cryptbot | 5794e9722cdb1ec697ee0ae9fe5464fb9e85ba3157485d6ecb9cea44455cf37a

Analysis

max time kernel
123s
max time network
147s
platform
windows10_x64
resource
win10-en-20211208
submitted
22-12-2021 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6067855ac984e670b392dd61df3d362.exe
Size

2.6MB
MD5

d6067855ac984e670b392dd61df3d362
SHA1

9320204b0d517cc239a948514982540e6652bbff
SHA256

5794e9722cdb1ec697ee0ae9fe5464fb9e85ba3157485d6ecb9cea44455cf37a
SHA512

583db7379dd2f7730a2efcf25a118170f59edf6e332f9b946b63df6323317b4d6ff155f9fa4c64041efdc7880fd70714c14b053f2d6ceb330b8ded35e55a8ce9

Score

10^/10

cryptbot discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

cryptbot

⥦븁

daispg32.top

morsvo03.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d6067855ac984e670b392dd61df3d362.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d6067855ac984e670b392dd61df3d362.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d6067855ac984e670b392dd61df3d362.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2756-115-0x00000000002B0000-0x0000000000990000-memory.dmp	themida
behavioral2/memory/2756-116-0x00000000002B0000-0x0000000000990000-memory.dmp	themida
behavioral2/memory/2756-117-0x00000000002B0000-0x0000000000990000-memory.dmp	themida
behavioral2/memory/2756-118-0x00000000002B0000-0x0000000000990000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

d6067855ac984e670b392dd61df3d362.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d6067855ac984e670b392dd61df3d362.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

d6067855ac984e670b392dd61df3d362.exe

pid process

2756 d6067855ac984e670b392dd61df3d362.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2756	d6067855ac984e670b392dd61df3d362.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d6067855ac984e670b392dd61df3d362.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	d6067855ac984e670b392dd61df3d362.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d6067855ac984e670b392dd61df3d362.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1164 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d6067855ac984e670b392dd61df3d362.exe

pid process

2756 d6067855ac984e670b392dd61df3d362.exe
2756 d6067855ac984e670b392dd61df3d362.exe

pid	process
1164	timeout.exe

pid	process
2756	d6067855ac984e670b392dd61df3d362.exe
2756	d6067855ac984e670b392dd61df3d362.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d6067855ac984e670b392dd61df3d362.execmd.exe

description	pid	process	target process
PID 2756 wrote to memory of 3792	2756	d6067855ac984e670b392dd61df3d362.exe	cmd.exe
PID 2756 wrote to memory of 3792	2756	d6067855ac984e670b392dd61df3d362.exe	cmd.exe
PID 2756 wrote to memory of 3792	2756	d6067855ac984e670b392dd61df3d362.exe	cmd.exe
PID 3792 wrote to memory of 1164	3792	cmd.exe	timeout.exe
PID 3792 wrote to memory of 1164	3792	cmd.exe	timeout.exe
PID 3792 wrote to memory of 1164	3792	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\d6067855ac984e670b392dd61df3d362.exe
"C:\Users\Admin\AppData\Local\Temp\d6067855ac984e670b392dd61df3d362.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\xAQAlKIm & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\d6067855ac984e670b392dd61df3d362.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\FIXJCX~1.ZIP
MD5
88344a8c176b2d585508d518ebc6431f

SHA1
28508ec3a2226d92bd2ae82e08253e5c50183d98

SHA256
d405ec92c22d1948264b3d1b01ba21f3fb9229eadc4b91b6808e7c70b1fc8c2a

SHA512
931a5b68744ec555a31a954b917544a3b4db9e0b9a550d5ee6f3730240c153a7fa020faaa3f82d1b191f3865f6c0096f99908fc795dff8003fbe8d182246ac01

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\PNVMSK~1.ZIP
MD5
b2a0570ec65512fad666cff1618e6787

SHA1
4d711376bd95f1b786957ea93e810498a740b8e0

SHA256
64b56d9a70dad10939294b668d88cb1f89f5944a0db15a6b1d2f3ab49851c457

SHA512
92f69fb9124444ddf6751e12137f4ea36c475da0773793932c86283c4442cac16fe21be5b70fdfc2ea48b4de2b6f479cdce4ac59a1783ce6716a9b3a8371e5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\_Files\_Chrome\DEFAUL~1.BIN
MD5
f4b8e6e7ca32ed5ab1653cc327475cc0

SHA1
e7c30740b8cc28534d398ff4036e0cc6649619ce

SHA256
34abcff7dd7e3157dc78b58d9fc7ce57be556a550bcc6a2b2257c9b08107cbe2

SHA512
edc72a374b28b984d8d3ced5a27ddb1a91e843ab873f7b700eecea87c0dfea961359f7931ea127ee2b8edc2602968795c6b9f121622dffca23241736c44d8ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\_Files\_Chrome\DEFAUL~1.DB
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\_Files\_Chrome\DEFAUL~2.DB
MD5
055c8c5c47424f3c2e7a6fc2ee904032

SHA1
5952781d22cff35d94861fac25d89a39af6d0a87

SHA256
531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

SHA512
c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\_Files\_Chrome\DEFAUL~3.DB
MD5
8ee018331e95a610680a789192a9d362

SHA1
e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

SHA256
94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

SHA512
4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\_Files\_INFOR~1.TXT
MD5
e8a57e3d24e304f479b31c224c294ac8

SHA1
654ee850eabd613e1e070aa62357d3ea815367a4

SHA256
c049f603fc8d2fa280b8aa3b8328932e377b4c9fd2757afcd32dd386d2903897

SHA512
19de974974bdd89023340ac6782a79a81bb1ee6eb1787704b620ba236f7afe111e99d4f65b10206c85056b439f95136d273302847036e40073b08777f9242750

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\_Files\_SCREE~1.JPE
MD5
6aa3278852e3f069f371a4f497eecc1a

SHA1
b75fae664cf7b966a1e7b0b4df1c835fcd828463

SHA256
1814a2a5865d3a3243c08b1092de3ee47c24436bb74dffb2aab9595131457f0c

SHA512
bf385c0b36ec7490277243701c0e6fcfbcc8a43ddc8f73279d4b1ee4ae10e516af996b4c4ac802600d8287e699482f99c9c99ae1be642a82104f096c9c5d445c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\files_\SCREEN~1.JPG
MD5
6aa3278852e3f069f371a4f497eecc1a

SHA1
b75fae664cf7b966a1e7b0b4df1c835fcd828463

SHA256
1814a2a5865d3a3243c08b1092de3ee47c24436bb74dffb2aab9595131457f0c

SHA512
bf385c0b36ec7490277243701c0e6fcfbcc8a43ddc8f73279d4b1ee4ae10e516af996b4c4ac802600d8287e699482f99c9c99ae1be642a82104f096c9c5d445c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\files_\SYSTEM~1.TXT
MD5
e8a57e3d24e304f479b31c224c294ac8

SHA1
654ee850eabd613e1e070aa62357d3ea815367a4

SHA256
c049f603fc8d2fa280b8aa3b8328932e377b4c9fd2757afcd32dd386d2903897

SHA512
19de974974bdd89023340ac6782a79a81bb1ee6eb1787704b620ba236f7afe111e99d4f65b10206c85056b439f95136d273302847036e40073b08777f9242750

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\files_\_Chrome\DEFAUL~1.BIN
MD5
f4b8e6e7ca32ed5ab1653cc327475cc0

SHA1
e7c30740b8cc28534d398ff4036e0cc6649619ce

SHA256
34abcff7dd7e3157dc78b58d9fc7ce57be556a550bcc6a2b2257c9b08107cbe2

SHA512
edc72a374b28b984d8d3ced5a27ddb1a91e843ab873f7b700eecea87c0dfea961359f7931ea127ee2b8edc2602968795c6b9f121622dffca23241736c44d8ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\files_\_Chrome\DEFAUL~1.DB
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\files_\_Chrome\DEFAUL~2.DB
MD5
055c8c5c47424f3c2e7a6fc2ee904032

SHA1
5952781d22cff35d94861fac25d89a39af6d0a87

SHA256
531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

SHA512
c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\files_\_Chrome\DEFAUL~3.DB
MD5
8ee018331e95a610680a789192a9d362

SHA1
e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

SHA256
94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

SHA512
4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

Download Submit
memory/1164-135-0x0000000000000000-mapping.dmp

Download
memory/2756-115-0x00000000002B0000-0x0000000000990000-memory.dmp

Filesize
6.9MB

Download
memory/2756-119-0x0000000077140000-0x00000000772CE000-memory.dmp

Filesize
1.6MB

Download
memory/2756-118-0x00000000002B0000-0x0000000000990000-memory.dmp

Filesize
6.9MB

Download
memory/2756-117-0x00000000002B0000-0x0000000000990000-memory.dmp

Filesize
6.9MB

Download
memory/2756-116-0x00000000002B0000-0x0000000000990000-memory.dmp

Filesize
6.9MB

Download
memory/3792-120-0x0000000000000000-mapping.dmp

Download