Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-12-2024 02:01
General
-
Target
b308cb2b9e0c87edfca66e3b337f4efbecefbd2ece7a52f8a0708da0934322fc.exe
-
Size
4.7MB
-
MD5
aec88dc0fce9bab66fc9c31b30af950d
-
SHA1
476e270fd4e4c7df0d0d3d744b8440d4b7bc2641
-
SHA256
b308cb2b9e0c87edfca66e3b337f4efbecefbd2ece7a52f8a0708da0934322fc
-
SHA512
235702f1077e47cbeca8373340fd1291bca84d2c34c99eee5f39f331eaaab29bc0b7f91797ba70528f155fa8366562b21c776d3c2ef8085947a6a026915f55e7
-
SSDEEP
98304:3nhRkDypHFpvQLVth6GNvYPFOAzHQidMy/aujLhjCBUl0GO1s:mAHF6JOGNwPFOUHcXuXAlB1s
Malware Config
Signatures
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
CryptBot payload 13 IoCs
-
Cryptbot family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b308cb2b9e0c87edfca66e3b337f4efbecefbd2ece7a52f8a0708da0934322fc.exe"C:\Users\Admin\AppData\Local\Temp\b308cb2b9e0c87edfca66e3b337f4efbecefbd2ece7a52f8a0708da0934322fc.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\xnnxousmud.vbs"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xnnxousmud.vbs"3⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\whoxhtgqi.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\whoxhtgqi.exe"C:\Users\Admin\AppData\Local\Temp\whoxhtgqi.exe"3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\rprnhdcrvyyp.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\rprnhdcrvyyp.exe"C:\Users\Admin\AppData\Local\Temp\rprnhdcrvyyp.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\sjddivmjrmgpw & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\rprnhdcrvyyp.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\sjddivmjrmgpw & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\rprnhdcrvyyp.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\uoudmiyela.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\uoudmiyela.exe"C:\Users\Admin\AppData\Local\Temp\uoudmiyela.exe"3⤵
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
43B
MD52ab8c4598de4ea45e2fcfdec44631763
SHA12e82e3391be4a3ae55d718d129f909a92275f731
SHA2565fb6977f7e42ba6bb7a7ef290927969988e051302631a6e12d12eaa13a8e1305
SHA51212ae54efd6daaef091dea7ead734c59e4fa5923e788b580bf1036592a640fbdeaf4a5e60f8b5587cf837af1a2bc98065862c177b84f3223006fed79b8ad437be
-
Filesize
150B
MD5cadc7176449b1ef7d75c247c7d248b41
SHA13262d7ebfe5735d499e092504c41d39fb51ade31
SHA256edd1379685f9c0c83b7f870591d940432648d231a666d934dd22ea1a6c690f36
SHA51267321a6d375c18a26a433051980bd868c17cef922473b43e219ec3bb94e22b05c622d3f272150252b4cb8a5d1470b5302a200d08c4d675eaec5581421a9c72cf
-
Filesize
111B
MD555720c5889a254089f07acf5ec8b361f
SHA17d636646413c73f0f11a55acb98ff648c9fa1d97
SHA256fced2edf48441cf9fd17b4361cf4f8d8e81cbb11f3374d7bba3614f0c5788de6
SHA512bd7d06f12c79b2b78afbdfa8afbed581ead6583456b4ec53651238a90e14b3332f7ee4a028617c832293211c14cb291165f9f61d43ea69b6bd53467a7653b71c
-
Filesize
258B
MD5738ba2cdedb1afc7ba9a59eb022e5bf6
SHA140c0d68bdca49b91eebec73b547379e5f9e4e8ad
SHA25614198d6be7010ed1f6710001cd0c107d1f4adcd08ad9121e4fd489b65dccad69
SHA512a288b11cc07f7458741e9cabd8d4d522ca4c321ef18b71e5caeaa4854559ad6f6ba7100006af86be8f5b8094e0123a6c86d2487ee3d1d4f43ac8900f7be7b064
-
Filesize
1.8MB
MD50b4ed39c36bea4bc90d57db7556425bf
SHA1840599a34fc5d8325549b10923c8f77c75fc1705
SHA2563944226b949ca639f50db91bd17cab82ade458e842c25ea40e01b5745a09da0c
SHA5120b916e0915b48c05184f4ab52ef4d7cd8f47fe4efcf8020c03595cd0286206fdeac74cae3050275b70eb0b030c5864d67548bee7b2180cd3ff95c3e356b4b72e
-
Filesize
2.7MB
MD5c73890713ed117b033c37367c32b90ab
SHA189c73459c9d885cc2664a7a47032773665cc667c
SHA25604901e185e151e3d7205d0aab5e4239c8bead0fb1ec7c866b00d00964bd33d1f
SHA512b1bc799f1fa4687e1fd10c46c634325fc6a250c9668c7b92f4a9546e81a7fc14f7fd919a61643c1155798c5d4c25dc1d9e08245007838fb3b9f8659030a943e5
-
Filesize
2.8MB
MD5a5a71f1b721751b117fceea0839fe78e
SHA1494e98026b7224c6352ca29708264cb90b7f60cb
SHA25693a2e7fcea1289778ced81ff9c61f317c3be87e468a187e89cba9dbdb6a1e5a2
SHA5120898128bab8faf756461262101529642ea67aa8a5330bd6ec50364067fa8350e9a7ef4a9bb83f44e2f976863e6a705d9780eb405ffd123abe0f18c6d11e6e5fa
-
Filesize
139B
MD5e6f087b28821998311d2046c082154e6
SHA1083277612d7ad03290437128dd1717902ee67382
SHA2565bebf5fd1ec929a659eee3292e1eb8ab679123ffec2b5fd294687c6faf7289f3
SHA512d740e65ec67bef9fbf28d388c40b55dac6e8c7e035a14e3cbaf9063e62d8c614e21d9cbc826115da3c7f2d0bf60b3e9df67d16e16aa7fbf9e8ffe1a2ad630507
-
Filesize
41KB
MD575f5ab6f468d7fd34fe85e081abdbfe2
SHA134ff2da2596bdf56b9708232f9e95e12ac0cbf3b
SHA25623e46954af366748ef0e54589d856319b6508bff323331828395c8c0eea6d605
SHA5120ecff3f33d5f22f576d31afff5d1a81c5f961c4e28b2d620d05b8e4254c40ef4d1ec2a158db03d0f5356e402f79d27590cfa6c6536167271e15fe566891745ff
-
Filesize
650B
MD59a07271b1cf3132d124a9abdcd7f24b5
SHA180be78b4361bd1a6a8ffce5550b9d58dcb9a4797
SHA256351487d77cfb9c89f29f30f3f49ca1fa5cdeeb3233a97f08f7cadf68d7ff219d
SHA5129d74890014bc7da96848f875ea9e4e362d9694b3b2a973eb076064a0cf720b4f201f7e0062f3b88290ec677170e15c5b5184b879c64a66d4fc6856c23a102226
-
Filesize
1KB
MD5db50d32fd272ba27ef92e495ff7fc62c
SHA1bae88b4d8110c0d4c8579cc2dcd51714b991c3f5
SHA256dfe1d3874e3d90486f5602aabfd761ac48f903ba6c6be5447fa37868f38736a9
SHA5122405d5a1e50b706522a4264500d569084e8f7cf605fbc612999c0ba8b33144e7058ff496df133a9e65fba9ba5f1358a3aba66037b72e5ccf23eede850e3dd650
-
Filesize
4KB
MD5b2cc97ff945192b16870b00a704008fa
SHA17901541cbcba0dab02b39773f30c9290bf0168a8
SHA256b6968137590b31c715d1f412086cfbde486e2ea343e12a581e28074e5ad63ff7
SHA5123b338b9333dfae4e02e5ac34288f23fb7b45ef4e2ef2bf759e0036dcafbbe5dbe55324b50a4861a48042d03dc25c633a6bedbbd1ec34668a4a284e0b652d1bbc
-
Filesize
47KB
MD5c6771e2dab4d78c3e0d77f7ef3b6d2b4
SHA1771c60afb33317766a7729e5ae4c6a0d40ae833f
SHA25650b044a1be069c88838f143f236cc73d276baa0457f9bb7d2cc7cfede5716c70
SHA51232fe206b67688b1060eb8496be46a291d224d0cbff0a064e03aca6793f0ad9b87e335e7668e2da276026b7108a8183df0e3acf5ca58d9af2f91da4da2461dc1f
-
Filesize
7KB
MD589dc6b002929467253c7c4bddef1eb8d
SHA152ac7f20a708144521e826c1e8653f0b57175b6b
SHA25660be8c15566edca59ae3c723f459133a78f9e32c2d88fd8c4e0c52c787ec71d5
SHA512e8c05446a61b44f6d65c7872bf8dbcdc1ac14f5d191cc34e8c1af88c6d3e6abf2fd7f6a0a307f8c2ec7b82554346846e96e4210f9a7470d2c699fd0f3e0c477a
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
8KB
-
Filesize
3.0MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
3.0MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
