cryptbot | 00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe
Size

3.8MB
MD5

4ecd0ac0f9b8d6115f76077b6838340c
SHA1

bb108e7eff22db0dc2010e70718cbaf034d076e5
SHA256

00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc
SHA512

fd0251043ede3bc9f25eec724992362dd55efe6be00520c4baa330409e666bb104047556461ce5258a9d8a7e6fb79c70555f8e429741334c5146a7b446cf7009
SSDEEP

98304:k+mwYjViFrjl6wcODej0cNMynr+HKXMZeNLC8:2w2wlj20cN3rwKwk

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

vetiir14.top

moriiikk04.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 14 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3972-230-0x00000000008A0000-0x0000000000D87000-memory.dmp	family_cryptbot
behavioral2/memory/3972-236-0x00000000008A0000-0x0000000000D87000-memory.dmp	family_cryptbot
behavioral2/memory/3972-240-0x00000000008A0000-0x0000000000D87000-memory.dmp	family_cryptbot
behavioral2/memory/3972-281-0x00000000008A0000-0x0000000000D87000-memory.dmp	family_cryptbot
behavioral2/memory/3972-318-0x00000000008A0000-0x0000000000D87000-memory.dmp	family_cryptbot
behavioral2/memory/3972-322-0x00000000008A0000-0x0000000000D87000-memory.dmp	family_cryptbot
behavioral2/memory/3972-326-0x00000000008A0000-0x0000000000D87000-memory.dmp	family_cryptbot
behavioral2/memory/3972-330-0x00000000008A0000-0x0000000000D87000-memory.dmp	family_cryptbot
behavioral2/memory/3972-334-0x00000000008A0000-0x0000000000D87000-memory.dmp	family_cryptbot
behavioral2/memory/3972-337-0x00000000008A0000-0x0000000000D87000-memory.dmp	family_cryptbot
behavioral2/memory/3972-341-0x00000000008A0000-0x0000000000D87000-memory.dmp	family_cryptbot
behavioral2/memory/3972-347-0x00000000008A0000-0x0000000000D87000-memory.dmp	family_cryptbot
behavioral2/memory/3972-351-0x00000000008A0000-0x0000000000D87000-memory.dmp	family_cryptbot
behavioral2/memory/3972-355-0x00000000008A0000-0x0000000000D87000-memory.dmp	family_cryptbot

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 14 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3972-230-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/3972-236-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/3972-240-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/3972-281-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/3972-318-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/3972-322-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/3972-326-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/3972-330-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/3972-334-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/3972-337-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/3972-341-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/3972-347-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/3972-351-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/3972-355-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 14 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3972-230-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3972-236-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3972-240-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3972-281-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3972-318-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3972-322-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3972-326-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3972-330-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3972-334-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3972-337-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3972-341-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3972-347-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3972-351-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3972-355-0x00000000008A0000-0x0000000000D87000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exescaukimwrsk.exengadtodc.exeewbniytugi.exeSmartClock.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	scaukimwrsk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ngadtodc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ewbniytugi.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SmartClock.exe

Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

21 3080 WScript.exe
23 3080 WScript.exe
25 3080 WScript.exe
Downloads MZ/PE file

flow	pid	process
21	3080	WScript.exe
23	3080	WScript.exe
25	3080	WScript.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exescaukimwrsk.exengadtodc.exeewbniytugi.exeSmartClock.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	scaukimwrsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ngadtodc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ewbniytugi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	scaukimwrsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ngadtodc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ewbniytugi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SmartClock.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.execmd.exengadtodc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	ngadtodc.exe

Drops startup file 1 IoCs

Processes:

ewbniytugi.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk ewbniytugi.exe
Executes dropped EXE 4 IoCs

Processes:

scaukimwrsk.exengadtodc.exeewbniytugi.exeSmartClock.exe

pid process

3972 scaukimwrsk.exe
216 ngadtodc.exe
2952 ewbniytugi.exe
3940 SmartClock.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	ewbniytugi.exe

pid	process
3972	scaukimwrsk.exe
216	ngadtodc.exe
2952	ewbniytugi.exe
3940	SmartClock.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exescaukimwrsk.exengadtodc.exeewbniytugi.exeSmartClock.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	scaukimwrsk.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	ngadtodc.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	ewbniytugi.exe
Key opened	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Wine	SmartClock.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

20 iplogger.org
21 iplogger.org
50 bitbucket.org
51 bitbucket.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

48 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exescaukimwrsk.exengadtodc.exeewbniytugi.exeSmartClock.exe

pid process

2928 00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe
3972 scaukimwrsk.exe
216 ngadtodc.exe
2952 ewbniytugi.exe
3940 SmartClock.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
20	iplogger.org
21	iplogger.org
50	bitbucket.org
51	bitbucket.org

flow	ioc
48	ip-api.com

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exescaukimwrsk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	scaukimwrsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	scaukimwrsk.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4268 timeout.exe
4452 timeout.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings cmd.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

3940 SmartClock.exe

pid	process
4268	timeout.exe
4452	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	cmd.exe

pid	process
3940	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exescaukimwrsk.exengadtodc.exeewbniytugi.exeSmartClock.exe

pid	process
2928	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe
2928	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe
3972	scaukimwrsk.exe
3972	scaukimwrsk.exe
216	ngadtodc.exe
216	ngadtodc.exe
2952	ewbniytugi.exe
2952	ewbniytugi.exe
3940	SmartClock.exe
3940	SmartClock.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

scaukimwrsk.exe

pid process

3972 scaukimwrsk.exe
3972 scaukimwrsk.exe

pid	process
3972	scaukimwrsk.exe
3972	scaukimwrsk.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.execmd.execmd.execmd.execmd.exeewbniytugi.exengadtodc.execmd.execmd.exe

description	pid	process	target process
PID 2928 wrote to memory of 3716	2928	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe	cmd.exe
PID 2928 wrote to memory of 3716	2928	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe	cmd.exe
PID 2928 wrote to memory of 3716	2928	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe	cmd.exe
PID 3716 wrote to memory of 3080	3716	cmd.exe	WScript.exe
PID 3716 wrote to memory of 3080	3716	cmd.exe	WScript.exe
PID 3716 wrote to memory of 3080	3716	cmd.exe	WScript.exe
PID 2928 wrote to memory of 5016	2928	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe	cmd.exe
PID 2928 wrote to memory of 5016	2928	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe	cmd.exe
PID 2928 wrote to memory of 5016	2928	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe	cmd.exe
PID 5016 wrote to memory of 3972	5016	cmd.exe	scaukimwrsk.exe
PID 5016 wrote to memory of 3972	5016	cmd.exe	scaukimwrsk.exe
PID 5016 wrote to memory of 3972	5016	cmd.exe	scaukimwrsk.exe
PID 2928 wrote to memory of 2164	2928	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe	cmd.exe
PID 2928 wrote to memory of 2164	2928	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe	cmd.exe
PID 2928 wrote to memory of 2164	2928	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe	cmd.exe
PID 2164 wrote to memory of 216	2164	cmd.exe	ngadtodc.exe
PID 2164 wrote to memory of 216	2164	cmd.exe	ngadtodc.exe
PID 2164 wrote to memory of 216	2164	cmd.exe	ngadtodc.exe
PID 2928 wrote to memory of 948	2928	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe	cmd.exe
PID 2928 wrote to memory of 948	2928	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe	cmd.exe
PID 2928 wrote to memory of 948	2928	00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe	cmd.exe
PID 948 wrote to memory of 2952	948	cmd.exe	ewbniytugi.exe
PID 948 wrote to memory of 2952	948	cmd.exe	ewbniytugi.exe
PID 948 wrote to memory of 2952	948	cmd.exe	ewbniytugi.exe
PID 2952 wrote to memory of 3940	2952	ewbniytugi.exe	SmartClock.exe
PID 2952 wrote to memory of 3940	2952	ewbniytugi.exe	SmartClock.exe
PID 2952 wrote to memory of 3940	2952	ewbniytugi.exe	SmartClock.exe
PID 216 wrote to memory of 868	216	ngadtodc.exe	cmd.exe
PID 216 wrote to memory of 868	216	ngadtodc.exe	cmd.exe
PID 216 wrote to memory of 868	216	ngadtodc.exe	cmd.exe
PID 868 wrote to memory of 4268	868	cmd.exe	timeout.exe
PID 868 wrote to memory of 4268	868	cmd.exe	timeout.exe
PID 868 wrote to memory of 4268	868	cmd.exe	timeout.exe
PID 216 wrote to memory of 2444	216	ngadtodc.exe	cmd.exe
PID 216 wrote to memory of 2444	216	ngadtodc.exe	cmd.exe
PID 216 wrote to memory of 2444	216	ngadtodc.exe	cmd.exe
PID 2444 wrote to memory of 4452	2444	cmd.exe	timeout.exe
PID 2444 wrote to memory of 4452	2444	cmd.exe	timeout.exe
PID 2444 wrote to memory of 4452	2444	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe
"C:\Users\Admin\AppData\Local\Temp\00aa5baecab9124a3797677028217f04878d7e865ffa1bddd10fea145598e5fc.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\isfaoyw.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\isfaoyw.vbs"
3⤵
- Blocklisted process makes network request
PID:3080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\scaukimwrsk.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5016

C:\Users\Admin\AppData\Local\Temp\scaukimwrsk.exe
"C:\Users\Admin\AppData\Local\Temp\scaukimwrsk.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ngadtodc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Local\Temp\ngadtodc.exe
"C:\Users\Admin\AppData\Local\Temp\ngadtodc.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\mlyuwewnufpj & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\ngadtodc.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:4268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\mlyuwewnufpj & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\ngadtodc.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:4452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ewbniytugi.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\ewbniytugi.exe
"C:\Users\Admin\AppData\Local\Temp\ewbniytugi.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2952

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:3940

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mlyuwewnufpj\46173476.txt
Filesize
44B

MD5
ff92d5770b2a507eb0159324c401cd0c

SHA1
0723fe0917f5fa03c1f85f510a4be3e006651954

SHA256
4d773085b6fb0f9e37a7a07aba0739157b65dc3aa178e117acb36e82e1be4660

SHA512
90ef9ea102e1e1c093ce82f6152580d33a1eed5e851288fc9b8c54568d167736ece4f1c77524b58d86fe39f9d3ddf464d251ee09faee5b0997c9f087cab0443d

Download Submit
C:\ProgramData\mlyuwewnufpj\8372422.txt
Filesize
156B

MD5
c12be1e7b6541de7746a7e6f7c722027

SHA1
c637002a9c8aa73dc4dbccc2908aef8ea15819cc

SHA256
0f974cdba262cc57a0a57aac5fc2ab5516ff2dd953247cf817690425dca401fd

SHA512
f7472f853b360639007a307ab6db31ba4287c117bbacc2c0081904e47afdca6f4c236dab438bb387740166cc5bacc184a0752b69d0d7cea92315bac9b5dbd5c5

Download Submit
C:\ProgramData\mlyuwewnufpj\Files\_INFOR~1.TXT
Filesize
111B

MD5
d3bbaa4afdad75d773c23e63b21dd5c6

SHA1
dccb27a55138d329b007eb738f0ce66bb02bb14f

SHA256
52c218ec0607cf7ae18a707f3ce53e33606b365fcb6ecd8f8943e4d8ed6d85a0

SHA512
208705c38aa667360e04e13a84cc98e484a5484ca70eb2c48d1ee2478559e4f2223285bf3028805cab12e5954ddaf93f28e07b44a571b3e529375235e5684b04

Download Submit
C:\ProgramData\mlyuwewnufpj\GB_202~1.ZIP
Filesize
258B

MD5
150ff37428fb5a44692cd711919e3ecf

SHA1
b4c0860c309567de578aff86ebe6738b80e6d755

SHA256
ff64116cb3019ace7bc0b9108e596494d4b5119899a687555c3beec1ad4c2722

SHA512
16e1e219fda7f5742e5c9d4ad35366d440ee272f8b8f7efb79f63152b4e59aaed3b302973601e89c7093645fe5cc2ddd0b9ac0f49e5047898c976923f96f2e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eepf7QTr2wi\KBrfFcLfh.zip
Filesize
1KB

MD5
50690d841a8b1f82437794a3d2f4742a

SHA1
04d58bd37585d4b0fd06242b2a3d3530a733f029

SHA256
db0b0f309c39b1a7c8a2771a8a75b646bfd4db1f100e57ab2c1a81dd377f6e44

SHA512
0631c95cea05eff119b463bd4b27dddd90778342b75f871b36ef940942c45d63574501fbfb607be1655814685d15fa00bcc2426d29bb2dbafcefa7b485934a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eepf7QTr2wi\_Files\_Information.txt
Filesize
494B

MD5
ae1571115e6ce1721c85db44a8a7f7b5

SHA1
02cd343aa266765153096c52c0ec65a0b1023c50

SHA256
f6c9623dd1c294bedb91676cb43369198ede768c6833ebc1cbbe5f12e85c3c10

SHA512
ab82acc7b8cdadb10183e9e18bfcc1975e2e7afe9d779acc6745e52f3fe29a0a63af77afd240f9f7a0d30cab3a666a2127d868a789afcbeabf4e8b1126efd46b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eepf7QTr2wi\_Files\_Information.txt
Filesize
1KB

MD5
f76dfc60802f62f008269bfa300e6321

SHA1
4d18e9172b5b87782fcc37065a9a8e50e9340d20

SHA256
6a68c2ab16da15a96458b26d83b2b4c6ef92022eaa3005b63e3d9f7be51d9c82

SHA512
6ff9e61c28037207b7711da3a5112d892fe11e66882aca3603fdfa7154e42059f1c6299b96abd0b7ac4e19bbb6ed2ee2a159ad5414ed6a32fbcee5c192c6346b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eepf7QTr2wi\_Files\_Information.txt
Filesize
1KB

MD5
6451828d6cce715ed3fab9fa1074e354

SHA1
f0a7199032f71e67e2ed2c516fc2fa0c1be12b6f

SHA256
3c1f7d100339a28e1a39dbc714eed43e604c25ace92ad9e1657da1aa49b25ca8

SHA512
a6c3945d10a9dbbaf6891e5637cadeb6d947f8ffbf3aac55e9871e0b53e7c1bf100420e67f1a25abe36f2fe8c648cd1366d99fce8f7d01e611bc67bc0165020c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eepf7QTr2wi\_Files\_Information.txt
Filesize
4KB

MD5
339d7c5cea3b2d6a209502c0b5947cb6

SHA1
99cac0fb36fbfae6d7c5c9038f4a8f911ddd98a0

SHA256
39bb10d3fb5e0c929c23322f6128018fbbaf70b6a79f08570be4fb1df65c15a7

SHA512
e2f6c7e713e6634e9bfc9f8dc2edad0c6b7a9f0dc5413453e2c0da373f9bab2c9aef6a38455b3819c78c492662c7018635c2ce5a5ae6157806e07e65d5248e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eepf7QTr2wi\a6PWTAzypO.zip
Filesize
1KB

MD5
9d8b66debea596c7bbffc3ee34de3cce

SHA1
b0b3b19ae516b67874d70e0110cb4421ad03ad3d

SHA256
01564c7868e4808f28304dd51498577e67311bbc1c64ba1f11f5cb66a4485a10

SHA512
9838610ce084d4ba1c17fe6942d49026be7a5401743ee3d986802418a0d9b071e053137de297d0462a0e83154888818e8acb654ec4c22c657aa291219b38fcad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eepf7QTr2wi\files_\system_info.txt
Filesize
676B

MD5
499197373da752317d930d2427386866

SHA1
9694f301067e05e9233ee60326dee677c9df0450

SHA256
57b8bd5d7791a7c516cd08a60d8ba5fa0f6323441ef99956c2f62be704d96db4

SHA512
c10a205d8540e4f41c9670b09909de85ce395693414f63851e7e42cd41d605723ec569094659b4dd07fd4989a05b6eed98c0bd735ea19d393b17b38a1b7f1397

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eepf7QTr2wi\files_\system_info.txt
Filesize
6KB

MD5
714c511ab8c2100f4de446e2da444246

SHA1
ae9d0a8e9cb19c8177ee98a975208dfde64ab085

SHA256
3243eda1de7e34189be054d7c07e95c21d0439ef714adc62dd4469288a72d49a

SHA512
23888f720baa0b799d46d837b7b13b96139a065204fcb60510487a29b1afd12752bea30c71df0346fb301ff98c0a077a7118e14620b11a1bb8443168bc2185fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewbniytugi.exe
Filesize
1.8MB

MD5
d5fbff7f6a1e6ca5fb76fc490afea193

SHA1
4602d43717f2f40b416adf1f59bc221dc95c8452

SHA256
3bac838df625a34c49b8428853f3484ee25d1c3e51072acf3cc50456148f432c

SHA512
bf8fabdba030b25a90f85f13686c136f8d2c40f89badb87ef7046b980fe61ee8fd3debe78e2aba5842afe6b19c2d98cd54d13abf73ffdd335e26c593741306dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\isfaoyw.vbs
Filesize
133B

MD5
47361140e1e1a31e824bdb377363afa7

SHA1
385467b70b7ee8305aef67e0766dc224d42c7583

SHA256
ced66dd2a7ed5a7298a22aff064fc8dadd15484ac6441b4cc390b37a65261f61

SHA512
1be9db531d3caa5016b614625b5ba637bbcd178aaf617090ee0aa28cfde7a0e99976e243f20faa74233bf83c78c8cd1806154d8b4dd773a592914eef52d966bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngadtodc.exe
Filesize
2.1MB

MD5
cbecd190ee87125b965fcf316cdc83d8

SHA1
a15216498786ddc954dfcac6a6588624dcd14fba

SHA256
62527ffa0a47fb684c74eebc3a1ba9bcd41b56ecaefb893dd55825a038bba57e

SHA512
f30852972aeab35c3908e9ec1013573c33eae7d00890f60f234b706320e62185bf3e6e53e567c8617d5a0e29c931c901b944039370ad7e5f6b9e10ed3d7b7f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\scaukimwrsk.exe
Filesize
2.0MB

MD5
d95dc2626be6a7521e25cb6827efde0e

SHA1
9694fee4cdc7d23ce1603aa8efdb075cda75efcb

SHA256
1f416d24d370b052f130404ecc949e4e6f629a76743b99706af1e0ee2ee009c6

SHA512
12a29a8a29bcc5feae65da3be489d9de842739bf5eb514f29e893a80724b67a0e0adc40398491ff0ca2808f4d74785888c473a8f191d3d82a8130c9f3b358bde

Download Submit
memory/216-269-0x0000000000280000-0x000000000075E000-memory.dmp

Filesize
4.9MB

Download
memory/216-316-0x0000000000280000-0x000000000075E000-memory.dmp

Filesize
4.9MB

Download
memory/2928-5-0x00000000006D0000-0x0000000000D4F000-memory.dmp

Filesize
6.5MB

Download
memory/2928-267-0x00000000006D0000-0x0000000000D4F000-memory.dmp

Filesize
6.5MB

Download
memory/2928-228-0x00000000006D0000-0x0000000000D4F000-memory.dmp

Filesize
6.5MB

Download
memory/2928-237-0x00000000006D0000-0x0000000000D4F000-memory.dmp

Filesize
6.5MB

Download
memory/2928-239-0x00000000006D0000-0x0000000000D4F000-memory.dmp

Filesize
6.5MB

Download
memory/2928-233-0x00000000006D0000-0x0000000000D4F000-memory.dmp

Filesize
6.5MB

Download
memory/2928-3-0x00000000006D0000-0x0000000000D4F000-memory.dmp

Filesize
6.5MB

Download
memory/2928-235-0x00000000006D1000-0x00000000008F4000-memory.dmp

Filesize
2.1MB

Download
memory/2928-232-0x00000000006D0000-0x0000000000D4F000-memory.dmp

Filesize
6.5MB

Download
memory/2928-276-0x00000000006D0000-0x0000000000D4F000-memory.dmp

Filesize
6.5MB

Download
memory/2928-277-0x00000000006D1000-0x00000000008F4000-memory.dmp

Filesize
2.1MB

Download
memory/2928-2-0x00000000006D1000-0x00000000008F4000-memory.dmp

Filesize
2.1MB

Download
memory/2928-1-0x0000000077364000-0x0000000077366000-memory.dmp

Filesize
8KB

Download
memory/2928-0-0x00000000006D0000-0x0000000000D4F000-memory.dmp

Filesize
6.5MB

Download
memory/2952-282-0x00000000008F0000-0x0000000000D7A000-memory.dmp

Filesize
4.5MB

Download
memory/2952-290-0x00000000008F0000-0x0000000000D7A000-memory.dmp

Filesize
4.5MB

Download
memory/3940-331-0x0000000000100000-0x000000000058A000-memory.dmp

Filesize
4.5MB

Download
memory/3940-356-0x0000000000100000-0x000000000058A000-memory.dmp

Filesize
4.5MB

Download
memory/3940-352-0x0000000000100000-0x000000000058A000-memory.dmp

Filesize
4.5MB

Download
memory/3940-348-0x0000000000100000-0x000000000058A000-memory.dmp

Filesize
4.5MB

Download
memory/3940-345-0x0000000000100000-0x000000000058A000-memory.dmp

Filesize
4.5MB

Download
memory/3940-292-0x0000000000100000-0x000000000058A000-memory.dmp

Filesize
4.5MB

Download
memory/3940-320-0x0000000000100000-0x000000000058A000-memory.dmp

Filesize
4.5MB

Download
memory/3940-339-0x0000000000100000-0x000000000058A000-memory.dmp

Filesize
4.5MB

Download
memory/3940-324-0x0000000000100000-0x000000000058A000-memory.dmp

Filesize
4.5MB

Download
memory/3940-335-0x0000000000100000-0x000000000058A000-memory.dmp

Filesize
4.5MB

Download
memory/3940-327-0x0000000000100000-0x000000000058A000-memory.dmp

Filesize
4.5MB

Download
memory/3972-318-0x00000000008A0000-0x0000000000D87000-memory.dmp

Filesize
4.9MB

Download
memory/3972-230-0x00000000008A0000-0x0000000000D87000-memory.dmp

Filesize
4.9MB

Download
memory/3972-334-0x00000000008A0000-0x0000000000D87000-memory.dmp

Filesize
4.9MB

Download
memory/3972-326-0x00000000008A0000-0x0000000000D87000-memory.dmp

Filesize
4.9MB

Download
memory/3972-337-0x00000000008A0000-0x0000000000D87000-memory.dmp

Filesize
4.9MB

Download
memory/3972-322-0x00000000008A0000-0x0000000000D87000-memory.dmp

Filesize
4.9MB

Download
memory/3972-341-0x00000000008A0000-0x0000000000D87000-memory.dmp

Filesize
4.9MB

Download
memory/3972-330-0x00000000008A0000-0x0000000000D87000-memory.dmp

Filesize
4.9MB

Download
memory/3972-236-0x00000000008A0000-0x0000000000D87000-memory.dmp

Filesize
4.9MB

Download
memory/3972-347-0x00000000008A0000-0x0000000000D87000-memory.dmp

Filesize
4.9MB

Download
memory/3972-12-0x00000000008A0000-0x0000000000D87000-memory.dmp

Filesize
4.9MB

Download
memory/3972-351-0x00000000008A0000-0x0000000000D87000-memory.dmp

Filesize
4.9MB

Download
memory/3972-240-0x00000000008A0000-0x0000000000D87000-memory.dmp

Filesize
4.9MB

Download
memory/3972-355-0x00000000008A0000-0x0000000000D87000-memory.dmp

Filesize
4.9MB

Download
memory/3972-281-0x00000000008A0000-0x0000000000D87000-memory.dmp

Filesize
4.9MB

Download