cryptbot | ee46c43dc96f6ca79d60357ce58ada21c9c62fbd39c4f19ee114a1bf4743f4a6

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7-en-20211014
submitted
04-12-2021 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60ed47faa0142cb826153d4aa93b51c2.exe
Size

250KB
MD5

60ed47faa0142cb826153d4aa93b51c2
SHA1

09d870a6424b76a9f5fc73646ca51b3992f410d9
SHA256

ee46c43dc96f6ca79d60357ce58ada21c9c62fbd39c4f19ee114a1bf4743f4a6
SHA512

6d54a85df350c0c47c01cec7f0370bbd0e1c7dfa31d0879fc2f33640efbd3a897c62f7c0f92ebef76d5b6c2c6e5fcb262192f0ae9a7350362cc08b9551590fae

Score

10^/10

cryptbot smokeloader backdoor spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

https://cinems.club/search.php

https://clothes.surf/search.php

rc4.i32

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

B49F.exeSmartClock.exeD4C2.exeFF5B.exeD31.exe

pid process

300 B49F.exe
1160 SmartClock.exe
1752 D4C2.exe
1964 FF5B.exe
1532 D31.exe
Deletes itself 1 IoCs

Processes:

pid process

1212
Drops startup file 1 IoCs

Processes:

B49F.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk B49F.exe
Loads dropped DLL 3 IoCs

Processes:

B49F.exe

pid process

300 B49F.exe
300 B49F.exe
300 B49F.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
300	B49F.exe
1160	SmartClock.exe
1752	D4C2.exe
1964	FF5B.exe
1532	D31.exe

pid	process
1212

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	B49F.exe

pid	process
300	B49F.exe
300	B49F.exe
300	B49F.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

D4C2.exe60ed47faa0142cb826153d4aa93b51c2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D4C2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D4C2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D4C2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	60ed47faa0142cb826153d4aa93b51c2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	60ed47faa0142cb826153d4aa93b51c2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	60ed47faa0142cb826153d4aa93b51c2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FF5B.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FF5B.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FF5B.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

756 timeout.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1160 SmartClock.exe

pid	process
756	timeout.exe

pid	process
1160	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

60ed47faa0142cb826153d4aa93b51c2.exe

pid	process
1700	60ed47faa0142cb826153d4aa93b51c2.exe
1700	60ed47faa0142cb826153d4aa93b51c2.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1212
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

60ed47faa0142cb826153d4aa93b51c2.exeD4C2.exe

pid process

1700 60ed47faa0142cb826153d4aa93b51c2.exe
1752 D4C2.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1212
1212
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1212
1212
1212
1212

pid	process
1212

pid	process
1212
1212

pid	process
1212
1212
1212
1212

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

B49F.exeFF5B.execmd.exe

description	pid	process	target process
PID 1212 wrote to memory of 300	1212		B49F.exe
PID 1212 wrote to memory of 300	1212		B49F.exe
PID 1212 wrote to memory of 300	1212		B49F.exe
PID 1212 wrote to memory of 300	1212		B49F.exe
PID 300 wrote to memory of 1160	300	B49F.exe	SmartClock.exe
PID 300 wrote to memory of 1160	300	B49F.exe	SmartClock.exe
PID 300 wrote to memory of 1160	300	B49F.exe	SmartClock.exe
PID 300 wrote to memory of 1160	300	B49F.exe	SmartClock.exe
PID 1212 wrote to memory of 1752	1212		D4C2.exe
PID 1212 wrote to memory of 1752	1212		D4C2.exe
PID 1212 wrote to memory of 1752	1212		D4C2.exe
PID 1212 wrote to memory of 1752	1212		D4C2.exe
PID 1212 wrote to memory of 1964	1212		FF5B.exe
PID 1212 wrote to memory of 1964	1212		FF5B.exe
PID 1212 wrote to memory of 1964	1212		FF5B.exe
PID 1212 wrote to memory of 1964	1212		FF5B.exe
PID 1964 wrote to memory of 1824	1964	FF5B.exe	cmd.exe
PID 1964 wrote to memory of 1824	1964	FF5B.exe	cmd.exe
PID 1964 wrote to memory of 1824	1964	FF5B.exe	cmd.exe
PID 1964 wrote to memory of 1824	1964	FF5B.exe	cmd.exe
PID 1824 wrote to memory of 756	1824	cmd.exe	timeout.exe
PID 1824 wrote to memory of 756	1824	cmd.exe	timeout.exe
PID 1824 wrote to memory of 756	1824	cmd.exe	timeout.exe
PID 1824 wrote to memory of 756	1824	cmd.exe	timeout.exe
PID 1212 wrote to memory of 1532	1212		D31.exe
PID 1212 wrote to memory of 1532	1212		D31.exe
PID 1212 wrote to memory of 1532	1212		D31.exe
PID 1212 wrote to memory of 1532	1212		D31.exe

C:\Users\Admin\AppData\Local\Temp\60ed47faa0142cb826153d4aa93b51c2.exe
"C:\Users\Admin\AppData\Local\Temp\60ed47faa0142cb826153d4aa93b51c2.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1700

C:\Users\Admin\AppData\Local\Temp\B49F.exe
C:\Users\Admin\AppData\Local\Temp\B49F.exe
1⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:300

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1160

C:\Users\Admin\AppData\Local\Temp\D4C2.exe
C:\Users\Admin\AppData\Local\Temp\D4C2.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1752

C:\Users\Admin\AppData\Local\Temp\FF5B.exe
C:\Users\Admin\AppData\Local\Temp\FF5B.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\HtgZPjmZQOacH & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\FF5B.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:756

C:\Users\Admin\AppData\Local\Temp\D31.exe
C:\Users\Admin\AppData\Local\Temp\D31.exe
1⤵
- Executes dropped EXE
PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B49F.exe

MD5
e45e15c80a54e05d88e5c555178f0461

SHA1
01b27962875e11ca3e600ea68e7495cdb9e3fe36

SHA256
fd1fade390bacd40ae88aed2ee73318b5255bb91965cf38cddf30f4ad5527f08

SHA512
c5f0d87628cbf20cd27f733a695fd5c9511a0db53d93f5645a4b4aafbd9707f0c628302c3b38c63d282696c606618b43948fdb06d19a3252578ea3431b9fa43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B49F.exe

MD5
e45e15c80a54e05d88e5c555178f0461

SHA1
01b27962875e11ca3e600ea68e7495cdb9e3fe36

SHA256
fd1fade390bacd40ae88aed2ee73318b5255bb91965cf38cddf30f4ad5527f08

SHA512
c5f0d87628cbf20cd27f733a695fd5c9511a0db53d93f5645a4b4aafbd9707f0c628302c3b38c63d282696c606618b43948fdb06d19a3252578ea3431b9fa43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D31.exe

MD5
bc4e55222b718499920010f80faa84e6

SHA1
4dde55a4a17c80e42e0f2bba58675356015d5478

SHA256
28b87449c891c7f696fc4b86aabfb0ef119637d5267166fbac11fb369194442f

SHA512
092d7d855a0e8a5454f5492ab2bc73271b76363adb2bb1243c35f3e4bcc02ecf20a34e9cde0ff05a7cd229871775a67b0807b00bbbda34ab056aa28c152cc5a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4C2.exe

MD5
8fd50e1d95e3779ad63eefc31c7ffd35

SHA1
b506a007b8d1bb7038c9b0642e6168c184d65632

SHA256
df15faa5e1f77279eb03a5836ce74f4029f889a4f16a2bec111dbd9642ce83f1

SHA512
8715c2bfe62276d13d2923c3e60d34098870e675d61cd7a99dc6fa7d579ed2b2124b395530ac23cb30a579e30510ce0ec013c6d85b69da0a0aa40638a689d8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF5B.exe

MD5
c3293b9582ddb4c4534c2d023eebbcc8

SHA1
dd6faee55a4b4156616f997282a568ca28e9635a

SHA256
cd92d6d4a9b26ed25d5bbf7d627bdd72dda168b1527957a3f87a534ba00af1bf

SHA512
e95fbefaadf9a96cb03a40024ea8f40cdb4e301fedffaa568f5c5521a9425049127e0fc28938020e45a44dfe67db1a14705a39df456731528c6eb70ae73bcd1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

MD5
2bf1d90dba78c5f0e256229916a1f883

SHA1
72e06a392cad6e056b79b7b3c263ea1d9a8f34be

SHA256
48e05bb63cc2aeee060879961e5d7990298a54b9a8980bceb0a81fea7aab872f

SHA512
91ae258e30e6bf4723ec7299650fcdfd201e208f7f890c69419a6967dd96e243878f50559d96c1b3a82e6780c2b860f1eaaea24f12c8e2724b967e4464a086bc

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
e45e15c80a54e05d88e5c555178f0461

SHA1
01b27962875e11ca3e600ea68e7495cdb9e3fe36

SHA256
fd1fade390bacd40ae88aed2ee73318b5255bb91965cf38cddf30f4ad5527f08

SHA512
c5f0d87628cbf20cd27f733a695fd5c9511a0db53d93f5645a4b4aafbd9707f0c628302c3b38c63d282696c606618b43948fdb06d19a3252578ea3431b9fa43f

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
e45e15c80a54e05d88e5c555178f0461

SHA1
01b27962875e11ca3e600ea68e7495cdb9e3fe36

SHA256
fd1fade390bacd40ae88aed2ee73318b5255bb91965cf38cddf30f4ad5527f08

SHA512
c5f0d87628cbf20cd27f733a695fd5c9511a0db53d93f5645a4b4aafbd9707f0c628302c3b38c63d282696c606618b43948fdb06d19a3252578ea3431b9fa43f

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
e45e15c80a54e05d88e5c555178f0461

SHA1
01b27962875e11ca3e600ea68e7495cdb9e3fe36

SHA256
fd1fade390bacd40ae88aed2ee73318b5255bb91965cf38cddf30f4ad5527f08

SHA512
c5f0d87628cbf20cd27f733a695fd5c9511a0db53d93f5645a4b4aafbd9707f0c628302c3b38c63d282696c606618b43948fdb06d19a3252578ea3431b9fa43f

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5
e45e15c80a54e05d88e5c555178f0461

SHA1
01b27962875e11ca3e600ea68e7495cdb9e3fe36

SHA256
fd1fade390bacd40ae88aed2ee73318b5255bb91965cf38cddf30f4ad5527f08

SHA512
c5f0d87628cbf20cd27f733a695fd5c9511a0db53d93f5645a4b4aafbd9707f0c628302c3b38c63d282696c606618b43948fdb06d19a3252578ea3431b9fa43f

Download Submit
memory/300-66-0x00000000004C0000-0x0000000000551000-memory.dmp

Filesize
580KB

Download
memory/300-67-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/300-62-0x000000000061B000-0x000000000069B000-memory.dmp

Filesize
512KB

Download
memory/300-60-0x0000000000000000-mapping.dmp

Download
memory/756-90-0x0000000000000000-mapping.dmp

Download
memory/1160-70-0x0000000000000000-mapping.dmp

Download
memory/1160-73-0x00000000006AB000-0x000000000072B000-memory.dmp

Filesize
512KB

Download
memory/1160-75-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1212-59-0x0000000002B00000-0x0000000002B16000-memory.dmp

Filesize
88KB

Download
memory/1212-82-0x0000000003CB0000-0x0000000003CC6000-memory.dmp

Filesize
88KB

Download
memory/1532-91-0x0000000000000000-mapping.dmp

Download
memory/1700-58-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1700-57-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1700-55-0x000000000061B000-0x0000000000624000-memory.dmp

Filesize
36KB

Download
memory/1700-56-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1752-81-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1752-80-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1752-78-0x00000000005BB000-0x00000000005C4000-memory.dmp

Filesize
36KB

Download
memory/1752-76-0x0000000000000000-mapping.dmp

Download
memory/1824-89-0x0000000000000000-mapping.dmp

Download
memory/1964-83-0x0000000000000000-mapping.dmp

Download
memory/1964-85-0x00000000002EB000-0x0000000000311000-memory.dmp

Filesize
152KB

Download
memory/1964-87-0x00000000001B0000-0x00000000001F7000-memory.dmp

Filesize
284KB

Download
memory/1964-88-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download