cryptbot | d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109

General

Target

d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
Size

2.3MB
MD5

968e9faa49c57145eb9aa1d88147980a
SHA1

6f5824fac218092bdd0d2215b9e59615fdb4ddc3
SHA256

d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109
SHA512

9330d072ce4689299a38fc3897a78b6d23abb4463c6bc771e2a45a23812c44dab3e344d121bc4833d5545579e5371f56fb939898197296adf3d4a4e8e589d6d6

Score

10^/10

cryptbot discovery spyware stealer suricata vmprotect

Malware Config

Extracted

Family

cryptbot

C2

vetiir04.top

moriiikk02.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2772-139-0x00000000009A0000-0x0000000000C4C000-memory.dmp	family_cryptbot

suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

6 4684 WScript.exe
7 4684 WScript.exe
9 4684 WScript.exe
Executes dropped EXE 1 IoCs

Processes:

mookweyx.exe

pid process

2772 mookweyx.exe

flow	pid	process
6	4684	WScript.exe
7	4684	WScript.exe
9	4684	WScript.exe

pid	process
2772	mookweyx.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/1876-130-0x0000000000210000-0x000000000066E000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\mookweyx.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\mookweyx.exe	vmprotect
behavioral2/memory/2772-139-0x00000000009A0000-0x0000000000C4C000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
29	ip-api.com

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exemookweyx.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mookweyx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mookweyx.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings cmd.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

mookweyx.exe

pid process

2772 mookweyx.exe
2772 mookweyx.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	cmd.exe

pid	process
2772	mookweyx.exe
2772	mookweyx.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.execmd.execmd.exe

description	pid	process	target process
PID 1876 wrote to memory of 3644	1876	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1876 wrote to memory of 3644	1876	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1876 wrote to memory of 3644	1876	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1876 wrote to memory of 3756	1876	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1876 wrote to memory of 3756	1876	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1876 wrote to memory of 3756	1876	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 3756 wrote to memory of 2772	3756	cmd.exe	mookweyx.exe
PID 3756 wrote to memory of 2772	3756	cmd.exe	mookweyx.exe
PID 3756 wrote to memory of 2772	3756	cmd.exe	mookweyx.exe
PID 3644 wrote to memory of 4684	3644	cmd.exe	WScript.exe
PID 3644 wrote to memory of 4684	3644	cmd.exe	WScript.exe
PID 3644 wrote to memory of 4684	3644	cmd.exe	WScript.exe
PID 1876 wrote to memory of 5060	1876	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1876 wrote to memory of 5060	1876	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1876 wrote to memory of 5060	1876	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1876 wrote to memory of 2640	1876	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1876 wrote to memory of 2640	1876	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1876 wrote to memory of 2640	1876	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1876 wrote to memory of 3044	1876	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1876 wrote to memory of 3044	1876	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe
PID 1876 wrote to memory of 3044	1876	d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe
"C:\Users\Admin\AppData\Local\Temp\d6ecaf0c5f9d44b10b34a49732070af60bb5ae4947e3e4f8d5ece7c1bc61f109.exe"
1⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\wogyeapcor.vbs"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wogyeapcor.vbs"
3⤵
- Blocklisted process makes network request
PID:4684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\mookweyx.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3756

C:\Users\Admin\AppData\Local\Temp\mookweyx.exe
"C:\Users\Admin\AppData\Local\Temp\mookweyx.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\fvnnghnuj.exe"
2⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ttsanyinxu.exe"
2⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\mewrnfof.exe"
2⤵
PID:3044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
913993507c8ae30d8d97b3d760850141

SHA1
1fc4f2681d2a6afba07f8127a49efbb49dcf2fc4

SHA256
c7f001836bbeece1ecaf438455ba1323fa10db89c5db97c55fa2b4b7bc627052

SHA512
65dedf34b7cd8203559803a559b2886d75e2bc92ccccf454408f67dcd6260d6323ab34b6a182b3553b3c2076a6633abbbbd91f78157da1b82f86877b4ad52469

Download Submit
C:\Users\Admin\AppData\Local\Temp\mookweyx.exe
Filesize
1.3MB

MD5
6f34430da8bf5550b4d894cede4e78e0

SHA1
9fe5dba145b0f7aa95cfe0076c4bf953398a8d39

SHA256
6acd10ab5757aa36c9f79b9348af3ae32cb02f26f420cbb673b2be7d6596cbb7

SHA512
5eacdb05d48cad5aeb3f6ed813c29ad2f996093fbe4bdf1cb92edbbe4b55f07e59f17ba65657e509d6e4b411695202f4a2262ba54392f3c9fccd57f82d69d383

Download Submit
C:\Users\Admin\AppData\Local\Temp\mookweyx.exe
Filesize
1.3MB

MD5
6f34430da8bf5550b4d894cede4e78e0

SHA1
9fe5dba145b0f7aa95cfe0076c4bf953398a8d39

SHA256
6acd10ab5757aa36c9f79b9348af3ae32cb02f26f420cbb673b2be7d6596cbb7

SHA512
5eacdb05d48cad5aeb3f6ed813c29ad2f996093fbe4bdf1cb92edbbe4b55f07e59f17ba65657e509d6e4b411695202f4a2262ba54392f3c9fccd57f82d69d383

Download Submit
C:\Users\Admin\AppData\Local\Temp\wogyeapcor.vbs
Filesize
139B

MD5
28e6eb79e07cae5f1ebd46ead32f3b90

SHA1
e231976c0fec9e073d06670b1b20d3d7e0c18ff6

SHA256
2241fb9ee02d0bdb04df5b0bc4d2e65553823cda99e14cef315bada33ed9b5be

SHA512
79f2911c49871e227b2f954c3ea5167ef4498abfde6f020425101042c9017e3f7fccd149660dac9149cd24c103beae59fc9bbcb84548ada5242b08777b7f04e2

Download Submit
memory/1876-130-0x0000000000210000-0x000000000066E000-memory.dmp

Filesize
4.4MB

Download
memory/2640-144-0x0000000000000000-mapping.dmp

Download
memory/2772-135-0x0000000000000000-mapping.dmp

Download
memory/2772-139-0x00000000009A0000-0x0000000000C4C000-memory.dmp

Filesize
2.7MB

Download
memory/3044-145-0x0000000000000000-mapping.dmp

Download
memory/3644-132-0x0000000000000000-mapping.dmp

Download
memory/3756-133-0x0000000000000000-mapping.dmp

Download
memory/4684-138-0x0000000000000000-mapping.dmp

Download
memory/5060-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads