cryptbot | 7756efa9a5914c3141479ab8de889d6aa48f25fed3997cc165fafd4b7ab54ff9

General

Target

7756efa9a5914c3141479ab8de889d6aa48f25fed3997cc165fafd4b7ab54ff9.exe
Size

6.4MB
MD5

fe00d6961e0dc7002c7c86bed9495c79
SHA1

b0c47152746861607720ec0b185dcd4a597926a5
SHA256

7756efa9a5914c3141479ab8de889d6aa48f25fed3997cc165fafd4b7ab54ff9
SHA512

34b1dee254eb206cea6769c7f252bb12c5d170ee07889223fb8da3cf30513cc40d60539762da23711bff9a38be7960a3b2e9621587c7c0161665a1ad137de31a
SSDEEP

98304:/cFVUyzLW9OiI+Iy5/djZQ5I8DMrq4d96dETCtOLZcWhNuRbyQ4:03U2C9K+IOFAI8Dyu01cWyRb74

Score

10^/10

cryptbot credential_access discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

thirtvf13vs.top

analforeverlovyu.top

Attributes

url_path
/v1/upload.php

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 6 IoCs

pid	Process
60	service123.exe
1120	service123.exe
5032	service123.exe
4528	service123.exe
1412	service123.exe
3212	service123.exe

Loads dropped DLL 6 IoCs

pid	Process
60	service123.exe
1120	service123.exe
5032	service123.exe
4528	service123.exe
1412	service123.exe
3212	service123.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7756efa9a5914c3141479ab8de889d6aa48f25fed3997cc165fafd4b7ab54ff9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7756efa9a5914c3141479ab8de889d6aa48f25fed3997cc165fafd4b7ab54ff9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7756efa9a5914c3141479ab8de889d6aa48f25fed3997cc165fafd4b7ab54ff9.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2804	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 60	2064	7756efa9a5914c3141479ab8de889d6aa48f25fed3997cc165fafd4b7ab54ff9.exe	73
PID 2064 wrote to memory of 60	2064	7756efa9a5914c3141479ab8de889d6aa48f25fed3997cc165fafd4b7ab54ff9.exe	73
PID 2064 wrote to memory of 60	2064	7756efa9a5914c3141479ab8de889d6aa48f25fed3997cc165fafd4b7ab54ff9.exe	73
PID 2064 wrote to memory of 2804	2064	7756efa9a5914c3141479ab8de889d6aa48f25fed3997cc165fafd4b7ab54ff9.exe	74
PID 2064 wrote to memory of 2804	2064	7756efa9a5914c3141479ab8de889d6aa48f25fed3997cc165fafd4b7ab54ff9.exe	74
PID 2064 wrote to memory of 2804	2064	7756efa9a5914c3141479ab8de889d6aa48f25fed3997cc165fafd4b7ab54ff9.exe	74

C:\Users\Admin\AppData\Local\Temp\7756efa9a5914c3141479ab8de889d6aa48f25fed3997cc165fafd4b7ab54ff9.exe
"C:\Users\Admin\AppData\Local\Temp\7756efa9a5914c3141479ab8de889d6aa48f25fed3997cc165fafd4b7ab54ff9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\service123.exe
  "C:\Users\Admin\AppData\Local\Temp\service123.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:60
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2804

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1120

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5032

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4528

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1412

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-12-0x0000000000DB0000-0x0000000000DC1000-memory.dmp

Filesize
68KB

Download
memory/60-13-0x00000000746B0000-0x00000000747EC000-memory.dmp

Filesize
1.2MB

Download
memory/1120-16-0x0000000000DB0000-0x0000000000DC1000-memory.dmp

Filesize
68KB

Download
memory/1412-61-0x0000000000DB0000-0x0000000000DC1000-memory.dmp

Filesize
68KB

Download
memory/2064-0-0x0000000000400000-0x000000000106C000-memory.dmp

Filesize
12.4MB

Download
memory/2064-1-0x0000000000400000-0x000000000106C000-memory.dmp

Filesize
12.4MB

Download
memory/2064-10-0x0000000000400000-0x000000000106C000-memory.dmp

Filesize
12.4MB

Download
memory/3212-76-0x0000000000DB0000-0x0000000000DC1000-memory.dmp

Filesize
68KB

Download
memory/4528-46-0x0000000000DB0000-0x0000000000DC1000-memory.dmp

Filesize
68KB

Download
memory/5032-31-0x0000000000DB0000-0x0000000000DC1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads