cryptbot | 9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
submitted
31-07-2022 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe
Size

4.1MB
MD5

00f6d577255aeba6ef07654f829a945e
SHA1

6a1983afed3140a083c2417c716d427ac9649e4e
SHA256

9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4
SHA512

e1d611b76c7a1b0ca10603cccb1c3f87abd05354e4a9d3e194586f56109202693607525fcc44ca639f778538422d4bef7c91b5e1b31986a7fc01e1abf51f6655
SSDEEP

98304:wbNDO9MRv3n6wx02rPkC3St5fqiyUCQ0yUL05Rx:wZD1v3K1sSfX1iG

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

hio01.pro

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Set.exeSetup.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Set.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Setup.exe
Executes dropped EXE 2 IoCs

Processes:

Set.exeSetup.exe

pid process

4716 Set.exe
4384 Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Set.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe

pid	process
4716	Set.exe
4384	Setup.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Set.exeSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Set.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Set.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Set.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation Set.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	Set.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Set.exeSetup.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Wine	Set.exe
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Wine	Setup.exe

Loads dropped DLL 1 IoCs

Processes:

9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe

pid process

5076 9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

69 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Set.exeSetup.exe

pid process

4716 Set.exe
4384 Setup.exe

pid	process
5076	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe

flow	ioc
69	ip-api.com

pid	process
4716	Set.exe
4384	Setup.exe

Drops file in Program Files directory 5 IoCs

Processes:

9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe

description	ioc	process
File created	C:\Program Files (x86)\Hps\Registration Order.xml	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe
File created	C:\Program Files (x86)\Hps\Software News.xml	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe
File created	C:\Program Files (x86)\Hps\Set.exe	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe
File created	C:\Program Files (x86)\Hps\Setup.exe	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe
File created	C:\Program Files (x86)\Hps\Software Update.xml	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Set.exeSetup.exe

pid process

4716 Set.exe
4716 Set.exe
4384 Setup.exe
4384 Setup.exe

pid	process
4716	Set.exe
4716	Set.exe
4384	Setup.exe
4384	Setup.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

Setup.exe

pid	process
4384	Setup.exe
4384	Setup.exe
4384	Setup.exe
4384	Setup.exe
4384	Setup.exe
4384	Setup.exe
4384	Setup.exe
4384	Setup.exe
4384	Setup.exe
4384	Setup.exe
4384	Setup.exe
4384	Setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe

description	pid	process	target process
PID 5076 wrote to memory of 4716	5076	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	Set.exe
PID 5076 wrote to memory of 4716	5076	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	Set.exe
PID 5076 wrote to memory of 4716	5076	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	Set.exe
PID 5076 wrote to memory of 4384	5076	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	Setup.exe
PID 5076 wrote to memory of 4384	5076	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	Setup.exe
PID 5076 wrote to memory of 4384	5076	9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe	Setup.exe

C:\Users\Admin\AppData\Local\Temp\9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe
"C:\Users\Admin\AppData\Local\Temp\9605231b3632e8fd98ec70b4a1e1d2192689e4a4abc2df62c955c25e40bfe3e4.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Program Files (x86)\Hps\Set.exe
  "C:\Program Files (x86)\Hps\Set.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Program Files (x86)\Hps\Setup.exe
  "C:\Program Files (x86)\Hps\Setup.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:4384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Hps\Set.exe

Filesize
2.0MB

MD5
dc4dfdd359b8c6f5ba0e7a444b1dce25

SHA1
3402de0f455a075668e89614dcb74effef698b87

SHA256
80b33ef5167ed621606f36aabbe93a01b35949544b826ee12380cb0474468cfc

SHA512
3582f382d544482ee88bb3ae82e7fe2da6ea0a22becf54c45f886c272b7dbdc8a5ea393c00349ee5bce23d1607118ad0c24ccad55e33399920f11c5156090b9f

Download Submit
C:\Program Files (x86)\Hps\Setup.exe

Filesize
2.2MB

MD5
a2553f8709f3251f84f882afd04e5922

SHA1
1b6c85df29adf36a916474ba4e31482dcefeab80

SHA256
eccbaa183f83e02a7681fd3669717ecf7498b0298d0dca9d55937ca2e9097c42

SHA512
9f1d3e3520597a407f42271b8624a0d812574ecd019bb01b9b76f3d2c890038f8e3b867683b521f213838977815656d7f09809ba4faf949b907adafc512dc9fb

Download Submit
C:\Program Files (x86)\Hps\Setup.exe

Filesize
2.2MB

MD5
a2553f8709f3251f84f882afd04e5922

SHA1
1b6c85df29adf36a916474ba4e31482dcefeab80

SHA256
eccbaa183f83e02a7681fd3669717ecf7498b0298d0dca9d55937ca2e9097c42

SHA512
9f1d3e3520597a407f42271b8624a0d812574ecd019bb01b9b76f3d2c890038f8e3b867683b521f213838977815656d7f09809ba4faf949b907adafc512dc9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssA955.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/4384-148-0x0000000000890000-0x0000000000DD4000-memory.dmp

Filesize
5.3MB

Download
memory/4384-147-0x0000000077CA0000-0x0000000077E43000-memory.dmp

Filesize
1.6MB

Download
memory/4384-146-0x0000000000890000-0x0000000000DD4000-memory.dmp

Filesize
5.3MB

Download
memory/4384-145-0x0000000000890000-0x0000000000DD4000-memory.dmp

Filesize
5.3MB

Download
memory/4384-144-0x0000000077CA0000-0x0000000077E43000-memory.dmp

Filesize
1.6MB

Download
memory/4384-143-0x0000000000890000-0x0000000000DD4000-memory.dmp

Filesize
5.3MB

Download
memory/4384-140-0x0000000000000000-mapping.dmp

Download
memory/4716-134-0x0000000077CA0000-0x0000000077E43000-memory.dmp

Filesize
1.6MB

Download
memory/4716-139-0x0000000077CA0000-0x0000000077E43000-memory.dmp

Filesize
1.6MB

Download
memory/4716-138-0x0000000000400000-0x0000000000910000-memory.dmp

Filesize
5.1MB

Download
memory/4716-137-0x0000000077CA0000-0x0000000077E43000-memory.dmp

Filesize
1.6MB

Download
memory/4716-136-0x0000000000400000-0x0000000000910000-memory.dmp

Filesize
5.1MB

Download
memory/4716-135-0x0000000000400000-0x0000000000910000-memory.dmp

Filesize
5.1MB

Download
memory/4716-133-0x0000000000400000-0x0000000000910000-memory.dmp

Filesize
5.1MB

Download
memory/4716-131-0x0000000000000000-mapping.dmp

Download