cryptbot | bcb279b39192d656df357e8bb33bc52ebddc209d6ecdbff75ca65334af06905a

Analysis

max time kernel
149s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14/03/2023, 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86a4cdd8a4ce24624f28de4d77283dbb.exe
Size

795KB
MD5

86a4cdd8a4ce24624f28de4d77283dbb
SHA1

c363e391e8a6db6b69444de2a7f1ba22f7f78eba
SHA256

bcb279b39192d656df357e8bb33bc52ebddc209d6ecdbff75ca65334af06905a
SHA512

cd6d53a7e1564117ef8c9cc277bbb3ece668b211fbabef00192ccbbd916dfec9225fcf498248347b048957b123cfc0332e059aedf84d6f945411c8eed29f10db
SSDEEP

12288:RQMHUQ8/KyJa1XNrW1kQZTTU2pJrt0EeUOf9ngj6pGJ4iHfQG+HHIisH:KMHGyZJWDZTIMJWEeUe9nVi/b+HoBH

Score

10^/10

cryptbot discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

cryptbot

http://ernlen22.top/gate.php

Attributes

payload_url
http://ovalim02.top/magpie.dat

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	magpie.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DpEditor.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	magpie.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	magpie.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe

Deletes itself 1 IoCs

pid	Process
1664	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1096	magpie.exe
792	DpEditor.exe

Loads dropped DLL 2 IoCs

pid	Process
324	cmd.exe
1096	magpie.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0006000000014a50-143.dat	themida
behavioral1/files/0x0006000000014a50-142.dat	themida
behavioral1/files/0x0006000000014a50-144.dat	themida
behavioral1/memory/1096-145-0x0000000000880000-0x0000000000F64000-memory.dmp	themida
behavioral1/memory/1096-146-0x0000000000880000-0x0000000000F64000-memory.dmp	themida
behavioral1/memory/1096-147-0x0000000000880000-0x0000000000F64000-memory.dmp	themida
behavioral1/memory/1096-148-0x0000000000880000-0x0000000000F64000-memory.dmp	themida
behavioral1/memory/1096-150-0x0000000000880000-0x0000000000F64000-memory.dmp	themida
behavioral1/files/0x0006000000014b56-153.dat	themida
behavioral1/memory/1096-156-0x0000000000880000-0x0000000000F64000-memory.dmp	themida
behavioral1/files/0x0006000000014b56-157.dat	themida
behavioral1/memory/792-158-0x0000000000E40000-0x0000000001524000-memory.dmp	themida
behavioral1/memory/792-159-0x0000000000E40000-0x0000000001524000-memory.dmp	themida
behavioral1/memory/792-160-0x0000000000E40000-0x0000000001524000-memory.dmp	themida
behavioral1/memory/792-161-0x0000000000E40000-0x0000000001524000-memory.dmp	themida
behavioral1/memory/792-162-0x0000000000E40000-0x0000000001524000-memory.dmp	themida
behavioral1/memory/792-163-0x0000000000E40000-0x0000000001524000-memory.dmp	themida
behavioral1/memory/792-164-0x0000000000E40000-0x0000000001524000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	magpie.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	86a4cdd8a4ce24624f28de4d77283dbb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	86a4cdd8a4ce24624f28de4d77283dbb.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1096	magpie.exe
792	DpEditor.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1108 set thread context of 940	1108	86a4cdd8a4ce24624f28de4d77283dbb.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	86a4cdd8a4ce24624f28de4d77283dbb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	86a4cdd8a4ce24624f28de4d77283dbb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	86a4cdd8a4ce24624f28de4d77283dbb.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1736	timeout.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
792	DpEditor.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
940	86a4cdd8a4ce24624f28de4d77283dbb.exe
1096	magpie.exe
792	DpEditor.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 940	1108	86a4cdd8a4ce24624f28de4d77283dbb.exe	28
PID 1108 wrote to memory of 940	1108	86a4cdd8a4ce24624f28de4d77283dbb.exe	28
PID 1108 wrote to memory of 940	1108	86a4cdd8a4ce24624f28de4d77283dbb.exe	28
PID 1108 wrote to memory of 940	1108	86a4cdd8a4ce24624f28de4d77283dbb.exe	28
PID 1108 wrote to memory of 940	1108	86a4cdd8a4ce24624f28de4d77283dbb.exe	28
PID 1108 wrote to memory of 940	1108	86a4cdd8a4ce24624f28de4d77283dbb.exe	28
PID 1108 wrote to memory of 940	1108	86a4cdd8a4ce24624f28de4d77283dbb.exe	28
PID 1108 wrote to memory of 940	1108	86a4cdd8a4ce24624f28de4d77283dbb.exe	28
PID 1108 wrote to memory of 940	1108	86a4cdd8a4ce24624f28de4d77283dbb.exe	28
PID 1108 wrote to memory of 940	1108	86a4cdd8a4ce24624f28de4d77283dbb.exe	28
PID 1108 wrote to memory of 940	1108	86a4cdd8a4ce24624f28de4d77283dbb.exe	28
PID 1108 wrote to memory of 940	1108	86a4cdd8a4ce24624f28de4d77283dbb.exe	28
PID 940 wrote to memory of 324	940	86a4cdd8a4ce24624f28de4d77283dbb.exe	30
PID 940 wrote to memory of 324	940	86a4cdd8a4ce24624f28de4d77283dbb.exe	30
PID 940 wrote to memory of 324	940	86a4cdd8a4ce24624f28de4d77283dbb.exe	30
PID 940 wrote to memory of 324	940	86a4cdd8a4ce24624f28de4d77283dbb.exe	30
PID 940 wrote to memory of 1664	940	86a4cdd8a4ce24624f28de4d77283dbb.exe	32
PID 940 wrote to memory of 1664	940	86a4cdd8a4ce24624f28de4d77283dbb.exe	32
PID 940 wrote to memory of 1664	940	86a4cdd8a4ce24624f28de4d77283dbb.exe	32
PID 940 wrote to memory of 1664	940	86a4cdd8a4ce24624f28de4d77283dbb.exe	32
PID 324 wrote to memory of 1096	324	cmd.exe	34
PID 324 wrote to memory of 1096	324	cmd.exe	34
PID 324 wrote to memory of 1096	324	cmd.exe	34
PID 324 wrote to memory of 1096	324	cmd.exe	34
PID 1664 wrote to memory of 1736	1664	cmd.exe	35
PID 1664 wrote to memory of 1736	1664	cmd.exe	35
PID 1664 wrote to memory of 1736	1664	cmd.exe	35
PID 1664 wrote to memory of 1736	1664	cmd.exe	35
PID 1096 wrote to memory of 792	1096	magpie.exe	36
PID 1096 wrote to memory of 792	1096	magpie.exe	36
PID 1096 wrote to memory of 792	1096	magpie.exe	36
PID 1096 wrote to memory of 792	1096	magpie.exe	36

C:\Users\Admin\AppData\Local\Temp\86a4cdd8a4ce24624f28de4d77283dbb.exe
"C:\Users\Admin\AppData\Local\Temp\86a4cdd8a4ce24624f28de4d77283dbb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\86a4cdd8a4ce24624f28de4d77283dbb.exe
  "C:\Users\Admin\AppData\Local\Temp\86a4cdd8a4ce24624f28de4d77283dbb.exe"
  2⤵
  - Maps connected drives based on registry
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\C7623F2CB85E31D3\magpie.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:324
  - - C:\Users\Admin\AppData\Roaming\C7623F2CB85E31D3\magpie.exe
      C:\Users\Admin\AppData\Roaming\C7623F2CB85E31D3\magpie.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1096
    - - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
        
        "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        
        PID:792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\86a4cdd8a4ce24624f28de4d77283dbb.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\SysWOW64\timeout.exe
      timeout -t 5
      4⤵
      Delays execution with timeout.exe
      PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\176E.tmp

Filesize
32B

MD5
48255136fc205998b4ebbe6f72b5cdd0

SHA1
c6f2c7fdd75a999a61ddfb5b4923d6a0dad917b1

SHA256
00523df8a35803806212867d9f6ab89d17a1bfdd3aef5fbb1dc10fcd6faa114c

SHA512
c74a7e214f93d124aed393e00f720ac91ca46328f4edf710b26235145b676003261943e4779acbc52ef14667a78636968c04c1065ac5cc70ba9f54d6ab0226de

Download Submit
C:\Users\Admin\AppData\Local\Temp\182D.tmp

Filesize
71KB

MD5
6082dd13ad8102d17f9db9cd07600e97

SHA1
39becc88cea914d843b3c5521038907f2f2f4e71

SHA256
40a3f938c8c1eb929771c444d5f8887c42c7cde6281690e2071a2593ba92e48a

SHA512
b7d5c716b6339b3138492c8b0cf4c9540a8d8224f9d5e72e34ceab442bdfa9c855473bbed68a489851f019461e1b1f9d86baf067be556c67b948c930899d3c1e

Download Submit
C:\Users\Admin\AppData\Roaming\C7623F2CB85E31D3\magpie.exe

Filesize
2.6MB

MD5
7b151d5d1cc93ce12a0739aee4747551

SHA1
e0f938edcae3de4059e9022d254f3dd04ad47991

SHA256
f1de8d1de91170b9f7e715575c51c5846370233c33c50831b909c5cc8207a0ad

SHA512
3481b855ba1d6f96058d187730edd2816cd64a6670b27699355e89f2cf1ccde67c0656979e15a9891b46369a46ae7483ff645e5cc2820888f5b696976a9cd944

Download Submit
C:\Users\Admin\AppData\Roaming\C7623F2CB85E31D3\magpie.exe

Filesize
2.6MB

MD5
7b151d5d1cc93ce12a0739aee4747551

SHA1
e0f938edcae3de4059e9022d254f3dd04ad47991

SHA256
f1de8d1de91170b9f7e715575c51c5846370233c33c50831b909c5cc8207a0ad

SHA512
3481b855ba1d6f96058d187730edd2816cd64a6670b27699355e89f2cf1ccde67c0656979e15a9891b46369a46ae7483ff645e5cc2820888f5b696976a9cd944

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

Filesize
2.6MB

MD5
7b151d5d1cc93ce12a0739aee4747551

SHA1
e0f938edcae3de4059e9022d254f3dd04ad47991

SHA256
f1de8d1de91170b9f7e715575c51c5846370233c33c50831b909c5cc8207a0ad

SHA512
3481b855ba1d6f96058d187730edd2816cd64a6670b27699355e89f2cf1ccde67c0656979e15a9891b46369a46ae7483ff645e5cc2820888f5b696976a9cd944

Download Submit
\Users\Admin\AppData\Roaming\C7623F2CB85E31D3\magpie.exe

Filesize
2.6MB

MD5
7b151d5d1cc93ce12a0739aee4747551

SHA1
e0f938edcae3de4059e9022d254f3dd04ad47991

SHA256
f1de8d1de91170b9f7e715575c51c5846370233c33c50831b909c5cc8207a0ad

SHA512
3481b855ba1d6f96058d187730edd2816cd64a6670b27699355e89f2cf1ccde67c0656979e15a9891b46369a46ae7483ff645e5cc2820888f5b696976a9cd944

Download Submit
\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

Filesize
2.6MB

MD5
7b151d5d1cc93ce12a0739aee4747551

SHA1
e0f938edcae3de4059e9022d254f3dd04ad47991

SHA256
f1de8d1de91170b9f7e715575c51c5846370233c33c50831b909c5cc8207a0ad

SHA512
3481b855ba1d6f96058d187730edd2816cd64a6670b27699355e89f2cf1ccde67c0656979e15a9891b46369a46ae7483ff645e5cc2820888f5b696976a9cd944

Download Submit
memory/324-149-0x0000000001F50000-0x0000000002634000-memory.dmp

Filesize
6.9MB

Download
memory/792-162-0x0000000000E40000-0x0000000001524000-memory.dmp

Filesize
6.9MB

Download
memory/792-158-0x0000000000E40000-0x0000000001524000-memory.dmp

Filesize
6.9MB

Download
memory/792-159-0x0000000000E40000-0x0000000001524000-memory.dmp

Filesize
6.9MB

Download
memory/792-160-0x0000000000E40000-0x0000000001524000-memory.dmp

Filesize
6.9MB

Download
memory/792-161-0x0000000000E40000-0x0000000001524000-memory.dmp

Filesize
6.9MB

Download
memory/792-163-0x0000000000E40000-0x0000000001524000-memory.dmp

Filesize
6.9MB

Download
memory/792-164-0x0000000000E40000-0x0000000001524000-memory.dmp

Filesize
6.9MB

Download
memory/940-62-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/940-60-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/940-55-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/940-56-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/940-57-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/940-140-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/940-85-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/940-58-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/940-64-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/940-59-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/940-54-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/940-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1096-148-0x0000000000880000-0x0000000000F64000-memory.dmp

Filesize
6.9MB

Download
memory/1096-156-0x0000000000880000-0x0000000000F64000-memory.dmp

Filesize
6.9MB

Download
memory/1096-150-0x0000000000880000-0x0000000000F64000-memory.dmp

Filesize
6.9MB

Download
memory/1096-147-0x0000000000880000-0x0000000000F64000-memory.dmp

Filesize
6.9MB

Download
memory/1096-146-0x0000000000880000-0x0000000000F64000-memory.dmp

Filesize
6.9MB

Download
memory/1096-145-0x0000000000880000-0x0000000000F64000-memory.dmp

Filesize
6.9MB

Download