cryptbot | 574afcec719331221014fefc45e623e57ff81468b21fcbc186fa7f448be48a40

General

Target

113.exe
Size

585KB
MD5

9a75a6d3afd26306f563d96dc2517225
SHA1

fadb011bcecdd3919242b4019d0746772ac48ce6
SHA256

574afcec719331221014fefc45e623e57ff81468b21fcbc186fa7f448be48a40
SHA512

3ee3787329425f3e71b507d58b84797df54f82e535e23b146a3185e892c93628daec0e9fe6fd3d64bef50ec4e1f378e93c45fd38ae3e11aafd6c4f8bfff56782
SSDEEP

1536:6aRU9m4HYvSIX0u+7+j71iMs5gU5OuTcjCNON9PApdpihLNafpo:kOhX0N7+f1iV5bcj0wWduLIho

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

http://bluejackover.com/gate.php

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	putdemovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	putdemovl.exe

Executes dropped EXE 2 IoCs

pid	Process
3488	putdemovl.exe
904	putdemovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	113.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	113.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	putdemovl.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	putdemovl.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3488 set thread context of 904	3488	putdemovl.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	putdemovl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	putdemovl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	putdemovl.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2000	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1748	powershell.exe
1748	powershell.exe
904	putdemovl.exe
904	putdemovl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3488	putdemovl.exe
Token: SeDebugPrivilege	1748	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 3488	1176	113.exe	83
PID 1176 wrote to memory of 3488	1176	113.exe	83
PID 1176 wrote to memory of 3488	1176	113.exe	83
PID 3488 wrote to memory of 1748	3488	putdemovl.exe	91
PID 3488 wrote to memory of 1748	3488	putdemovl.exe	91
PID 3488 wrote to memory of 1748	3488	putdemovl.exe	91
PID 3488 wrote to memory of 904	3488	putdemovl.exe	93
PID 3488 wrote to memory of 904	3488	putdemovl.exe	93
PID 3488 wrote to memory of 904	3488	putdemovl.exe	93
PID 3488 wrote to memory of 904	3488	putdemovl.exe	93
PID 3488 wrote to memory of 904	3488	putdemovl.exe	93
PID 3488 wrote to memory of 904	3488	putdemovl.exe	93
PID 3488 wrote to memory of 904	3488	putdemovl.exe	93
PID 3488 wrote to memory of 904	3488	putdemovl.exe	93
PID 3488 wrote to memory of 904	3488	putdemovl.exe	93
PID 3488 wrote to memory of 904	3488	putdemovl.exe	93
PID 3488 wrote to memory of 904	3488	putdemovl.exe	93
PID 904 wrote to memory of 3816	904	putdemovl.exe	94
PID 904 wrote to memory of 3816	904	putdemovl.exe	94
PID 904 wrote to memory of 3816	904	putdemovl.exe	94
PID 3816 wrote to memory of 2000	3816	cmd.exe	96
PID 3816 wrote to memory of 2000	3816	cmd.exe	96
PID 3816 wrote to memory of 2000	3816	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\113.exe
"C:\Users\Admin\AppData\Local\Temp\113.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\putdemovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\putdemovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\putdemovl.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\putdemovl.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\putdemovl.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3816
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout -t 5
        5⤵
        Delays execution with timeout.exe
        
        PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D037.tmp

Filesize
32B

MD5
30b13d77deed1641dd87896b3fa0afd9

SHA1
466d549e6855c627e2901601e87b05bbc0f2c8fa

SHA256
1c359e1bda712f001a46a9044a202219838ee31cd29cc7551090a2db0913399a

SHA512
bfe239b285f044b3a01c938deb809bdd65ed3adb572c4ff909c25bcf5e036a6453ee1595b0d7b7c89334391e7128358e9d187f90e39c7dafbd58ccd928d7098e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE06.tmp

Filesize
71KB

MD5
fb2e05653c3115d89013daa5132f08e0

SHA1
8ad3d1f4c1652c1e173d3201faf9fdd22b229351

SHA256
895ce9cfa9bd4ce960723e7adf0aba7eefff4c8cd5e46cad13cb791a39665077

SHA512
ca9b7fac566026fa87872d3fdfa32a5a571613b8d9cd4364e1b05d0682d52844c9d1a28c292d6d129d506a627a6cef2a0e6329f8c2ab28cd4388789f48399238

Download Submit
C:\Users\Admin\AppData\Local\Temp\F264.tmp

Filesize
2KB

MD5
1d65ace99a200cf0ac042936baf39f68

SHA1
acd9cd136a2b583c7d89dcbeffad15316921b145

SHA256
59f9c188335405db46c008bcd919293d3ea2e549db72d9f0f83ef34195809bc6

SHA512
bfc0c01bdca82c7d5ff2210d59049a65930500eaf40b26c2aa6d6149b971b5db63edc12ee5a0ee0ccd8a33bcfcb1063eb1bcf1bbc63788976baee47224bdf486

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\putdemovl.exe

Filesize
351.0MB

MD5
a0255d2458d8a8089b444120e94c0057

SHA1
78a82cb307b5b9e82e26a36f6bba3d79464746fc

SHA256
234c8b8c391d17d2bb64f12db5ac50b2bfaf81e57f1b233daeb3f0e4429ababa

SHA512
40ae6484c161535c21a87e05d94e04ead1fc4054256051f092654bdfaddc25c58a612da8c23ecc959ecbc31d450cad4500da12d23be2c203de6e28ad157051f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\putdemovl.exe

Filesize
351.0MB

MD5
a0255d2458d8a8089b444120e94c0057

SHA1
78a82cb307b5b9e82e26a36f6bba3d79464746fc

SHA256
234c8b8c391d17d2bb64f12db5ac50b2bfaf81e57f1b233daeb3f0e4429ababa

SHA512
40ae6484c161535c21a87e05d94e04ead1fc4054256051f092654bdfaddc25c58a612da8c23ecc959ecbc31d450cad4500da12d23be2c203de6e28ad157051f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\putdemovl.exe

Filesize
351.0MB

MD5
a0255d2458d8a8089b444120e94c0057

SHA1
78a82cb307b5b9e82e26a36f6bba3d79464746fc

SHA256
234c8b8c391d17d2bb64f12db5ac50b2bfaf81e57f1b233daeb3f0e4429ababa

SHA512
40ae6484c161535c21a87e05d94e04ead1fc4054256051f092654bdfaddc25c58a612da8c23ecc959ecbc31d450cad4500da12d23be2c203de6e28ad157051f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ayd4qwys.keg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/904-273-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/904-215-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/904-167-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/904-172-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/904-171-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/904-170-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1748-144-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/1748-141-0x0000000002890000-0x00000000028C6000-memory.dmp

Filesize
216KB

Download
memory/1748-159-0x00000000077F0000-0x0000000007E6A000-memory.dmp

Filesize
6.5MB

Download
memory/1748-160-0x00000000066B0000-0x00000000066CA000-memory.dmp

Filesize
104KB

Download
memory/1748-161-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/1748-162-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/1748-163-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/1748-157-0x00000000061B0000-0x00000000061CE000-memory.dmp

Filesize
120KB

Download
memory/1748-147-0x0000000005B50000-0x0000000005BB6000-memory.dmp

Filesize
408KB

Download
memory/1748-158-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/1748-146-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/1748-143-0x0000000005300000-0x0000000005928000-memory.dmp

Filesize
6.2MB

Download
memory/1748-142-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/3488-145-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/3488-140-0x00000000061C0000-0x00000000061E2000-memory.dmp

Filesize
136KB

Download
memory/3488-139-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/3488-138-0x00000000008C0000-0x00000000008D4000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads