cryptbot | 5154e8b32a016e05675f20c98d523681aa887e180c1fde2a10fc0007e3023bcc

General

Target

Pass-55551_NewFileV3.rar
Size

5.4MB
MD5

b4273a57d910afe2573782b3be8ae7d7
SHA1

37bed27da97e64e9337e21714db92f9c6ac2e222
SHA256

5154e8b32a016e05675f20c98d523681aa887e180c1fde2a10fc0007e3023bcc
SHA512

cfaa4efea16d8a9d3211821ed6de180e7e0ec86883d951e87dd427facda125b35c70f005365bd44a9da4f5e4b3f862762782809671f8166b655b35dc42c65824
SSDEEP

98304:aIssSDsYqxJ1USRnGc9b2fGAlg/o1V5Qo6+OCEFv1AlKBjDByJp3CHO:pnbYG+S1t9sGAlg/4VTnEFdAlKTul

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

http://xjuhie25.top/gate.php

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Executes dropped EXE 2 IoCs

Processes:

setupfile.exesrvtst.exe

pid process

1516 setupfile.exe
1816 srvtst.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1516	setupfile.exe
1816	srvtst.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

setupfile.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	setupfile.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	setupfile.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setupfile.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	setupfile.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setupfile.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setupfile.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

924 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1428 timeout.exe

pid	process
924	schtasks.exe

pid	process
1428	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

setupfile.exe

pid process

1516 setupfile.exe

pid	process
1516	setupfile.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

7zG.exe7zG.exeAUDIODG.EXEsetupfile.exe

description	pid	process
Token: SeRestorePrivilege	1336	7zG.exe
Token: 35	1336	7zG.exe
Token: SeSecurityPrivilege	1336	7zG.exe
Token: SeSecurityPrivilege	1336	7zG.exe
Token: SeRestorePrivilege	392	7zG.exe
Token: 35	392	7zG.exe
Token: SeSecurityPrivilege	392	7zG.exe
Token: SeSecurityPrivilege	392	7zG.exe
Token: 33	736	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	736	AUDIODG.EXE
Token: 33	736	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	736	AUDIODG.EXE
Token: SeDebugPrivilege	1516	setupfile.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zG.exe7zG.exesetupfile.exe

pid process

1336 7zG.exe
392 7zG.exe
1516 setupfile.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

setupfile.exe

pid process

1516 setupfile.exe

pid	process
1336	7zG.exe
392	7zG.exe
1516	setupfile.exe

pid	process
1516	setupfile.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

cmd.exesetupfile.execmd.exechrome.exetaskeng.execmd.exe

description	pid	process	target process
PID 936 wrote to memory of 552	936	cmd.exe	rundll32.exe
PID 936 wrote to memory of 552	936	cmd.exe	rundll32.exe
PID 936 wrote to memory of 552	936	cmd.exe	rundll32.exe
PID 1516 wrote to memory of 1208	1516	setupfile.exe	cmd.exe
PID 1516 wrote to memory of 1208	1516	setupfile.exe	cmd.exe
PID 1516 wrote to memory of 1208	1516	setupfile.exe	cmd.exe
PID 1516 wrote to memory of 1208	1516	setupfile.exe	cmd.exe
PID 1208 wrote to memory of 924	1208	cmd.exe	schtasks.exe
PID 1208 wrote to memory of 924	1208	cmd.exe	schtasks.exe
PID 1208 wrote to memory of 924	1208	cmd.exe	schtasks.exe
PID 1208 wrote to memory of 924	1208	cmd.exe	schtasks.exe
PID 1340 wrote to memory of 1444	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 1444	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 1444	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 392	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 392	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 392	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 392	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 392	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 392	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 392	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 392	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 392	1340	chrome.exe	chrome.exe
PID 1340 wrote to memory of 392	1340	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1816	1508	taskeng.exe	srvtst.exe
PID 1508 wrote to memory of 1816	1508	taskeng.exe	srvtst.exe
PID 1508 wrote to memory of 1816	1508	taskeng.exe	srvtst.exe
PID 1508 wrote to memory of 1816	1508	taskeng.exe	srvtst.exe
PID 1516 wrote to memory of 884	1516	setupfile.exe	cmd.exe
PID 1516 wrote to memory of 884	1516	setupfile.exe	cmd.exe
PID 1516 wrote to memory of 884	1516	setupfile.exe	cmd.exe
PID 1516 wrote to memory of 884	1516	setupfile.exe	cmd.exe
PID 884 wrote to memory of 1428	884	cmd.exe	timeout.exe
PID 884 wrote to memory of 1428	884	cmd.exe	timeout.exe
PID 884 wrote to memory of 1428	884	cmd.exe	timeout.exe
PID 884 wrote to memory of 1428	884	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Pass-55551_NewFileV3.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Pass-55551_NewFileV3.rar
2⤵
- Modifies registry class
PID:552

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
PID:924

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Pass-55551_NewFileV3\" -spe -an -ai#7zMap30873:98:7zEvent19593
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1336

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Pass-55551_NewFileV3\setupfile\" -spe -an -ai#7zMap28315:118:7zEvent2221
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:392

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x560
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Users\Admin\Desktop\Pass-55551_NewFileV3\setupfile\setupfile.exe
"C:\Users\Admin\Desktop\Pass-55551_NewFileV3\setupfile\setupfile.exe"
1⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\cmd.exe
/C schtasks /tn \Diagnostic\htudkh /create /tr """"C:\Users\Admin\AppData\Roaming\qcic\srvtst.exe""" """C:\Users\Admin\AppData\Roaming\qcic\srvtst.txt"""" /st 00:03 /f /sc once /du 9900:20 /ri 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\schtasks.exe
schtasks /tn \Diagnostic\htudkh /create /tr """"C:\Users\Admin\AppData\Roaming\qcic\srvtst.exe""" """C:\Users\Admin\AppData\Roaming\qcic\srvtst.txt"""" /st 00:03 /f /sc once /du 9900:20 /ri 1
3⤵
- Creates scheduled task(s)
PID:924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\Desktop\Pass-55551_NewFileV3\setupfile\setupfile.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\timeout.exe
timeout -t 5
3⤵
- Delays execution with timeout.exe
PID:1428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --noerrdialogs --disable-crash-reporter --disable-backgrounding-occluded-windows --disable-background-timer-throttling --disable-extensions-http-throttling --disable-renderer-backgrounding --disable-audio-output --silent-launch --restore-last-session --elevated --profile-directory="Default"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef53a9758,0x7fef53a9768,0x7fef53a9778
2⤵
PID:1444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --noerrdialogs --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1208,i,12727963664454159652,7775877269776977898,131072 /prefetch:2
2⤵
PID:392

C:\Windows\system32\taskeng.exe
taskeng.exe {6138D60E-D53D-45FD-AB88-DE4E13EA34F9} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Roaming\qcic\srvtst.exe
C:\Users\Admin\AppData\Roaming\qcic\srvtst.exe "C:\Users\Admin\AppData\Roaming\qcic\srvtst.txt"
2⤵
- Executes dropped EXE
PID:1816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\57C8.tmp

Filesize
32B

MD5
502ef3f3ece4863580320144bb4def88

SHA1
c9b0633d81023b22bd1ac521797b853fc4ba1014

SHA256
5e4a980e509800ef5eba533fbfb5e7f38bd55d4b72008bb14be344a6c699a945

SHA512
28d53daf4f9c126cd639bb52254c70cca7198de167b64fd938168bfa22410ac6dcc5d34f740aad44d6a6eb76334a5dd422a65e7e4f6ab809df7ff4d110110228

Download Submit
C:\Users\Admin\AppData\Local\Temp\59AF.tmp

Filesize
71KB

MD5
7634ebd082abbba35a8e6a300ec83c51

SHA1
953666e70fbed932e4bed446f1d1e432781972b7

SHA256
792aa1b2f647c981a8778a35717809ff0783bc4b6c022e6ed049c1029f6c584f

SHA512
6f95e7c7c4548ad206294e5fc13f9ed0bad9476e5775ac4e06bd324c6e0a14382fcf5f604e5899084ee2f3733405716d60842f3393d5fa174902dbb055d40f3e

Download Submit
C:\Users\Admin\AppData\Roaming\qcic\srvtst.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\qcic\srvtst.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\qcic\srvtst.txt

Filesize
132KB

MD5
86c8d08a436374893e2280e05aec2f26

SHA1
4c1adde16dea43f2d2d8c3990df3f7737fcc4d81

SHA256
28beb98431319514c767d415d79bed7f2e1c71a0af8e425133a5185cf66a90f5

SHA512
fd97e017fd1f2ec15bdeb2a04a9a39df8a2fd8b4a79c6cb3748f535cf5d4e540a343e7bd20b59bbdb958461078d420f81ab76238f865b82732992e6ccab19d96

Download Submit
C:\Users\Admin\Desktop\Pass-55551_NewFileV3\setupfile.rar

Filesize
5.4MB

MD5
34f2255c5b6bef0d305a9e89c0f3bd10

SHA1
1d1bf155ed5f8cfabc3384b7a5bdb2a0d1f7c4a9

SHA256
25ecb4d10bbe3e25a2dac571c283f9ae4f2f1121daf131759450f80a71134789

SHA512
22fcc7d00980fd756a362b62408f0e33d1a501baf7eaf3f53c4e38ee932821e68d3b193350d5d9f95c38c8362660350f2946972eaf8fbfef9b2713275df88f8f

Download Submit
C:\Users\Admin\Desktop\Pass-55551_NewFileV3\setupfile\setupfile.exe

Filesize
315.0MB

MD5
22fd7346da087ca433c5ee67127d12c0

SHA1
85836972ddd534431dab67c5deb93ee5e76f71c7

SHA256
c9cd4412b82e1dc956e5d7a971d8495009f204e7aef07eebb3347406c7a132ec

SHA512
4c57baf3022b0a8aab2a7fa2720da1397ff8cc3c8bcc69b19c8b881e663ac27de7a1913720dbc5d171a5cd61765dc5ce22253870bb10338fe921581f19d0bcab

Download Submit
C:\Users\Admin\Desktop\Pass-55551_NewFileV3\setupfile\setupfile.exe

Filesize
315.0MB

MD5
22fd7346da087ca433c5ee67127d12c0

SHA1
85836972ddd534431dab67c5deb93ee5e76f71c7

SHA256
c9cd4412b82e1dc956e5d7a971d8495009f204e7aef07eebb3347406c7a132ec

SHA512
4c57baf3022b0a8aab2a7fa2720da1397ff8cc3c8bcc69b19c8b881e663ac27de7a1913720dbc5d171a5cd61765dc5ce22253870bb10338fe921581f19d0bcab

Download Submit
memory/392-177-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1516-229-0x0000000014160000-0x000000001422E000-memory.dmp

Filesize
824KB

Download
memory/1516-139-0x0000000000320000-0x000000000037A000-memory.dmp

Filesize
360KB

Download
memory/1516-232-0x0000000014160000-0x000000001422E000-memory.dmp

Filesize
824KB

Download
memory/1516-140-0x0000000014160000-0x000000001422E000-memory.dmp

Filesize
824KB

Download
memory/1516-138-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads