cryptbot | 9c409df92867a210bba9c3de29296c54222a9342e7e992392f75456e4a86e7a5

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca07dd5bfa53eea811b2e4608792be0c.exe
Size

667KB
MD5

ca07dd5bfa53eea811b2e4608792be0c
SHA1

49a7a0a73f7b5af40af30c8107833035567e2a76
SHA256

9c409df92867a210bba9c3de29296c54222a9342e7e992392f75456e4a86e7a5
SHA512

096d2974c3263c38463e9f7cbc1158afa13f41ed26ae00f8f155470dddd03b485e30f2839621e74fe146778adf8cbb0f3d3e41beeb6e1cd9dffba8135ed0f290
SSDEEP

12288:o1sHawM5GW8l91jP6xQMf4hbcpWfGE1VKuK6xtKXEbkRXgN3f0zkqlTxK3V1ec:oOawMkW8lHjy6Mf45cpMKu/aXEbkpY0+

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

bunmud42.top

morluw04.top

Attributes

payload_url
http://tobepw05.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 23 IoCs

pid	pid_target	Process	procid_target
3396	2280	WerFault.exe	86
4272	2280	WerFault.exe	86
756	2280	WerFault.exe	86
2428	2280	WerFault.exe	86
4072	2280	WerFault.exe	86
2988	2280	WerFault.exe	86
3644	2280	WerFault.exe	86
2828	2280	WerFault.exe	86
4488	2280	WerFault.exe	86
4476	2280	WerFault.exe	86
4484	2280	WerFault.exe	86
948	2280	WerFault.exe	86
3196	2280	WerFault.exe	86
2592	2280	WerFault.exe	86
1472	2280	WerFault.exe	86
4784	2280	WerFault.exe	86
836	2280	WerFault.exe	86
2428	2280	WerFault.exe	86
1380	2280	WerFault.exe	86
2248	2280	WerFault.exe	86
4824	2280	WerFault.exe	86
1684	2280	WerFault.exe	86
2180	2280	WerFault.exe	86

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ca07dd5bfa53eea811b2e4608792be0c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ca07dd5bfa53eea811b2e4608792be0c.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2280	ca07dd5bfa53eea811b2e4608792be0c.exe
2280	ca07dd5bfa53eea811b2e4608792be0c.exe

C:\Users\Admin\AppData\Local\Temp\ca07dd5bfa53eea811b2e4608792be0c.exe
"C:\Users\Admin\AppData\Local\Temp\ca07dd5bfa53eea811b2e4608792be0c.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 588
  2⤵
  - Program crash
  PID:3396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 644
  2⤵
  - Program crash
  PID:4272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 756
  2⤵
  - Program crash
  PID:756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 840
  2⤵
  - Program crash
  PID:2428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 912
  2⤵
  - Program crash
  PID:4072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 920
  2⤵
  - Program crash
  PID:2988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 940
  2⤵
  - Program crash
  PID:3644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 992
  2⤵
  - Program crash
  PID:2828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1196
  2⤵
  - Program crash
  PID:4488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1244
  2⤵
  - Program crash
  PID:4476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1268
  2⤵
  - Program crash
  PID:4484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1336
  2⤵
  - Program crash
  PID:948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1088
  2⤵
  - Program crash
  PID:3196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1072
  2⤵
  - Program crash
  PID:2592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1688
  2⤵
  - Program crash
  PID:1472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1088
  2⤵
  - Program crash
  PID:4784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1244
  2⤵
  - Program crash
  PID:836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 932
  2⤵
  - Program crash
  PID:2428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1820
  2⤵
  - Program crash
  PID:1380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1696
  2⤵
  - Program crash
  PID:2248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 900
  2⤵
  - Program crash
  PID:4824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1792
  2⤵
  - Program crash
  PID:1684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 544
  2⤵
  - Program crash
  PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2280 -ip 2280
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2280 -ip 2280
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2280 -ip 2280
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2280 -ip 2280
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2280 -ip 2280
1⤵
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2280 -ip 2280
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2280 -ip 2280
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2280 -ip 2280
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2280 -ip 2280
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2280 -ip 2280
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2280 -ip 2280
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2280 -ip 2280
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2280 -ip 2280
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2280 -ip 2280
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2280 -ip 2280
1⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2280 -ip 2280
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2280 -ip 2280
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2280 -ip 2280
1⤵
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2280 -ip 2280
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2280 -ip 2280
1⤵
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2280 -ip 2280
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2280 -ip 2280
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2280 -ip 2280
1⤵
PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gxlSEBBglfPe\LYxFlxhQgfVS.zip

Filesize
1.7MB

MD5
0c9e4b919d34cd1b5afd8877282bf117

SHA1
44fff382b894927d2eece659b5ec9da8c193064a

SHA256
1151d6cc0c450dfe4478c7e59bcf468a968e97de526ce73d346c47bc729d29a7

SHA512
fe080b6c22770186409943fca0b6b81e4b6776f1f2ea39805fe8ba2e8e657e4437304595b2244f8b4cf6d104b249d797a4904b270c3978d7c1a56d4903db01b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gxlSEBBglfPe\_Files\_Files\BlockEnable.txt

Filesize
916KB

MD5
4003c06d149bf532e1402592c95e5330

SHA1
1bf259dc32bcd7e16b087b676a114f570041f306

SHA256
bcfae1074ea6812ecd22cae92ba54fe7385719e29f2a493f5c00c5df9c7ffb00

SHA512
24ad8afd74a8f9d76de3c07d3259595db694e5d64cda83c82d715b0d2c267e4b0eff5f304eee0183b5f474e8f2f9f3e8ccb5bcad9dc03936a841f5535349baca

Download Submit
C:\Users\Admin\AppData\Local\Temp\gxlSEBBglfPe\_Files\_Files\CloseSave.txt

Filesize
752KB

MD5
9cf7ae0dfba8cfd8ad632dc6abdb1807

SHA1
8374ff380f43f629c875afdad01f3a2cf1cc9319

SHA256
a43d0a9d90c3c9dc73ac47ac8b41b736ceb209eb4b53daf0230abfa1c51c91f0

SHA512
763dc9ee84c60a1b08534b06dbc78293c90cb1fc53b498fcd6e9c9b7012aed67bd8370adffddf2df91519d0183c1b55e6c9ed004dddfd768fa595947577b0c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\gxlSEBBglfPe\_Files\_Information.txt

Filesize
1KB

MD5
0343048abb1189985999900ec8770801

SHA1
a1faed67de5f2ec4eb81ff2b29db37305ad4bc51

SHA256
7b980b6e397292169fb6b7ac1d9e01fac306ff808370656ae6864104fb805f02

SHA512
41dc3508fb99cabfd5b1b3edaadfa47f8da0f0712df827755fcce316e726ff2f3a4ed4781fdc534b42456d0221d4391ce19ffe6ee8d49333d0f7c08a4b297055

Download Submit
C:\Users\Admin\AppData\Local\Temp\gxlSEBBglfPe\_Files\_Information.txt

Filesize
4KB

MD5
17c9537bf5541928e3006fa438774440

SHA1
cc61e658af576dc168c9341864efe1152c03c833

SHA256
21d990f447955cbadf49c93370518c5115fcfd7f7cf5160326a9accc2fd6c4ed

SHA512
b0373f8a0ba36cf650ea6c8235c4311223f153e9bc353016f0e7fd0e4783a163b0adb0953984e0731ee42b785ccd5283b6508f9f1b39e23dcd29806eb1c3964f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gxlSEBBglfPe\files_\screenshot.jpg

Filesize
57KB

MD5
c6df26409a48f3c813e2e5a4a9341ef1

SHA1
65efb614b6d85a4044303f90bdf5b25c681f8885

SHA256
5c07bcb54241e2706316165a07ad816e15a1c3cb6f92c1c3309d7823b9a6f98c

SHA512
f194ec49a01ce35bef256fe4d0fb2b794d7444eef320c9b8ab2ce175bdb8ee290494c23778fd5906362fbe8d4fdf6016e8bbef340383c7c8005edce3132d14bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gxlSEBBglfPe\files_\system_info.txt

Filesize
718B

MD5
bcd41926cfcd60a0c188bb3eeccbc1df

SHA1
b6ad27c956d945cfa32283c5af2872202e40da1f

SHA256
4549013c276fbb27383d1539464d6b0b1c3baa048790bcb6e955a35d4ed1ab54

SHA512
7181607b93b71a6b127f50378e8a39c56e92e46d6aea4531033bea073f95162893ac36de8dd0eff31dbdc540a25d3fe56a346f4fe3d2616afc22614759352579

Download Submit
C:\Users\Admin\AppData\Local\Temp\gxlSEBBglfPe\files_\system_info.txt

Filesize
7KB

MD5
c27a765acc5d8e98f8ec1e8df5f2cf34

SHA1
c1bb6afb68940d888fd80db625a0a093fae3226d

SHA256
d1482444a2cdcf5411ad0c0cdc76463b9c1baa758cdf3ebcb9846a525a1416c9

SHA512
24bb89977f18c99e182279e166a833ea0dddbfa0d84560ded84237d0b3ba2d383957290c77fedd91104ea156df0d0825140c9d4352f542936f66dd6db5f058b0

Download Submit
memory/2280-8-0x00000000049C0000-0x0000000004A48000-memory.dmp

Filesize
544KB

Download
memory/2280-10-0x0000000000400000-0x0000000002D36000-memory.dmp

Filesize
41.2MB

Download
memory/2280-9-0x0000000004A50000-0x0000000004B3B000-memory.dmp

Filesize
940KB

Download
memory/2280-1-0x00000000049C0000-0x0000000004A48000-memory.dmp

Filesize
544KB

Download
memory/2280-210-0x0000000000400000-0x0000000002D36000-memory.dmp

Filesize
41.2MB

Download
memory/2280-6-0x0000000000400000-0x0000000002D36000-memory.dmp

Filesize
41.2MB

Download
memory/2280-3-0x0000000000400000-0x0000000002D36000-memory.dmp

Filesize
41.2MB

Download
memory/2280-2-0x0000000004A50000-0x0000000004B3B000-memory.dmp

Filesize
940KB

Download