cryptbot | 9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4

Analysis

max time kernel
147s
max time network
156s
platform
windows7_x64
resource
win7-20220715-en
submitted
31-07-2022 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe
Size

4.1MB
MD5

00f6d577255aeba6ef07654f829a945e
SHA1

6a1983afed3140a083c2417c716d427ac9649e4e
SHA256

9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4
SHA512

e1d611b76c7a1b0ca10603cccb1c3f87abd05354e4a9d3e194586f56109202693607525fcc44ca639f778538422d4bef7c91b5e1b31986a7fc01e1abf51f6655
SSDEEP

98304:wbNDO9MRv3n6wx02rPkC3St5fqiyUCQ0yUL05Rx:wZD1v3K1sSfX1iG

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

hio01.pro

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Set.exe

Executes dropped EXE 2 IoCs

pid	Process
2036	Set.exe
1120	Setup.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Set.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Set.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Wine	Set.exe
Key opened	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Wine	Setup.exe

Loads dropped DLL 7 IoCs

pid	Process
912	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe
912	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe
2036	Set.exe
2036	Set.exe
912	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe
1120	Setup.exe
1120	Setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2036	Set.exe
1120	Setup.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Hps\Set.exe	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe
File created	C:\Program Files (x86)\Hps\Setup.exe	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe
File created	C:\Program Files (x86)\Hps\Software Update.xml	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe
File created	C:\Program Files (x86)\Hps\Registration Order.xml	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe
File created	C:\Program Files (x86)\Hps\Software News.xml	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Set.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Set.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2036	Set.exe
1120	Setup.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
1120	Setup.exe
1120	Setup.exe
1120	Setup.exe
1120	Setup.exe
1120	Setup.exe
1120	Setup.exe
1120	Setup.exe
1120	Setup.exe
1120	Setup.exe
1120	Setup.exe
1120	Setup.exe
1120	Setup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 2036	912	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	27
PID 912 wrote to memory of 2036	912	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	27
PID 912 wrote to memory of 2036	912	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	27
PID 912 wrote to memory of 2036	912	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	27
PID 912 wrote to memory of 2036	912	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	27
PID 912 wrote to memory of 2036	912	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	27
PID 912 wrote to memory of 2036	912	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	27
PID 912 wrote to memory of 1120	912	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	30
PID 912 wrote to memory of 1120	912	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	30
PID 912 wrote to memory of 1120	912	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	30
PID 912 wrote to memory of 1120	912	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	30
PID 912 wrote to memory of 1120	912	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	30
PID 912 wrote to memory of 1120	912	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	30
PID 912 wrote to memory of 1120	912	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	30

C:\Users\Admin\AppData\Local\Temp\9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe
"C:\Users\Admin\AppData\Local\Temp\9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:912
- C:\Program Files (x86)\Hps\Set.exe
  "C:\Program Files (x86)\Hps\Set.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:2036
- C:\Program Files (x86)\Hps\Setup.exe
  "C:\Program Files (x86)\Hps\Setup.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Hps\Set.exe

Filesize
2.0MB

MD5
dc4dfdd359b8c6f5ba0e7a444b1dce25

SHA1
3402de0f455a075668e89614dcb74effef698b87

SHA256
80b33ef5167ed621606f36aabbe93a01b35949544b826ee12380cb0474468cfc

SHA512
3582f382d544482ee88bb3ae82e7fe2da6ea0a22becf54c45f886c272b7dbdc8a5ea393c00349ee5bce23d1607118ad0c24ccad55e33399920f11c5156090b9f

Download Submit
C:\Program Files (x86)\Hps\Set.exe

Filesize
2.0MB

MD5
dc4dfdd359b8c6f5ba0e7a444b1dce25

SHA1
3402de0f455a075668e89614dcb74effef698b87

SHA256
80b33ef5167ed621606f36aabbe93a01b35949544b826ee12380cb0474468cfc

SHA512
3582f382d544482ee88bb3ae82e7fe2da6ea0a22becf54c45f886c272b7dbdc8a5ea393c00349ee5bce23d1607118ad0c24ccad55e33399920f11c5156090b9f

Download Submit
C:\Program Files (x86)\Hps\Setup.exe

Filesize
2.2MB

MD5
a2553f8709f3251f84f882afd04e5922

SHA1
1b6c85df29adf36a916474ba4e31482dcefeab80

SHA256
eccbaa183f83e02a7681fd3669717ecf7498b0298d0dca9d55937ca2e9097c42

SHA512
9f1d3e3520597a407f42271b8624a0d812574ecd019bb01b9b76f3d2c890038f8e3b867683b521f213838977815656d7f09809ba4faf949b907adafc512dc9fb

Download Submit
C:\Program Files (x86)\Hps\Setup.exe

Filesize
2.2MB

MD5
a2553f8709f3251f84f882afd04e5922

SHA1
1b6c85df29adf36a916474ba4e31482dcefeab80

SHA256
eccbaa183f83e02a7681fd3669717ecf7498b0298d0dca9d55937ca2e9097c42

SHA512
9f1d3e3520597a407f42271b8624a0d812574ecd019bb01b9b76f3d2c890038f8e3b867683b521f213838977815656d7f09809ba4faf949b907adafc512dc9fb

Download Submit
\Program Files (x86)\Hps\Set.exe

Filesize
2.0MB

MD5
dc4dfdd359b8c6f5ba0e7a444b1dce25

SHA1
3402de0f455a075668e89614dcb74effef698b87

SHA256
80b33ef5167ed621606f36aabbe93a01b35949544b826ee12380cb0474468cfc

SHA512
3582f382d544482ee88bb3ae82e7fe2da6ea0a22becf54c45f886c272b7dbdc8a5ea393c00349ee5bce23d1607118ad0c24ccad55e33399920f11c5156090b9f

Download Submit
\Program Files (x86)\Hps\Set.exe

Filesize
2.0MB

MD5
dc4dfdd359b8c6f5ba0e7a444b1dce25

SHA1
3402de0f455a075668e89614dcb74effef698b87

SHA256
80b33ef5167ed621606f36aabbe93a01b35949544b826ee12380cb0474468cfc

SHA512
3582f382d544482ee88bb3ae82e7fe2da6ea0a22becf54c45f886c272b7dbdc8a5ea393c00349ee5bce23d1607118ad0c24ccad55e33399920f11c5156090b9f

Download Submit
\Program Files (x86)\Hps\Set.exe

Filesize
2.0MB

MD5
dc4dfdd359b8c6f5ba0e7a444b1dce25

SHA1
3402de0f455a075668e89614dcb74effef698b87

SHA256
80b33ef5167ed621606f36aabbe93a01b35949544b826ee12380cb0474468cfc

SHA512
3582f382d544482ee88bb3ae82e7fe2da6ea0a22becf54c45f886c272b7dbdc8a5ea393c00349ee5bce23d1607118ad0c24ccad55e33399920f11c5156090b9f

Download Submit
\Program Files (x86)\Hps\Setup.exe

Filesize
2.2MB

MD5
a2553f8709f3251f84f882afd04e5922

SHA1
1b6c85df29adf36a916474ba4e31482dcefeab80

SHA256
eccbaa183f83e02a7681fd3669717ecf7498b0298d0dca9d55937ca2e9097c42

SHA512
9f1d3e3520597a407f42271b8624a0d812574ecd019bb01b9b76f3d2c890038f8e3b867683b521f213838977815656d7f09809ba4faf949b907adafc512dc9fb

Download Submit
\Program Files (x86)\Hps\Setup.exe

Filesize
2.2MB

MD5
a2553f8709f3251f84f882afd04e5922

SHA1
1b6c85df29adf36a916474ba4e31482dcefeab80

SHA256
eccbaa183f83e02a7681fd3669717ecf7498b0298d0dca9d55937ca2e9097c42

SHA512
9f1d3e3520597a407f42271b8624a0d812574ecd019bb01b9b76f3d2c890038f8e3b867683b521f213838977815656d7f09809ba4faf949b907adafc512dc9fb

Download Submit
\Program Files (x86)\Hps\Setup.exe

Filesize
2.2MB

MD5
a2553f8709f3251f84f882afd04e5922

SHA1
1b6c85df29adf36a916474ba4e31482dcefeab80

SHA256
eccbaa183f83e02a7681fd3669717ecf7498b0298d0dca9d55937ca2e9097c42

SHA512
9f1d3e3520597a407f42271b8624a0d812574ecd019bb01b9b76f3d2c890038f8e3b867683b521f213838977815656d7f09809ba4faf949b907adafc512dc9fb

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFC89.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/912-82-0x0000000002740000-0x0000000002C84000-memory.dmp

Filesize
5.3MB

Download
memory/912-54-0x0000000074DB1000-0x0000000074DB3000-memory.dmp

Filesize
8KB

Download
memory/912-99-0x0000000002740000-0x0000000002C84000-memory.dmp

Filesize
5.3MB

Download
memory/912-58-0x0000000002740000-0x0000000002C50000-memory.dmp

Filesize
5.1MB

Download
memory/1120-100-0x0000000000940000-0x0000000000E84000-memory.dmp

Filesize
5.3MB

Download
memory/1120-87-0x0000000000940000-0x0000000000E84000-memory.dmp

Filesize
5.3MB

Download
memory/1120-86-0x0000000000FC0000-0x0000000001504000-memory.dmp

Filesize
5.3MB

Download
memory/1120-85-0x0000000073B01000-0x0000000073B03000-memory.dmp

Filesize
8KB

Download
memory/1120-83-0x0000000000940000-0x0000000000E84000-memory.dmp

Filesize
5.3MB

Download
memory/1120-88-0x0000000073901000-0x0000000073903000-memory.dmp

Filesize
8KB

Download
memory/1120-98-0x00000000737A1000-0x00000000737A3000-memory.dmp

Filesize
8KB

Download
memory/1120-84-0x0000000000FC0000-0x0000000001504000-memory.dmp

Filesize
5.3MB

Download
memory/1120-101-0x0000000000FC0000-0x0000000001504000-memory.dmp

Filesize
5.3MB

Download
memory/1120-102-0x0000000000FC0000-0x0000000001504000-memory.dmp

Filesize
5.3MB

Download
memory/1120-103-0x0000000000940000-0x0000000000E84000-memory.dmp

Filesize
5.3MB

Download
memory/2036-64-0x0000000000400000-0x0000000000910000-memory.dmp

Filesize
5.1MB

Download
memory/2036-74-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download
memory/2036-73-0x0000000000400000-0x0000000000910000-memory.dmp

Filesize
5.1MB

Download
memory/2036-72-0x0000000000400000-0x0000000000910000-memory.dmp

Filesize
5.1MB

Download
memory/2036-71-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download
memory/2036-70-0x00000000013B0000-0x00000000018C0000-memory.dmp

Filesize
5.1MB

Download
memory/2036-69-0x0000000000400000-0x0000000000910000-memory.dmp

Filesize
5.1MB

Download
memory/2036-68-0x0000000000400000-0x0000000000910000-memory.dmp

Filesize
5.1MB

Download
memory/2036-67-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download
memory/2036-66-0x00000000013B0000-0x00000000018C0000-memory.dmp

Filesize
5.1MB

Download
memory/2036-65-0x00000000013B0000-0x00000000018C0000-memory.dmp

Filesize
5.1MB

Download