cryptbot | bcb279b39192d656df357e8bb33bc52ebddc209d6ecdbff75ca65334af06905a

Analysis

max time kernel
144s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2023 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86a4cdd8a4ce24624f28de4d77283dbb.exe
Size

795KB
MD5

86a4cdd8a4ce24624f28de4d77283dbb
SHA1

c363e391e8a6db6b69444de2a7f1ba22f7f78eba
SHA256

bcb279b39192d656df357e8bb33bc52ebddc209d6ecdbff75ca65334af06905a
SHA512

cd6d53a7e1564117ef8c9cc277bbb3ece668b211fbabef00192ccbbd916dfec9225fcf498248347b048957b123cfc0332e059aedf84d6f945411c8eed29f10db
SSDEEP

12288:RQMHUQ8/KyJa1XNrW1kQZTTU2pJrt0EeUOf9ngj6pGJ4iHfQG+HHIisH:KMHGyZJWDZTIMJWEeUe9nVi/b+HoBH

Score

10^/10

cryptbot discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

cryptbot

http://ernlen22.top/gate.php

Attributes

payload_url
http://ovalim02.top/magpie.dat

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

magpie.exeDpEditor.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	magpie.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DpEditor.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

magpie.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	magpie.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	magpie.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DpEditor.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DpEditor.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

86a4cdd8a4ce24624f28de4d77283dbb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	86a4cdd8a4ce24624f28de4d77283dbb.exe

Executes dropped EXE 2 IoCs

Processes:

magpie.exeDpEditor.exe

pid process

3772 magpie.exe
4444 DpEditor.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3772	magpie.exe
4444	DpEditor.exe

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\836CD7B6B5819B61\magpie.exe	themida
C:\Users\Admin\AppData\Roaming\836CD7B6B5819B61\magpie.exe	themida
behavioral2/memory/3772-239-0x00000000002A0000-0x0000000000984000-memory.dmp	themida
behavioral2/memory/3772-240-0x00000000002A0000-0x0000000000984000-memory.dmp	themida
behavioral2/memory/3772-241-0x00000000002A0000-0x0000000000984000-memory.dmp	themida
behavioral2/memory/3772-242-0x00000000002A0000-0x0000000000984000-memory.dmp	themida
behavioral2/memory/3772-243-0x00000000002A0000-0x0000000000984000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral2/memory/3772-246-0x00000000002A0000-0x0000000000984000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe	themida
behavioral2/memory/4444-249-0x0000000000F70000-0x0000000001654000-memory.dmp	themida
behavioral2/memory/4444-250-0x0000000000F70000-0x0000000001654000-memory.dmp	themida
behavioral2/memory/4444-251-0x0000000000F70000-0x0000000001654000-memory.dmp	themida
behavioral2/memory/4444-252-0x0000000000F70000-0x0000000001654000-memory.dmp	themida
behavioral2/memory/4444-253-0x0000000000F70000-0x0000000001654000-memory.dmp	themida
behavioral2/memory/4444-254-0x0000000000F70000-0x0000000001654000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

magpie.exeDpEditor.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	magpie.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DpEditor.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

86a4cdd8a4ce24624f28de4d77283dbb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	86a4cdd8a4ce24624f28de4d77283dbb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	86a4cdd8a4ce24624f28de4d77283dbb.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

magpie.exeDpEditor.exe

pid process

3772 magpie.exe
4444 DpEditor.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

86a4cdd8a4ce24624f28de4d77283dbb.exe

description pid process target process

PID 2128 set thread context of 688 2128 86a4cdd8a4ce24624f28de4d77283dbb.exe 86a4cdd8a4ce24624f28de4d77283dbb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3772	magpie.exe
4444	DpEditor.exe

description	pid	process	target process
PID 2128 set thread context of 688	2128	86a4cdd8a4ce24624f28de4d77283dbb.exe	86a4cdd8a4ce24624f28de4d77283dbb.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

86a4cdd8a4ce24624f28de4d77283dbb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	86a4cdd8a4ce24624f28de4d77283dbb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	86a4cdd8a4ce24624f28de4d77283dbb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	86a4cdd8a4ce24624f28de4d77283dbb.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2920 timeout.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

4444 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

86a4cdd8a4ce24624f28de4d77283dbb.exemagpie.exeDpEditor.exe

pid process

688 86a4cdd8a4ce24624f28de4d77283dbb.exe
688 86a4cdd8a4ce24624f28de4d77283dbb.exe
3772 magpie.exe
3772 magpie.exe
4444 DpEditor.exe
4444 DpEditor.exe

pid	process
2920	timeout.exe

pid	process
4444	DpEditor.exe

pid	process
688	86a4cdd8a4ce24624f28de4d77283dbb.exe
688	86a4cdd8a4ce24624f28de4d77283dbb.exe
3772	magpie.exe
3772	magpie.exe
4444	DpEditor.exe
4444	DpEditor.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

86a4cdd8a4ce24624f28de4d77283dbb.exe86a4cdd8a4ce24624f28de4d77283dbb.execmd.execmd.exemagpie.exe

description	pid	process	target process
PID 2128 wrote to memory of 688	2128	86a4cdd8a4ce24624f28de4d77283dbb.exe	86a4cdd8a4ce24624f28de4d77283dbb.exe
PID 2128 wrote to memory of 688	2128	86a4cdd8a4ce24624f28de4d77283dbb.exe	86a4cdd8a4ce24624f28de4d77283dbb.exe
PID 2128 wrote to memory of 688	2128	86a4cdd8a4ce24624f28de4d77283dbb.exe	86a4cdd8a4ce24624f28de4d77283dbb.exe
PID 2128 wrote to memory of 688	2128	86a4cdd8a4ce24624f28de4d77283dbb.exe	86a4cdd8a4ce24624f28de4d77283dbb.exe
PID 2128 wrote to memory of 688	2128	86a4cdd8a4ce24624f28de4d77283dbb.exe	86a4cdd8a4ce24624f28de4d77283dbb.exe
PID 2128 wrote to memory of 688	2128	86a4cdd8a4ce24624f28de4d77283dbb.exe	86a4cdd8a4ce24624f28de4d77283dbb.exe
PID 2128 wrote to memory of 688	2128	86a4cdd8a4ce24624f28de4d77283dbb.exe	86a4cdd8a4ce24624f28de4d77283dbb.exe
PID 2128 wrote to memory of 688	2128	86a4cdd8a4ce24624f28de4d77283dbb.exe	86a4cdd8a4ce24624f28de4d77283dbb.exe
PID 2128 wrote to memory of 688	2128	86a4cdd8a4ce24624f28de4d77283dbb.exe	86a4cdd8a4ce24624f28de4d77283dbb.exe
PID 2128 wrote to memory of 688	2128	86a4cdd8a4ce24624f28de4d77283dbb.exe	86a4cdd8a4ce24624f28de4d77283dbb.exe
PID 2128 wrote to memory of 688	2128	86a4cdd8a4ce24624f28de4d77283dbb.exe	86a4cdd8a4ce24624f28de4d77283dbb.exe
PID 688 wrote to memory of 4880	688	86a4cdd8a4ce24624f28de4d77283dbb.exe	cmd.exe
PID 688 wrote to memory of 4880	688	86a4cdd8a4ce24624f28de4d77283dbb.exe	cmd.exe
PID 688 wrote to memory of 4880	688	86a4cdd8a4ce24624f28de4d77283dbb.exe	cmd.exe
PID 688 wrote to memory of 3340	688	86a4cdd8a4ce24624f28de4d77283dbb.exe	cmd.exe
PID 688 wrote to memory of 3340	688	86a4cdd8a4ce24624f28de4d77283dbb.exe	cmd.exe
PID 688 wrote to memory of 3340	688	86a4cdd8a4ce24624f28de4d77283dbb.exe	cmd.exe
PID 4880 wrote to memory of 3772	4880	cmd.exe	magpie.exe
PID 4880 wrote to memory of 3772	4880	cmd.exe	magpie.exe
PID 4880 wrote to memory of 3772	4880	cmd.exe	magpie.exe
PID 3340 wrote to memory of 2920	3340	cmd.exe	timeout.exe
PID 3340 wrote to memory of 2920	3340	cmd.exe	timeout.exe
PID 3340 wrote to memory of 2920	3340	cmd.exe	timeout.exe
PID 3772 wrote to memory of 4444	3772	magpie.exe	DpEditor.exe
PID 3772 wrote to memory of 4444	3772	magpie.exe	DpEditor.exe
PID 3772 wrote to memory of 4444	3772	magpie.exe	DpEditor.exe

C:\Users\Admin\AppData\Local\Temp\86a4cdd8a4ce24624f28de4d77283dbb.exe
"C:\Users\Admin\AppData\Local\Temp\86a4cdd8a4ce24624f28de4d77283dbb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Local\Temp\86a4cdd8a4ce24624f28de4d77283dbb.exe
"C:\Users\Admin\AppData\Local\Temp\86a4cdd8a4ce24624f28de4d77283dbb.exe"
2⤵
- Checks computer location settings
- Maps connected drives based on registry
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Roaming\836CD7B6B5819B61\magpie.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4880

C:\Users\Admin\AppData\Roaming\836CD7B6B5819B61\magpie.exe
C:\Users\Admin\AppData\Roaming\836CD7B6B5819B61\magpie.exe
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3772

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:4444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\86a4cdd8a4ce24624f28de4d77283dbb.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\SysWOW64\timeout.exe
timeout -t 5
4⤵
- Delays execution with timeout.exe
PID:2920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C6E5.tmp
Filesize
32B

MD5
6c99c51d3621703961bde7b5fd85ec77

SHA1
475ed624240c8a2dc0efc8fdacddf835ac30dc57

SHA256
abddf52ee2be0061ff49a15e681ee212fa054043cba80aa8a7064b71020f13ef

SHA512
e29df0d87187a86dd5c54ff84d925af85d9355d67ff8b8bdd7ba72305c1fd1e34551aafafa4295566a9ad1715c736ceedbe9f066e0d400fd33f82f537d4bcec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9C7.tmp
Filesize
71KB

MD5
386c014d0948d4fc41afa98cfca9022e

SHA1
786cc52d9b962f55f92202c7d50c3707eb62607b

SHA256
448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2

SHA512
13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D387.tmp
Filesize
2KB

MD5
77e31b1123e94ce5720ceb729a425798

SHA1
2b65c95f27d8dca23864a3ed4f78490039ae27bf

SHA256
68cafb091d3642a1ad2440bdb51834086945ded836ea25c8f75de7e5fc568d85

SHA512
9c660381b859040e20745a1cf42646af3bd3780e2795a5ff3cedc61db9877b608d1fc431a1bd3ba3f25dd3643898b1c0f2abfc067c6634e4ce65de2d4c0c724a

Download Submit
C:\Users\Admin\AppData\Roaming\836CD7B6B5819B61\magpie.exe
Filesize
2.6MB

MD5
7b151d5d1cc93ce12a0739aee4747551

SHA1
e0f938edcae3de4059e9022d254f3dd04ad47991

SHA256
f1de8d1de91170b9f7e715575c51c5846370233c33c50831b909c5cc8207a0ad

SHA512
3481b855ba1d6f96058d187730edd2816cd64a6670b27699355e89f2cf1ccde67c0656979e15a9891b46369a46ae7483ff645e5cc2820888f5b696976a9cd944

Download Submit
C:\Users\Admin\AppData\Roaming\836CD7B6B5819B61\magpie.exe
Filesize
2.6MB

MD5
7b151d5d1cc93ce12a0739aee4747551

SHA1
e0f938edcae3de4059e9022d254f3dd04ad47991

SHA256
f1de8d1de91170b9f7e715575c51c5846370233c33c50831b909c5cc8207a0ad

SHA512
3481b855ba1d6f96058d187730edd2816cd64a6670b27699355e89f2cf1ccde67c0656979e15a9891b46369a46ae7483ff645e5cc2820888f5b696976a9cd944

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
Filesize
2.6MB

MD5
7b151d5d1cc93ce12a0739aee4747551

SHA1
e0f938edcae3de4059e9022d254f3dd04ad47991

SHA256
f1de8d1de91170b9f7e715575c51c5846370233c33c50831b909c5cc8207a0ad

SHA512
3481b855ba1d6f96058d187730edd2816cd64a6670b27699355e89f2cf1ccde67c0656979e15a9891b46369a46ae7483ff645e5cc2820888f5b696976a9cd944

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
Filesize
2.6MB

MD5
7b151d5d1cc93ce12a0739aee4747551

SHA1
e0f938edcae3de4059e9022d254f3dd04ad47991

SHA256
f1de8d1de91170b9f7e715575c51c5846370233c33c50831b909c5cc8207a0ad

SHA512
3481b855ba1d6f96058d187730edd2816cd64a6670b27699355e89f2cf1ccde67c0656979e15a9891b46369a46ae7483ff645e5cc2820888f5b696976a9cd944

Download Submit
memory/688-133-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/688-134-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/688-135-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/688-136-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/688-236-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3772-241-0x00000000002A0000-0x0000000000984000-memory.dmp

Filesize
6.9MB

Download
memory/3772-242-0x00000000002A0000-0x0000000000984000-memory.dmp

Filesize
6.9MB

Download
memory/3772-243-0x00000000002A0000-0x0000000000984000-memory.dmp

Filesize
6.9MB

Download
memory/3772-240-0x00000000002A0000-0x0000000000984000-memory.dmp

Filesize
6.9MB

Download
memory/3772-246-0x00000000002A0000-0x0000000000984000-memory.dmp

Filesize
6.9MB

Download
memory/3772-239-0x00000000002A0000-0x0000000000984000-memory.dmp

Filesize
6.9MB

Download
memory/4444-249-0x0000000000F70000-0x0000000001654000-memory.dmp

Filesize
6.9MB

Download
memory/4444-250-0x0000000000F70000-0x0000000001654000-memory.dmp

Filesize
6.9MB

Download
memory/4444-251-0x0000000000F70000-0x0000000001654000-memory.dmp

Filesize
6.9MB

Download
memory/4444-252-0x0000000000F70000-0x0000000001654000-memory.dmp

Filesize
6.9MB

Download
memory/4444-253-0x0000000000F70000-0x0000000001654000-memory.dmp

Filesize
6.9MB

Download
memory/4444-254-0x0000000000F70000-0x0000000001654000-memory.dmp

Filesize
6.9MB

Download