cryptbot | d9f01436c890d26da55d5caa1999e73ef71fab82310ee65ea7d038a7e9ad5374

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
Size

4.3MB
MD5

328ebad3b9024940b56a758598dd9811
SHA1

915ad091b5d250ff94aa2aec146dc5214558b0d8
SHA256

d9f01436c890d26da55d5caa1999e73ef71fab82310ee65ea7d038a7e9ad5374
SHA512

2975063ec08f72a5d8747c84cb32efba335263f35f21daa137839262f82197b79658b450dec676a3a6887c229929210823fedc56630cea2137e2b9728bb405a1
SSDEEP

98304:F8FVXoBFq2fxnpNjMuSEO+RHh2qnRCZAgB1z2:0XBipxSI8IRczTz2

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

rifat05.info

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

328ebad3b9024940b56a758598dd9811_JaffaCakes118.exePiqqu.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Piqqu.exe
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exe

flow pid process

9 2560 WScript.exe
11 2560 WScript.exe
13 2560 WScript.exe
16 2560 WScript.exe
18 2560 WScript.exe
20 2560 WScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Piqqu.exe

flow	pid	process
9	2560	WScript.exe
11	2560	WScript.exe
13	2560	WScript.exe
16	2560	WScript.exe
18	2560	WScript.exe
20	2560	WScript.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

328ebad3b9024940b56a758598dd9811_JaffaCakes118.exePiqqu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Piqqu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Piqqu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

Piqqu.exe

pid process

2868 Piqqu.exe

pid	process
2868	Piqqu.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

328ebad3b9024940b56a758598dd9811_JaffaCakes118.exePiqqu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	Piqqu.exe

Loads dropped DLL 1 IoCs

Processes:

328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe

pid process

1044 328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

8 iplogger.org
9 iplogger.org
23 iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

328ebad3b9024940b56a758598dd9811_JaffaCakes118.exePiqqu.exe

pid process

1044 328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
2868 Piqqu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1044	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe

flow	ioc
8	iplogger.org
9	iplogger.org
23	iplogger.org

flow	ioc
3	ip-api.com

pid	process
1044	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
2868	Piqqu.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Piqqu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Piqqu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Piqqu.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

328ebad3b9024940b56a758598dd9811_JaffaCakes118.exePiqqu.exe

pid process

1044 328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
2868 Piqqu.exe
Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

Piqqu.exe

pid process

2868 Piqqu.exe
2868 Piqqu.exe
2868 Piqqu.exe
2868 Piqqu.exe
2868 Piqqu.exe
2868 Piqqu.exe
2868 Piqqu.exe
2868 Piqqu.exe
2868 Piqqu.exe
2868 Piqqu.exe
2868 Piqqu.exe
2868 Piqqu.exe

pid	process
1044	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
2868	Piqqu.exe

pid	process
2868	Piqqu.exe
2868	Piqqu.exe
2868	Piqqu.exe
2868	Piqqu.exe
2868	Piqqu.exe
2868	Piqqu.exe
2868	Piqqu.exe
2868	Piqqu.exe
2868	Piqqu.exe
2868	Piqqu.exe
2868	Piqqu.exe
2868	Piqqu.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe

description	pid	process	target process
PID 1044 wrote to memory of 2868	1044	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe	Piqqu.exe
PID 1044 wrote to memory of 2868	1044	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe	Piqqu.exe
PID 1044 wrote to memory of 2868	1044	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe	Piqqu.exe
PID 1044 wrote to memory of 2868	1044	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe	Piqqu.exe
PID 1044 wrote to memory of 2560	1044	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe	WScript.exe
PID 1044 wrote to memory of 2560	1044	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe	WScript.exe
PID 1044 wrote to memory of 2560	1044	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe	WScript.exe
PID 1044 wrote to memory of 2560	1044	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1044

C:\ProgramData\Imagine\Piqqu.exe
C:\ProgramData\Imagine\Piqqu.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2868

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\ipras.vbs"
2⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\M1i11KxxRpTZP\172773668.txt
Filesize
156B

MD5
b5089e0c5a3d5377e9bd19c0557ef04e

SHA1
9402e326be3d240e234c06892b15c24e93c93eb8

SHA256
d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5

SHA512
942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13

Download Submit
C:\ProgramData\M1i11KxxRpTZP\Files\Browsers\_FilePasswords.txt
Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\ProgramData\M1i11KxxRpTZP\Files\_Info.txt
Filesize
1KB

MD5
c526cf1ba8811d31d8e9a6414bf1b702

SHA1
c55f9e23f44051f6a9570fb71770d60687359315

SHA256
e024d853e13c18d82422948cb188900e14f4f944d8a0846bd076e07d4138bc7a

SHA512
4b3662fe1bfcd513ac1ed27083d8ea9446d1f19644eceb4b4daa96cd82a3ef4a5e97252af02e5837d82fe694226365493c9f01ce3f61a8a013e521a2dc69cfc5

Download Submit
C:\ProgramData\M1i11KxxRpTZP\FsohRZkr7siMb1.zip
Filesize
39KB

MD5
93efdfee8545c9f35be5c093b12e0940

SHA1
237753796b8cda2ddfad04a054c9a8b28f8993aa

SHA256
44523bfbe19c98aced2beedd20ee78465595bdbdbaf84c737ad16e61ebd2687a

SHA512
12bdaa86ec063f45c64ee3df1d9640c484add694825b6ef1935cf489d9325e72f51dbabc68f02d839a4bea5976553e35877b7e10f8fac9f3213ac69174df1707

Download Submit
C:\ProgramData\ipras.vbs
Filesize
126B

MD5
c6362e3c5585f24a9e9a2712c00c52ff

SHA1
9259b9609313386f004328d2c306820eae01a587

SHA256
184ca5b2737175e0828f3546d483778c95e23720f1375deac0090c2fe415e208

SHA512
59ac94fdb6f41d6dc5cbea1855897759f35032ac922b936a0b39a21b6aafb0c862c5d419afa31c0b81f106f2ce06b2909cdb5fb713534fbe36202c5a4fedfeaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
299B

MD5
5ae8478af8dd6eec7ad4edf162dd3df1

SHA1
55670b9fd39da59a9d7d0bb0aecb52324cbacc5a

SHA256
fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca

SHA512
a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
3040136a78b1cce9d4e351db39522066

SHA1
2f171886343deaf914d1f4134bef9c33044e5868

SHA256
67b19176b6a90535c97afefb73c9d32b33b9768bb7949ae2de52072a02340b98

SHA512
a4bd5fa85add169b76d96f3c1dddcf6cc6f7a54782540d003f088b1e52b822013bca32edb80805c3fe80ffaf13c14c22404863a01a7588ff0f0ed50378876d80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
192B

MD5
b3cdd500b9528d34c15b79556e3c6dff

SHA1
bd41be84943baac741c646d09c3da51b202ed195

SHA256
c09e6870e781e8ed2c2529986ea0bb6466cee9d036905837f33af88126cb92fe

SHA512
2a35b74a1362112fde0342acaebcbeb1aa96fa9b387c20e8eb0fe7037f86e19187885fc16286c0504ee71b843b5a6db30389d852bac415dae0c6327fc6827d65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7371f354335a3206d8ff111a3a9b2c96

SHA1
23002162714b910c05efee16ad4358c636f4e341

SHA256
3d703a00d3d4ef91ddd7634dacc8e2b2597c6c81aecaac1700e9f188454a8c78

SHA512
abf83d8eea8bbb1bef4eca072b4a045a32d42d64f1bbc38f909164c84552e8f7dc1637b63bef0164fe9763a7584651d9d1e86e479f7f94f421d94204a1c2b67d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5f6c4d0c7474cc71cf816957cec79878

SHA1
90181ae7685a91a514a036f5fec5d8e14d03e99a

SHA256
23be8c92b15265556e566e057c28194a5c8e6690fc850bf71b1adfe2868f03be

SHA512
ccee093ea79b3264be162877a1cc32daa51fd964c3482a864851ed8c33c2f6a52acaf6555bd255ea6e3e3909e9778e027f379e3464f8e39e3f220a28b3a22adf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
28190d634d82970edd10503eaf4fe233

SHA1
a76672f0ac4256e06fa9b481e0c5c4ddb6e6ecb1

SHA256
f6f1426f675e8e4acef49a96e7e54b08199760c5c3c5eeac746c208a9bd5ddd7

SHA512
439fb6a1a476c5cd1020a73f28777f2295964df89d0a7290564e2bf441c6f52b2c1e7ca846e1c3e8721743b0123fb1a699c0af640ef325a0d688714ecb724387

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4BB5.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\ProgramData\Imagine\Piqqu.exe
Filesize
2.2MB

MD5
f3717401099468a51ea49a7b2dda9011

SHA1
8a356d95eaf6a168890486d6061a231280eba547

SHA256
81db3923268165f06426206501bd2a243069c073b20bd197a7ae5641ad8f0873

SHA512
446690a2685317c052d8de8ec58fd392dca55c89c189d5c231e864b05f2adf58e1845ad063fce32072890857c42e58469051642ca7e900bf1e93b07c996bd03c

Download Submit
memory/1044-21-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-12-0x0000000009750000-0x0000000009751000-memory.dmp

Filesize
4KB

Download
memory/1044-18-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-20-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-0-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-22-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-15-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-27-0x0000000009F10000-0x000000000A45C000-memory.dmp

Filesize
5.3MB

Download
memory/1044-377-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-28-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-16-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-374-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-371-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-100-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-103-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-367-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-14-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-126-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-364-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-2-0x0000000009790000-0x0000000009791000-memory.dmp

Filesize
4KB

Download
memory/1044-139-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-3-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/1044-4-0x00000000097C0000-0x00000000097C1000-memory.dmp

Filesize
4KB

Download
memory/1044-5-0x00000000097D0000-0x00000000097D1000-memory.dmp

Filesize
4KB

Download
memory/1044-6-0x0000000009740000-0x0000000009741000-memory.dmp

Filesize
4KB

Download
memory/1044-7-0x0000000009780000-0x0000000009781000-memory.dmp

Filesize
4KB

Download
memory/1044-8-0x00000000097A0000-0x00000000097A2000-memory.dmp

Filesize
8KB

Download
memory/1044-264-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-266-0x0000000009F10000-0x000000000A45C000-memory.dmp

Filesize
5.3MB

Download
memory/1044-361-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-9-0x0000000009730000-0x0000000009731000-memory.dmp

Filesize
4KB

Download
memory/1044-10-0x0000000009720000-0x0000000009721000-memory.dmp

Filesize
4KB

Download
memory/1044-11-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/1044-17-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-13-0x0000000000401000-0x000000000045D000-memory.dmp

Filesize
368KB

Download
memory/1044-357-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-354-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-351-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-338-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-348-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/1044-1-0x0000000077980000-0x0000000077982000-memory.dmp

Filesize
8KB

Download
memory/1044-345-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2868-359-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-378-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-343-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-339-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-349-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-352-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-340-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-337-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-355-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-362-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-346-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-342-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-336-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-127-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-365-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-368-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-104-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-99-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-372-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-375-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-95-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-29-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download
memory/2868-265-0x0000000000340000-0x000000000088C000-memory.dmp

Filesize
5.3MB

Download