Overview

overview

10

Static

static

3

88f8f695e6...18.exe

windows7-x64

10

88f8f695e6...18.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

DowloadX.exe

windows7-x64

9

DowloadX.exe

windows10-2004-x64

9

Download.exe

windows7-x64

10

Download.exe

windows10-2004-x64

10

ipras.vbs

windows7-x64

8

ipras.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-06-2024 01:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Download.exe

  • Size

    2.1MB

  • MD5

    b8312084a400862a2c19797691c6f0a6

  • SHA1

    d675f4ed00508ff0208f75fd6851d14348c9bed4

  • SHA256

    9f23b60e0b3c3360a2b67cc40d977577a74d1b16306522aa306b0feb29dad07b

  • SHA512

    beae195ed8dd2572e7299cdbe137d80f152cefa89c8bca25bafcf9527b34157833972cc3142d803e8cef33d5fe72217278253f423cc203585097a7ec1a0496ce

  • SSDEEP

    49152:fP3lms2TDH5VBPPRmZ6riTIWQhL1iNVcKs3UqVobLeuufeoyKk0lIeDe/:X4s25VBPPRbGYL16qltSbLNm/yKk0lIP

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

cede01.info

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Download.exe
    "C:\Users\Admin\AppData\Local\Temp\Download.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4168
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\ZZzoj5r5rbrtm & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Download.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3628
      • C:\Windows\SysWOW64\timeout.exe
        timeout 2
        3⤵
        • Delays execution with timeout.exe
        PID:2204

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\ZZzoj5r5rbrtm\47283761.txt
    Filesize

    156B

    MD5

    b5089e0c5a3d5377e9bd19c0557ef04e

    SHA1

    9402e326be3d240e234c06892b15c24e93c93eb8

    SHA256

    d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5

    SHA512

    942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13

    Download Submit
  • C:\ProgramData\ZZzoj5r5rbrtm\DlPCLv1UNzcnAE.zip
    Filesize

    48KB

    MD5

    1c79a904a11653e823cdccae8efa4ad2

    SHA1

    baa005b6dce05b7cbd22e107fff9488de54b0690

    SHA256

    68d051a070540f7771eb92006754698612ac146dcfb4a536efba4408f7a83325

    SHA512

    0f0f19fab2f90fc79ea407918f2cf610481a2c73875ba628dc824bf511556f6b8ef0bc899e071941e8ecf1667402c8fa862b544ab62342d57ea854b657b8369a

    Download Submit
  • C:\ProgramData\ZZzoj5r5rbrtm\Files\_Info.txt
    Filesize

    8KB

    MD5

    cf51a25babfe7232984e3d5d46a6d24e

    SHA1

    da4946073c81f3b8ca9e6ca1e53649c06f8af72d

    SHA256

    b6feb8688266e859fb1e1e4461e5dbd21747d0190a05aeb2b8becb9bb6cf6b6b

    SHA512

    bdc102e86881cd22ac6f66cd98687648e2fd5ef17d46e1bbbe8150adfad2134f33fc93741dc0c1f401dd83b3a957de7051d0d8ee1403547c211a797350394062

    Download Submit
  • C:\ProgramData\ZZzoj5r5rbrtm\Files\_Info.txt
    Filesize

    2KB

    MD5

    5f5c9bc5b65880b427b35c476e88da07

    SHA1

    4fb9d869cb4bfea0542946274f6cf571278fb722

    SHA256

    93af33600f06efa33d955524b2575a21541c6e19c63f729fe60f6ec26403c00d

    SHA512

    e112180e2538972938efe860acfc94900300743969836c6103e1292d7cf0b00c64e38185df3ebe6398517b5d650ffd46ff799e6bfa2d49f03e1085c9e2a985da

    Download Submit
  • C:\ProgramData\ZZzoj5r5rbrtm\Files\_Info.txt
    Filesize

    3KB

    MD5

    b6ca71892239475dd6ff9d924f72a13b

    SHA1

    9a29774ed501d4a0f89575946af857674da29fbe

    SHA256

    bf15fd1f9930045fe6737dc6c412f63025ac91277ef1324bf00eed0149a8d17e

    SHA512

    23f6e1c0fae70d91f2ab80a2584257009ffa0a9e69908a9485beab1618ff7e26a9af420936a8fa3dd2a20d1cd30ade2b545d2dd27773fea56d7bbb12f5cd172a

    Download Submit
  • C:\ProgramData\ZZzoj5r5rbrtm\Files\_Info.txt
    Filesize

    4KB

    MD5

    08abdec5ead91638d3080b967a4dd1cc

    SHA1

    3aeb93e3a76df28fdff303cac8047ffc2ab8ea5a

    SHA256

    4574fd59eb454bfe609ea0fa2b82bcd10bddd1f6f70155fa026a91330a10ff46

    SHA512

    22fd8f6d628680a66a3aa65250cd5fe6fcc8b32aaee644fe97c061981457a419e9e722f101f9af47a1b977dab3a273f800c9845684b5484935ed34c7cc88a77e

    Download Submit
  • C:\ProgramData\ZZzoj5r5rbrtm\Files\_Screen.jpg
    Filesize

    53KB

    MD5

    2c740811d20829980a58abef865a33fb

    SHA1

    396167d87ae99b7ac3a528ee7c2050a81f559f62

    SHA256

    4da81fc0f2e34ef6215df2e71cdc852b93b80123a56d8213ccce07094bd9bedd

    SHA512

    4c192a255d525350a1a6045306c0a67c450c290b04d0e097dde4785f7ffd6304af94491a2ee80cc4f89e00568676c60713867ed583e1aaf0009a6f792b49e214

    Download Submit
  • C:\ProgramData\ZZzoj5r5rbrtm\MOZ_CO~1.DB
    Filesize

    96KB

    MD5

    d367ddfda80fdcf578726bc3b0bc3e3c

    SHA1

    23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

    SHA256

    0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

    SHA512

    40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

    Download Submit
  • memory/4168-156-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-163-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-21-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-4-0x00000000052B0000-0x00000000052B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4168-17-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-14-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-5-0x00000000052D0000-0x00000000052D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4168-152-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-154-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-6-0x00000000052E0000-0x00000000052E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4168-0-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-157-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-160-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-18-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-165-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-168-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-171-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-174-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-177-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-180-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-183-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-186-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-189-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-191-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-194-0x0000000000830000-0x0000000000D5C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4168-7-0x0000000005270000-0x0000000005271000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4168-10-0x0000000000831000-0x0000000000890000-memory.dmp
    Filesize

    380KB

    Download
  • memory/4168-1-0x00000000776B4000-0x00000000776B6000-memory.dmp
    Filesize

    8KB

    Download