cryptbot | f90eb82d70118fb18f44f8ecb33682baf047ef857210c57a7016b8794e2a94cd

General

Target

59181336c7ed4b4152b83793f7ea9eae.exe
Size

735KB
MD5

59181336c7ed4b4152b83793f7ea9eae
SHA1

5d91e0530c6ca8fbb7a35bed48c9865a599d1838
SHA256

f90eb82d70118fb18f44f8ecb33682baf047ef857210c57a7016b8794e2a94cd
SHA512

a8c32e5d520698b8519310393501ed9bceb4ecb5cd4bec8d0aa2743cc425cbcb52d62730d46906c4c79294a9b4ef5ec64872fd95fdb24f5eb313f89ce0bac585

Score

10^/10

cryptbot spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

bridmz52.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1444 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1444	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

59181336c7ed4b4152b83793f7ea9eae.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	59181336c7ed4b4152b83793f7ea9eae.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	59181336c7ed4b4152b83793f7ea9eae.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2008 timeout.exe

pid	process
2008	timeout.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

59181336c7ed4b4152b83793f7ea9eae.execmd.exe

description	pid	process	target process
PID 1532 wrote to memory of 1444	1532	59181336c7ed4b4152b83793f7ea9eae.exe	cmd.exe
PID 1532 wrote to memory of 1444	1532	59181336c7ed4b4152b83793f7ea9eae.exe	cmd.exe
PID 1532 wrote to memory of 1444	1532	59181336c7ed4b4152b83793f7ea9eae.exe	cmd.exe
PID 1532 wrote to memory of 1444	1532	59181336c7ed4b4152b83793f7ea9eae.exe	cmd.exe
PID 1444 wrote to memory of 2008	1444	cmd.exe	timeout.exe
PID 1444 wrote to memory of 2008	1444	cmd.exe	timeout.exe
PID 1444 wrote to memory of 2008	1444	cmd.exe	timeout.exe
PID 1444 wrote to memory of 2008	1444	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\59181336c7ed4b4152b83793f7ea9eae.exe
"C:\Users\Admin\AppData\Local\Temp\59181336c7ed4b4152b83793f7ea9eae.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\CIvlbMrPWY & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\59181336c7ed4b4152b83793f7ea9eae.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:2008

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1532-55-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/1532-57-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1532-56-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1532-59-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1532-58-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/1532-60-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1532-61-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1532-63-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1532-62-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1532-64-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/1532-65-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/1532-67-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1532-66-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1532-68-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1532-70-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1532-69-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1532-71-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1532-73-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1532-72-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1532-74-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1532-75-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1532-76-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1532-77-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1532-78-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1532-79-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download
memory/1532-80-0x0000000003350000-0x0000000003397000-memory.dmp

Filesize
284KB

Download
memory/1532-86-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/1532-87-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1532-88-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1532-89-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1532-91-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/1532-90-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/1532-93-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/1532-92-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1532-94-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1532-95-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/1532-96-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/1532-98-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/1532-97-0x00000000032B0000-0x00000000032B1000-memory.dmp

Filesize
4KB

Download
memory/1532-99-0x0000000003351000-0x0000000003385000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing