Overview

overview

10

Static

static

3

641665ec1e...18.exe

windows7-x64

10

641665ec1e...18.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

1_1.exe

windows7-x64

10

1_1.exe

windows10-2004-x64

10

file.exe

windows7-x64

9

file.exe

windows10-2004-x64

9

file.vbs

windows7-x64

8

file.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    21-05-2024 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1_1.exe

  • Size

    2.1MB

  • MD5

    5a2a75f58899cde4c6f0db01e76ec957

  • SHA1

    687a13b27fc71c0f5b13bbec024a7355d68e9366

  • SHA256

    5f542d4b44d1cfad8c47508393fe2695a6165faa0010db45c6a83345e06981d6

  • SHA512

    1beed060bf19b93ee6928141e53d8957bb7a06054a38f18f4a03cdd04d8bcff20f6b388c128c04b8ddb337f05730b877b8f44b9b7a1ed4473df6c4e35e229abd

  • SSDEEP

    49152:1RQHZCG6lEfw7FclTsIvv1+91BrweH6m71CL5eHYRW:1v7lYw5Ivv89vT71CdeHYE

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

otteppp05.top

doorres02.top

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 20 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1_1.exe
    "C:\Users\Admin\AppData\Local\Temp\1_1.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:2012

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\I0kSu835nXDi.zip
    Filesize

    469KB

    MD5

    43b81f6c585e06f614e887333c30ed77

    SHA1

    4eed8a96d51546499d72eee13a7b2af3b54d106d

    SHA256

    64693c1d687a2d6ce3a2cfe4477f803ab0d62e47482df2f484ad8aa3840d4c54

    SHA512

    bb4af7b39ca0d09952aaaff0100426d58c638922b47f47347caed8fbea956a955987515c5389e3bf1fc935a7e7ff54df2cc92b1bfc332b64fc433f7aae2d472e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Files\UnblockGrant.txt
    Filesize

    436KB

    MD5

    6232cef8fa9abf01256de35b54d780b4

    SHA1

    0771379b715b9963a1b104ab2e531149025e8f34

    SHA256

    f4dda69bb00512727f53a42ba0812ad9ed61e5465ae207d7922dec21fb389394

    SHA512

    49ebec8deb5ce93218079e0ff5f8ef336d107f420aa2cf0e26a8b3f72396d4be19198bcab3852d739eefad6db068b401348c8383ab0118d64b63878ae857b535

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Information.txt
    Filesize

    8KB

    MD5

    462e9860eee3c95b6ba29ebbd2b48af4

    SHA1

    a68280aaffdfed90fea9b451bc79079fdc888c03

    SHA256

    a564ba38a28c7e39aa4f062f75817fb827b0740bec79c89f1d0e65b946eb83a9

    SHA512

    1330a37ddd5f63ff6b15a8b82dd00a614aa3c434a3dacef50432d56e20f3b0006fb8370e05a2860573f027674a6ec55e7e9f40446237731c084e1af7b283fd0b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Screen_Desktop.jpeg
    Filesize

    40KB

    MD5

    e5d3e82f897cba7dad66cb730233f24b

    SHA1

    19e4e0a4a74e072cf6f9da3013d5cea6385f025f

    SHA256

    060e641c847b185d9550d7e2d77c080720124330081d697230ff31c0cf4bb739

    SHA512

    2f3216d22ae68140e4862ac801b101323bab47c10aaa1a1e4318dc4e9562685e3d149cdbe9f35a880a5747c323ec4f1ce5f1cd7e982ed55a3c7cf448e6cf6bd6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\files_\system_info.txt
    Filesize

    8KB

    MD5

    d9bf1a34212ab5bdd28bd5b7c6f82454

    SHA1

    8da7c4f524eb9527106af84bf9241d2faee542ea

    SHA256

    5b9a9b63cfea9a2d649d939bd19c0976454b5c8679503e5057393c2c6757040f

    SHA512

    f0d08fb5f704896c0ef614617f064cf8ac22ee42351eb7b1d9762b738eef6f0a7580853660d9405a0694d0b5ce2718e66052c28a7dd2f8d538e6bf0dfacd0c16

    Download Submit
  • memory/2012-235-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-237-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-7-0x00000000012F1000-0x000000000134C000-memory.dmp
    Filesize

    364KB

    Download
  • memory/2012-8-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-9-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-5-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2012-122-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-4-0x00000000010E0000-0x00000000010E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2012-3-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2012-2-0x0000000000A80000-0x0000000000A82000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2012-233-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-0-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-236-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-6-0x0000000000A10000-0x0000000000A11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2012-1-0x00000000770B0000-0x00000000770B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2012-239-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-240-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-243-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-245-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-247-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-250-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-252-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-254-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-256-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-259-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-261-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-263-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2012-266-0x00000000012F0000-0x00000000017EE000-memory.dmp
    Filesize

    5.0MB

    Download