Overview

overview

10

Static

static

3

2239fcbdac...18.exe

windows7-x64

10

2239fcbdac...18.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Setup.exe

windows7-x64

10

Setup.exe

windows10-2004-x64

10

Setupres.exe

windows7-x64

9

Setupres.exe

windows10-2004-x64

9

ipras.vbs

windows7-x64

8

ipras.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    146s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-05-2024 23:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.exe

  • Size

    2.2MB

  • MD5

    41af7998ebb519e0a0ca9635a865be5d

  • SHA1

    68a7613a8d4483efb67f3794c245420e0daf2f95

  • SHA256

    f05dc2ebf5bebbe40f1698489b873adcbefa41c98afe544fa04fd1ded91c9189

  • SHA512

    31af03c31f0568ae57aab30c3d320a5505f3106ffd02c19b9bb5c740f76af332b27d929fca715029bfd49f2a0f404643616f0f88ab4f115693949688112ac5bb

  • SSDEEP

    49152:OULOXCsxeOrcY1kC2Palwy7FoSzWXxplecp6Qqst5J:hqyszw0kC2zyFkX4cp6ct3

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

cede04.info

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4704
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\TRXMSOgoVJX & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3248
      • C:\Windows\SysWOW64\timeout.exe
        timeout 2
        3⤵
        • Delays execution with timeout.exe
        PID:3616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\TRXMSOgoVJX\47283761.txt
    Filesize

    156B

    MD5

    b5089e0c5a3d5377e9bd19c0557ef04e

    SHA1

    9402e326be3d240e234c06892b15c24e93c93eb8

    SHA256

    d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5

    SHA512

    942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13

    Download Submit
  • C:\ProgramData\TRXMSOgoVJX\Files\_Info.txt
    Filesize

    8KB

    MD5

    f0058b7f84a0c29b341a250e69cc5491

    SHA1

    fae5de612b89e635ef7b8e5eb455f8dfaf080d84

    SHA256

    a8879dff30df36e86100468a8597e490530e917954a5a2ba123a815e95ed3e42

    SHA512

    3e3a03f104e6f3a5066f2a58c5ad41a70459759031340d2e6e449d11ba16c72bdefeea2f30984363d96faa13fbedb81ad59657a51f0a069e5954de099ae70d27

    Download Submit
  • C:\ProgramData\TRXMSOgoVJX\Files\_Screen.jpg
    Filesize

    52KB

    MD5

    7b4afa39e1e811fb9dd0462625dbf25f

    SHA1

    efd84f1c6df97aaf3305fc23412cce00f4904ba3

    SHA256

    633403de62c8a07dcff1d9c92e0b0d714bab564f8e36da84c9e728f414543646

    SHA512

    2ce526a20ef7971b1fe1bd005c64be3881f7e484649cc6e7f2c3dcad7813e0508f0271218bdb118ee1c5341970cec95716047e9a1244bb6b53623b34109986e5

    Download Submit
  • C:\ProgramData\TRXMSOgoVJX\JLqbaGgbF2bU5.zip
    Filesize

    47KB

    MD5

    ab260fc88421460b26ed2b5899510261

    SHA1

    d894289c47ce2e6ca08bd66b58ba3e7189460437

    SHA256

    fb2250b6b8e57b2b0dc278bd35e5e68fef2604bed8a5b42ce318a504b11324fa

    SHA512

    97d09f6f003abd8ca0cdf5d10a3db163feda55403a8f99ffe597639780863b7f9d75c68b3052fe8f64ffff3ce22dc46593f1d911e7de650c89d1993d6765cfc9

    Download Submit
  • C:\ProgramData\TRXMSOgoVJX\MOZ_CO~1.DB
    Filesize

    96KB

    MD5

    40f3eb83cc9d4cdb0ad82bd5ff2fb824

    SHA1

    d6582ba879235049134fa9a351ca8f0f785d8835

    SHA256

    cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

    SHA512

    cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

    Download Submit
  • memory/4704-156-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-162-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-16-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-17-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-20-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-9-0x0000000005470000-0x0000000005471000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4704-13-0x0000000000A61000-0x0000000000AC0000-memory.dmp
    Filesize

    380KB

    Download
  • memory/4704-145-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-152-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-153-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-11-0x0000000005410000-0x0000000005411000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4704-0-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-157-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-158-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-160-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-8-0x0000000005450000-0x0000000005451000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4704-165-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-168-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-171-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-174-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-177-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-180-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-182-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-185-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-188-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-191-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-194-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-196-0x0000000000A60000-0x0000000000F7B000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/4704-10-0x0000000005480000-0x0000000005481000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4704-1-0x00000000774E4000-0x00000000774E6000-memory.dmp
    Filesize

    8KB

    Download