355a2157013e991a8.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:3508

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\jBZVkynNZIJt\EApCaMjIChbj.zip

    Filesize

    57KB

    MD5

    3d1ecb7f0f4a949a3c7ce386f58f0d71

    SHA1

    26b5f5a7d1fe26c6d25c0e5b56d56ed2e288eb93

    SHA256

    a0624683895229ea3348c09e495e0948cdf98c7d703dc55018ee2320afb32d1c

    SHA512

    5f4ce3ac88248c29fc1469c21b09f1d9de27753cceea8b82b1e5511542e263c35b9dadf5030798741b6a5d8c89120d27d6c5baf4de2bfa9bbc81ca09b9c5e4d7

  • C:\Users\Admin\AppData\Local\Temp\jBZVkynNZIJt\_Files\_Information.txt

    Filesize

    1KB

    MD5

    2edd8fcf663e4b65d3fee2a0c6d9485f

    SHA1

    bbdebf462176f2307af3b954513e432de6dd81f8

    SHA256

    e3676d2a895eb48546b1501b962717898d09683307b1d883b372fbd666828bf4

    SHA512

    5d7a0185414ab2be328c5238d55d5d857459548db90da3bd693112f24c2347a5912d944af1d0771b26c1992756667ba6f9bdec7bc96d4b2bb062a3650b13f873

  • C:\Users\Admin\AppData\Local\Temp\jBZVkynNZIJt\_Files\_Information.txt

    Filesize

    7KB

    MD5

    f92d84404da905f79a9a711f1bbbe0bf

    SHA1

    b64309f96dce6bcbd1d465de26612c410583ca72

    SHA256

    f20f4278cb0772ef5b4038e28bcf4fa0a57fb94fd87c1e6e89b7fc39a9ef8062

    SHA512

    218e54e336a34fbdaf169ce746eab8607789d82a967a8e91c2499a523c076ea8dcbcb5c87661d21f066313df5a8632258b50dec3d6392751a3847281ccd0292a

  • C:\Users\Admin\AppData\Local\Temp\jBZVkynNZIJt\_Files\_Screen_Desktop.jpeg

    Filesize

    54KB

    MD5

    0ee966bd72f0ee37d9f07ba57c8b03cb

    SHA1

    a58fbf4bd4595e431671ec34ec639d0f090a206c

    SHA256

    d5153fba3c1f82e3a88c6d5232e98fad1e92c770225b98e058eb4c922704786c

    SHA512

    dc87e3f49b0a64ae33f451d6c9789f3897352aafa60dc7d702b9370d28e53de8385a3db0957479bbdcef4cbc096cfbab9e412b490754e54b2138b8755078e317

  • memory/3508-166-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB

  • memory/3508-139-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB

  • memory/3508-0-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB

  • memory/3508-5-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB

  • memory/3508-3-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB

  • memory/3508-131-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB

  • memory/3508-132-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB

  • memory/3508-172-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB

  • memory/3508-2-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB

  • memory/3508-145-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB

  • memory/3508-141-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB

  • memory/3508-4-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB

  • memory/3508-148-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB

  • memory/3508-151-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB

  • memory/3508-154-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB

  • memory/3508-158-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB

  • memory/3508-160-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB

  • memory/3508-163-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB

  • memory/3508-1-0x0000000077814000-0x0000000077816000-memory.dmp

    Filesize

    8KB

  • memory/3508-169-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB

  • memory/3508-135-0x0000000000E50000-0x00000000014E2000-memory.dmp

    Filesize

    6.6MB