cryptbot | 8f01777956479851c4c5dd06845ba0d4561b2a085472460447d10b46d4b89487

Analysis

max time kernel
118s
max time network
117s
platform
windows7_x64
resource
win7v20201028
submitted
16-01-2021 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vruns.exe
Size

2.1MB
MD5

1490ea3019282b9fd5825bfd6f73b1cf
SHA1

fa2c9a028db4dd83fa80fef8c90ca2bf34dc881d
SHA256

8f01777956479851c4c5dd06845ba0d4561b2a085472460447d10b46d4b89487
SHA512

bdf82235c3a3b94360c4e2507c6adb07d1731fff16b9d9038f9faed34ee55d60b70d9ca24a2f2baba7fcd4c95716d52590ed62a7802c068a8ae35d5213dfaced

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vruns.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vruns.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vruns.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

696 cmd.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

vruns.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine vruns.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

vruns.exe

pid process

2024 vruns.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
696	cmd.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Wine	vruns.exe

flow	ioc
5	ip-api.com

pid	process
2024	vruns.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vruns.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vruns.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vruns.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1900 timeout.exe

pid	process
1900	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

vruns.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	vruns.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	vruns.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vruns.exe

pid process

2024 vruns.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vruns.exe

pid process

2024 vruns.exe

pid	process
2024	vruns.exe

pid	process
2024	vruns.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

vruns.execmd.exe

description	pid	process	target process
PID 2024 wrote to memory of 696	2024	vruns.exe	cmd.exe
PID 2024 wrote to memory of 696	2024	vruns.exe	cmd.exe
PID 2024 wrote to memory of 696	2024	vruns.exe	cmd.exe
PID 2024 wrote to memory of 696	2024	vruns.exe	cmd.exe
PID 696 wrote to memory of 1900	696	cmd.exe	timeout.exe
PID 696 wrote to memory of 1900	696	cmd.exe	timeout.exe
PID 696 wrote to memory of 1900	696	cmd.exe	timeout.exe
PID 696 wrote to memory of 1900	696	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\vruns.exe
"C:\Users\Admin\AppData\Local\Temp\vruns.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\wmngbaJERnmuU & timeout 1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\vruns.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wmngbaJERnmuU\172773~1.TXT
MD5
681e86c44d5f65b11eab4613008ac6fb

SHA1
8b404015c1281d4cf9fc5ad48bbbd6db16ccff4c

SHA256
4513bce79a3e5dd52833962e18e28021052ce284504bc201cc7efaf627342d4d

SHA512
fdfd791d3fc4150c4ed12792cabac523bfd6d1ab6483138a60fb20f8ecd87d553c37162f4f644ca3860fabc61bbaaeea4dafec0da4367175fe015c979e5d9ba0

Download Submit
C:\ProgramData\wmngbaJERnmuU\Files\Browsers\Cookies\MOZILL~1.TXT
MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\ProgramData\wmngbaJERnmuU\Files\Browsers\_FILEC~1.TXT
MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\ProgramData\wmngbaJERnmuU\Files\Browsers\_FILEF~1.TXT
MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\ProgramData\wmngbaJERnmuU\Files\Browsers\_FILEP~1.TXT
MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\ProgramData\wmngbaJERnmuU\Files\_FILEP~1.TXT
MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\ProgramData\wmngbaJERnmuU\Files\_Info.txt
MD5
b2ac0b0799e97226f48c5a223921d8d8

SHA1
a550a172524e4ade7f9dd9d3d89a51488e288c42

SHA256
0a94b3f63e4af703695abc305bc1c3b7034bf5fd98db8b38664e546c847a934b

SHA512
5f97c5f462b2cb7858a8b8c7958bfd898dc2734d8e50671299247388d15cdaf6d293622b115eb807ba0a70221c44ff80a54fd23a94731eb0b5481001d6121bd1

Download Submit
C:\ProgramData\wmngbaJERnmuU\Files\_Screen.jpg
MD5
eaa51de6e1f105ac461d585b25a52e22

SHA1
7b2d42e812400c65dc69cd2aa8b939c4e0ece2dd

SHA256
a54e2d71848e932cd175b971ec079871fe645da081731bec97bdee0adc512804

SHA512
7dd85fd1e0cd56285b0708a0714c50ab2e7865fcc7b93030aa38fbfa861685c0956c1d2303708b9f83537050d61bbcd92061110245e0c6be8e8254d38d4ff505

Download Submit
C:\ProgramData\wmngbaJERnmuU\JMEXLD~1.ZIP
MD5
6beb84e5b3d761029550b45287f81792

SHA1
39f3f5b99a6349f3ca23a7eea2fe1368a0e39d0c

SHA256
35b65cf8715930d000a34ac51bd2d1dd2cb305d4c69651ac5925cac685ed32b5

SHA512
1a557768b9e46d7b2c7c92a5f31e83345b9f3d32765df3c76dc1af0a520509455bfdedca6c5a91310310dac63206066e57961e1e240f9afa4ad60068ef9a7a6a

Download Submit
C:\ProgramData\wmngbaJERnmuU\mocc.db
MD5
89d4b62651fa5c864b12f3ea6b1521cb

SHA1
570d48367b6b66ade9900a9f22d67d67a8fb2081

SHA256
22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70

SHA512
e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff

Download Submit
memory/696-5-0x0000000000000000-mapping.dmp

Download
memory/1900-19-0x0000000000000000-mapping.dmp

Download
memory/2008-4-0x000007FEF63F0000-0x000007FEF666A000-memory.dmp

Filesize
2.5MB

Download
memory/2024-2-0x0000000004230000-0x0000000004241000-memory.dmp

Filesize
68KB

Download
memory/2024-3-0x0000000004640000-0x0000000004651000-memory.dmp

Filesize
68KB

Download