cryptbot | 23ae7c16bd46eb8cb7a8c34e6d903c0bb613628245a9471db6f31fd27b12e06d

General

Target

6f6df17ecbcbdce8c857e85a368801a9.exe
Size

383KB
MD5

6f6df17ecbcbdce8c857e85a368801a9
SHA1

03491534e6c3fc9627899be5f9d7b053da57dfab
SHA256

23ae7c16bd46eb8cb7a8c34e6d903c0bb613628245a9471db6f31fd27b12e06d
SHA512

57efc2bbaf4ff80022bd7bae17371ff894c6f73482e9c7d2f6c25b548a922f225396bce441348c06a8723e9922cb99e1628e7c5b98de22f8e50446af548403de

Score

10^/10

cryptbot spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

sezdne62.top

morgwa06.top

Attributes

payload_url
http://ekuwac17.top/download.php?file=boulle.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1096 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1096	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6f6df17ecbcbdce8c857e85a368801a9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6f6df17ecbcbdce8c857e85a368801a9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6f6df17ecbcbdce8c857e85a368801a9.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

584 timeout.exe

pid	process
584	timeout.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6f6df17ecbcbdce8c857e85a368801a9.execmd.exe

description	pid	process	target process
PID 1796 wrote to memory of 1096	1796	6f6df17ecbcbdce8c857e85a368801a9.exe	cmd.exe
PID 1796 wrote to memory of 1096	1796	6f6df17ecbcbdce8c857e85a368801a9.exe	cmd.exe
PID 1796 wrote to memory of 1096	1796	6f6df17ecbcbdce8c857e85a368801a9.exe	cmd.exe
PID 1796 wrote to memory of 1096	1796	6f6df17ecbcbdce8c857e85a368801a9.exe	cmd.exe
PID 1096 wrote to memory of 584	1096	cmd.exe	timeout.exe
PID 1096 wrote to memory of 584	1096	cmd.exe	timeout.exe
PID 1096 wrote to memory of 584	1096	cmd.exe	timeout.exe
PID 1096 wrote to memory of 584	1096	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\6f6df17ecbcbdce8c857e85a368801a9.exe
"C:\Users\Admin\AppData\Local\Temp\6f6df17ecbcbdce8c857e85a368801a9.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\ErbOqyJKV & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6f6df17ecbcbdce8c857e85a368801a9.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\SysWOW64\timeout.exe
    timeout 4
    3⤵
    - Delays execution with timeout.exe
    PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-59-0x0000000000000000-mapping.dmp

Download
memory/1096-58-0x0000000000000000-mapping.dmp

Download
memory/1796-54-0x000000000024B000-0x0000000000271000-memory.dmp

Filesize
152KB

Download
memory/1796-55-0x0000000076491000-0x0000000076493000-memory.dmp

Filesize
8KB

Download
memory/1796-57-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/1796-56-0x00000000003A0000-0x00000000003E5000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing