Overview

overview

10

Static

static

3

28fc393e1c...18.exe

windows7-x64

10

28fc393e1c...18.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

Setup.exe

windows7-x64

10

Setup.exe

windows10-2004-x64

10

SetupX.exe

windows7-x64

9

SetupX.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 07:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.exe

  • Size

    2.2MB

  • MD5

    3e2939633756d5eafd71201a32b971ed

  • SHA1

    1c9b05c647de8ba96ede7cd9054b13e8b6be7725

  • SHA256

    c955bf4ec24e5b286fcc12fb9954d08f6a4bf323b5133ec268b37f68d01b8e6a

  • SHA512

    96e06d5972bd6ad8d836a18155c63f2022a4c626b5229c84755bc864ada567bfb5e4e3a4d6f4c63826c5ae3ceec6932f6a9b5f24e7649eb5424dbf8a85a5a954

  • SSDEEP

    49152:KyERVZNeoFBz0ArW+Y9mXyWCYP7ZRPPjQvpo4ay/:KysxlFV0ArWj9mXYcZlrQvpo4ay/

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

bube01.info

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:432
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\vYCz3ZmCF88ha & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:452
      • C:\Windows\SysWOW64\timeout.exe
        timeout 2
        3⤵
        • Delays execution with timeout.exe
        PID:3984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\vYCz3ZmCF88ha\47283761.txt
    Filesize

    156B

    MD5

    b5089e0c5a3d5377e9bd19c0557ef04e

    SHA1

    9402e326be3d240e234c06892b15c24e93c93eb8

    SHA256

    d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5

    SHA512

    942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13

    Download Submit
  • C:\ProgramData\vYCz3ZmCF88ha\Files\_Info.txt
    Filesize

    1KB

    MD5

    6da72f57ab6ce3bc4028ed446a995f27

    SHA1

    c319c89a2f7914f30847fa2d916aa6e8ef6dedb8

    SHA256

    d691cb57a92d3343707e16fb4fc435e2f93a6f3f067cc3695cf7357e50259ba9

    SHA512

    9ad50f0f451cb3faface9044c1bb70acdbd9f68244ddb708abbedd38fd74bcd9def9f5afa8abcbcddbc7fc344c9aadd9660f40f2ead2b7dd14524d66617d22eb

    Download Submit
  • C:\ProgramData\vYCz3ZmCF88ha\Files\_Info.txt
    Filesize

    8KB

    MD5

    9e7116d483a92a1f67d8d065f7b97e65

    SHA1

    3d1cd3d1809afa0a47fce601d0ec29acb280a2a8

    SHA256

    975656e730c0fa1cb5968544be562ebef2302dad5c5ed9875a5ee9d001ab2d59

    SHA512

    34ad7f134ae40e3041a8c63cb1b0245579ec98e8c2adcbe0742987e22709edf334e8ac92e450aa76c4861872124941efa8a15bc196a5e0ddaca74b637be873c7

    Download Submit
  • C:\ProgramData\vYCz3ZmCF88ha\Files\_Screen.jpg
    Filesize

    52KB

    MD5

    15e2a38b94cac0b34f3f55a37908f677

    SHA1

    97682fa9c2b8b24c5bc585c69520d7017c6e5a7e

    SHA256

    00020d338602c4df57eb51df883c7cf277153680d395cf57cc9814992ee315f2

    SHA512

    92af88bb7874eb11693332cb952412f0feb290c8f25e8c0d8f902bb290494072b7e4b9533b83216f42ba34d8d01e9a9a91db96fc2f53065a535013a522ee3339

    Download Submit
  • C:\ProgramData\vYCz3ZmCF88ha\MOZ_CO~1.DB
    Filesize

    96KB

    MD5

    d367ddfda80fdcf578726bc3b0bc3e3c

    SHA1

    23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

    SHA256

    0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

    SHA512

    40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

    Download Submit
  • C:\ProgramData\vYCz3ZmCF88ha\TyKhQ58FlLv6Yxgh.zip
    Filesize

    47KB

    MD5

    b1e17d0a88c901112f2af0f4ed309747

    SHA1

    ffe0f6e6774b6f34d238265e32ab318e9bdf46ae

    SHA256

    db22288b354186d8e0347a7097f1836004aa528b9fd45bc475649d59352a771e

    SHA512

    8e1de99c10189422acfb0d24563e53add64d7625415dd507debecaf11dd9324e2be5623f368db52f2f83980e71d91f47727759a9efc0a534dc88061442ff2588

    Download Submit
  • memory/432-17-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-164-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-0-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-20-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-6-0x00000000050F0000-0x00000000050F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/432-7-0x0000000005110000-0x0000000005111000-memory.dmp
    Filesize

    4KB

    Download
  • memory/432-8-0x00000000050B0000-0x00000000050B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/432-146-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-152-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-154-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-14-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-156-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-157-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-159-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-161-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-5-0x00000000050E0000-0x00000000050E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/432-167-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-170-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-173-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-176-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-179-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-182-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-185-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-187-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-190-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-193-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-195-0x0000000000490000-0x00000000009D8000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/432-10-0x0000000000491000-0x00000000004F0000-memory.dmp
    Filesize

    380KB

    Download
  • memory/432-1-0x0000000077CC4000-0x0000000077CC6000-memory.dmp
    Filesize

    8KB

    Download