cryptbot | 43607d4de290ff5e25187bf75d511cc6aaab51727c9a8aedbe59fa7b16393da1

Analysis

max time kernel
121s
max time network
313s
platform
windows10_x64
resource
win10-en-20210920
submitted
22-10-2021 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

428KB
MD5

f05d925a72dc47eef4bdf4c48ce12217
SHA1

1c6a724e4c517ee84aa7c62d0cc60013396a4b5b
SHA256

43607d4de290ff5e25187bf75d511cc6aaab51727c9a8aedbe59fa7b16393da1
SHA512

dfa4661a779508e15907266cf298a093cf7961309637c2ca17b599a5c515ce7e8ae177d1439f390d242dcb85fd5ac99d2f244e881da5666c80e44e62efca817b

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

veogmc52.top

mornoi05.top

Attributes

payload_url
http://tynwyl15.top/download.php?file=penwa.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Downloads MZ/PE file
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exeFile.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	File.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	File.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4308 timeout.exe
752 timeout.exe

pid	process
4308	timeout.exe
752	timeout.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

file.execmd.exeFile.execmd.exe

description	pid	process	target process
PID 3576 wrote to memory of 760	3576	file.exe	File.exe
PID 3576 wrote to memory of 760	3576	file.exe	File.exe
PID 3576 wrote to memory of 760	3576	file.exe	File.exe
PID 3576 wrote to memory of 2292	3576	file.exe	cmd.exe
PID 3576 wrote to memory of 2292	3576	file.exe	cmd.exe
PID 3576 wrote to memory of 2292	3576	file.exe	cmd.exe
PID 2292 wrote to memory of 4308	2292	cmd.exe	timeout.exe
PID 2292 wrote to memory of 4308	2292	cmd.exe	timeout.exe
PID 2292 wrote to memory of 4308	2292	cmd.exe	timeout.exe
PID 760 wrote to memory of 508	760	File.exe	cmd.exe
PID 760 wrote to memory of 508	760	File.exe	cmd.exe
PID 760 wrote to memory of 508	760	File.exe	cmd.exe
PID 508 wrote to memory of 752	508	cmd.exe	timeout.exe
PID 508 wrote to memory of 752	508	cmd.exe	timeout.exe
PID 508 wrote to memory of 752	508	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3576

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\ZdOAdSyv & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\File.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\SysWOW64\timeout.exe
timeout 4
4⤵
- Delays execution with timeout.exe
PID:752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\nbvGJQIprY & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:4308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nbvGJQIprY\PNXQLW~1.ZIP
MD5
12dd02ed5d788f3385bba1ab2a1306ac

SHA1
f6a136b159a66f31c192d6e0cd05fbfc313916c2

SHA256
48714787276dfa532f34cfbcf3689ce5a01e191037945eb4bfafedac5bc792f6

SHA512
50485aa10f86c6d6667e0c56221df6ad32af4df5a1130e4f7933dcb7fa01b5214122d5bceff9eedd514e527c8ff1e39c1eb7cdbbaf15e12081bdecd2eb3bd7db

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbvGJQIprY\TOKXDK~1.ZIP
MD5
b50b0f2bc9c9e32f0cd1f8d67c0e58cf

SHA1
abe6d6eaf3f9dca94280f4740fe8bd0152d54e25

SHA256
4e34dd17494fe8069acf6201f8195d08842a9765aa2062944c7b67ec5da6b045

SHA512
ea7d77bb2fcc0c8859fc965a8f246cd918a2ad809fcb95bef29469ccc4ddb28a9fc79042dc3783ddb694e3b806a9906ff3e9f0a6524b770fd059ae21398ffa73

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbvGJQIprY\_Files\_Chrome\DEFAUL~1.BIN
MD5
dc2f254b5562f0d42df820a0c3d577f9

SHA1
16109f6ddd0ce94200daed7323617f43b604f42a

SHA256
19afe2b33cc988fb44548cc87f1b467d37a20e74f53b4d71c7c4050c2527f178

SHA512
ac0ab6311eefc114412ccfbb4895e19aae0a129171ae7ffeb85a37c5a99a6b89ce795b58681162fc48931306f67c0b1004049665d0171a2c1e6a0ceaca1023d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbvGJQIprY\_Files\_Chrome\DEFAUL~1.DB
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbvGJQIprY\_Files\_Chrome\DEFAUL~2.DB
MD5
055c8c5c47424f3c2e7a6fc2ee904032

SHA1
5952781d22cff35d94861fac25d89a39af6d0a87

SHA256
531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

SHA512
c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbvGJQIprY\_Files\_Chrome\DEFAUL~3.DB
MD5
8ee018331e95a610680a789192a9d362

SHA1
e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

SHA256
94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

SHA512
4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbvGJQIprY\_Files\_INFOR~1.TXT
MD5
e03e994dc75760e75e5d2f065cc0705a

SHA1
10ba6f4fa9d418d22bc6384bfa7a77edb73bf245

SHA256
81f426dbeb95d946407b207ce3e77408b77b62d11e85f273d935463d278e67d4

SHA512
75459553a8bc9388fa377ec96ea5255a47a797d1724f44902ec22256b5a7b77261bc150d3dba862bb52980071098c2b92b169b9844116488d2bfaeb938d1a5ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbvGJQIprY\_Files\_SCREE~1.JPE
MD5
010b06b1a526d375ae4cecee9819dc7e

SHA1
ef635f8ad9105488849fe3434e9f3f23f7292fe4

SHA256
635b7beeb646163ae7a5385e179d8ee80c032a6b49f36f8fbfe684a51346e9c8

SHA512
ecf97e03fa0fe417b6a5f185ec7e9c0a946aee03517367d47ca3b324f180f15fcba812f9df2f6de3f2a490d2e2f634e030c85acaf600efd3b17e56421bb5bc80

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbvGJQIprY\files_\SCREEN~1.JPG
MD5
010b06b1a526d375ae4cecee9819dc7e

SHA1
ef635f8ad9105488849fe3434e9f3f23f7292fe4

SHA256
635b7beeb646163ae7a5385e179d8ee80c032a6b49f36f8fbfe684a51346e9c8

SHA512
ecf97e03fa0fe417b6a5f185ec7e9c0a946aee03517367d47ca3b324f180f15fcba812f9df2f6de3f2a490d2e2f634e030c85acaf600efd3b17e56421bb5bc80

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbvGJQIprY\files_\SYSTEM~1.TXT
MD5
e03e994dc75760e75e5d2f065cc0705a

SHA1
10ba6f4fa9d418d22bc6384bfa7a77edb73bf245

SHA256
81f426dbeb95d946407b207ce3e77408b77b62d11e85f273d935463d278e67d4

SHA512
75459553a8bc9388fa377ec96ea5255a47a797d1724f44902ec22256b5a7b77261bc150d3dba862bb52980071098c2b92b169b9844116488d2bfaeb938d1a5ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbvGJQIprY\files_\_Chrome\DEFAUL~1.BIN
MD5
dc2f254b5562f0d42df820a0c3d577f9

SHA1
16109f6ddd0ce94200daed7323617f43b604f42a

SHA256
19afe2b33cc988fb44548cc87f1b467d37a20e74f53b4d71c7c4050c2527f178

SHA512
ac0ab6311eefc114412ccfbb4895e19aae0a129171ae7ffeb85a37c5a99a6b89ce795b58681162fc48931306f67c0b1004049665d0171a2c1e6a0ceaca1023d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbvGJQIprY\files_\_Chrome\DEFAUL~1.DB
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbvGJQIprY\files_\_Chrome\DEFAUL~2.DB
MD5
055c8c5c47424f3c2e7a6fc2ee904032

SHA1
5952781d22cff35d94861fac25d89a39af6d0a87

SHA256
531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

SHA512
c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbvGJQIprY\files_\_Chrome\DEFAUL~3.DB
MD5
8ee018331e95a610680a789192a9d362

SHA1
e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

SHA256
94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

SHA512
4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

Download Submit
memory/508-137-0x0000000000000000-mapping.dmp

Download
memory/752-138-0x0000000000000000-mapping.dmp

Download
memory/760-118-0x0000000000000000-mapping.dmp

Download
memory/760-121-0x0000000000C68000-0x0000000000C8D000-memory.dmp

Filesize
148KB

Download
memory/760-136-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/2292-119-0x0000000000000000-mapping.dmp

Download
memory/3576-117-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/3576-116-0x00000000009F0000-0x0000000000A35000-memory.dmp

Filesize
276KB

Download
memory/3576-115-0x0000000000A56000-0x0000000000A7B000-memory.dmp

Filesize
148KB

Download
memory/4308-135-0x0000000000000000-mapping.dmp

Download