cryptbot | ddd6c257d7dd9ca79f0bd9dc4db516e820175ee6a24fa662d7ab055bb8ba3f66

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddd6c257d7dd9ca79f0bd9dc4db516e820175ee6a24fa662d7ab055bb8ba3f66.exe
Size

419KB
MD5

cb36ff9db11188635b0ded3b4e063d13
SHA1

b05a796555f738079940a9c39312e6a7f14b9daf
SHA256

ddd6c257d7dd9ca79f0bd9dc4db516e820175ee6a24fa662d7ab055bb8ba3f66
SHA512

fc1ac751f93df24a5ee17970c714d96f9ebb3b96c6467293769cb2c52199d22a2e4362a516058b808e2266bb8adef8fa018d2ee6c579968571527162bf85b9e8
SSDEEP

12288:QHEKqNxt0FXDFun2XNSNc6kk8v2OSSnslW:QtqNuZxQP8+OSC0W

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

veomho62.top

morizu06.top

Attributes

payload_url
http://tynmat16.top/download.php?file=roamer.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1076 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1076	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ddd6c257d7dd9ca79f0bd9dc4db516e820175ee6a24fa662d7ab055bb8ba3f66.execmd.exetimeout.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddd6c257d7dd9ca79f0bd9dc4db516e820175ee6a24fa662d7ab055bb8ba3f66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ddd6c257d7dd9ca79f0bd9dc4db516e820175ee6a24fa662d7ab055bb8ba3f66.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ddd6c257d7dd9ca79f0bd9dc4db516e820175ee6a24fa662d7ab055bb8ba3f66.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ddd6c257d7dd9ca79f0bd9dc4db516e820175ee6a24fa662d7ab055bb8ba3f66.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1972 timeout.exe

pid	process
1972	timeout.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ddd6c257d7dd9ca79f0bd9dc4db516e820175ee6a24fa662d7ab055bb8ba3f66.execmd.exe

description	pid	process	target process
PID 3040 wrote to memory of 1076	3040	ddd6c257d7dd9ca79f0bd9dc4db516e820175ee6a24fa662d7ab055bb8ba3f66.exe	cmd.exe
PID 3040 wrote to memory of 1076	3040	ddd6c257d7dd9ca79f0bd9dc4db516e820175ee6a24fa662d7ab055bb8ba3f66.exe	cmd.exe
PID 3040 wrote to memory of 1076	3040	ddd6c257d7dd9ca79f0bd9dc4db516e820175ee6a24fa662d7ab055bb8ba3f66.exe	cmd.exe
PID 3040 wrote to memory of 1076	3040	ddd6c257d7dd9ca79f0bd9dc4db516e820175ee6a24fa662d7ab055bb8ba3f66.exe	cmd.exe
PID 1076 wrote to memory of 1972	1076	cmd.exe	timeout.exe
PID 1076 wrote to memory of 1972	1076	cmd.exe	timeout.exe
PID 1076 wrote to memory of 1972	1076	cmd.exe	timeout.exe
PID 1076 wrote to memory of 1972	1076	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\ddd6c257d7dd9ca79f0bd9dc4db516e820175ee6a24fa662d7ab055bb8ba3f66.exe
"C:\Users\Admin\AppData\Local\Temp\ddd6c257d7dd9ca79f0bd9dc4db516e820175ee6a24fa662d7ab055bb8ba3f66.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\QRlYHNQDWXsw & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\ddd6c257d7dd9ca79f0bd9dc4db516e820175ee6a24fa662d7ab055bb8ba3f66.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\SysWOW64\timeout.exe
    timeout 4
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3040-2-0x0000000000220000-0x0000000000265000-memory.dmp

Filesize
276KB

Download
memory/3040-1-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/3040-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3040-6-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3040-5-0x0000000000220000-0x0000000000265000-memory.dmp

Filesize
276KB

Download
memory/3040-4-0x0000000000400000-0x0000000000899000-memory.dmp

Filesize
4.6MB

Download