Overview

overview

10

Static

static

1

sample.exe

windows7-x64

10

sample.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 22:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample.exe

  • Size

    1.7MB

  • MD5

    e8ae1f3a412dd275335e8f0dc99a06f3

  • SHA1

    9dd718b9536101926ae8e41be15ed1fe629d3d59

  • SHA256

    6c8314cb40fe0f4bb65c307c8128332c62accce1581e1442ee7daac1d1847a85

  • SHA512

    27b409331795ae4ca8bd312306c3465f96eb79c2ef3d27cf283f74d81513fa18c79b81a648143da46eb3838d29aae02654daa76c32254ee5aceb95ca1d7e6824

  • SSDEEP

    49152:y2dYg2a/9AI4WJxMwmQYoiFPbfrJ8SMECXLzZtBtJ1Kvs3U:yWYg2aFASheoiZGJfJsvgU

Score
10/10
cryptbotdiscoveryspywarestealer

Malware Config

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 3 IoCs
  • Cryptbot family
    cryptbot
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Palme.pptx
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3528
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^afFlggFLbJFsDNAfJSVgbojKkIWOZApycnsavZoodTulHqpnyHZBBqOprVZGsRLXAmVyviSKJNXDweelnbJaAHDcJifBZCQm$" Fummo.pptx
          4⤵
          • System Location Discovery: System Language Discovery
          PID:904
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.exe.com
          Riaprirmi.exe.com X
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2984
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.exe.com
            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.exe.com X
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:4104
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\cRCrZBpaj & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.exe.com"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2984
              • C:\Windows\SysWOW64\timeout.exe
                timeout 3
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:3664
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 30
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.pptx
    Filesize

    894KB

    MD5

    fb3eedc237bcd9e8b3dbd243fb44df97

    SHA1

    bdacf4c39747376f597540b7a945fdf3546ca1ba

    SHA256

    0ef6c6178b1e38494dac9cbdf93079f36eb3606fdb943b2764544a278de3d741

    SHA512

    a3eb1da9217ce597a6c486161f93083f7179e93fb2de9d2b71e937c67910a4b503e47b4ce3f312477e8e4a3b54248f8342779ce12125e15c70ed0d41c489873a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fummo.pptx
    Filesize

    872KB

    MD5

    eb070a58d3fa7694f2ab534c8444f14b

    SHA1

    c5b6d3035ca3e85ea8d07977cbc87731c4bd4d86

    SHA256

    6d7ebfa3caadf591892583ff214e4235c1493a002a9e284dfe9cdd3c73e6650e

    SHA512

    674b99d046feaacc6abfd44ac3a349cf9b5ac47c76e15063e7d810bee038b98507a1e6a004a3b378cafb855321f5fe881b8deb6b326e59b74cb239d9320855ca

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gli.pptx
    Filesize

    568KB

    MD5

    3b8fc1dc6f3ef4273165994c6816f7d8

    SHA1

    36e1a04a69d0b65320adadf726aa505131a7d22c

    SHA256

    0e633c60415e22a9a60316c8b7a731ceda98955db1fd8f3f664b7750fca74b44

    SHA512

    c4f6b2276ba0e2fcded7585eba2dee6cacf267083e9661c3a653a2c1e832a54f89ca1e2254554c47418b6ea8f3f75ee7f5a812ca91b744c96fb3e87a82d27246

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Palme.pptx
    Filesize

    353B

    MD5

    143248a4649a30656e98074c8ca159a5

    SHA1

    d6595b66a26c008df3663edda3fc107002b51796

    SHA256

    03b9bfc6d9b9afa9dc6f6e9294f78e0750f0cc3250482356942cfe8ed7f3938d

    SHA512

    fc9d4e521ae2d137c44a6ae31a5a822072fa0d6c4eeb9298bb4cd4f399abb29be5e0dfcc9ae4890f892d561ba17be38d4b336e4fc9b621061f559e2a00df75bb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.exe.com
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cRCrZBpaj\UOTQNG~1.ZIP
    Filesize

    45KB

    MD5

    75042279a9436481711f302c2fc330e6

    SHA1

    98a4eadd46228d4263590cd75551d534dd8af088

    SHA256

    7c2dfd66883a36de87fca364ebea93cce4a2ecce9ca563c94754890b210b5df1

    SHA512

    cf4df7a5fb66a8bf22ff1ce38c9abb2f8713e2fca94a93d7444efdc1402b6bab15d7c9b9e6a49c57419377862e99d2078663183c0a9940bcdddfebe5c898ff3f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cRCrZBpaj\VJALNW~1.ZIP
    Filesize

    45KB

    MD5

    8f59927c5f49cd62438ffe3d19c7f0a4

    SHA1

    7575d322a30fe3fee53d301971ecc25028a1be01

    SHA256

    ad40291b0b551249105ea12c7bd16ef38669bbbb2fd7924bf21f64fc10f50028

    SHA512

    708b4910509bc7183db99a5da08bf34f93cd6782f0a144eaf3620605fe94e7d4a34359976ac133b7e78b868119d8ee979abbe82bd277ecdee622cd1dc85b3455

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cRCrZBpaj\_Files\_INFOR~1.TXT
    Filesize

    7KB

    MD5

    3d3a30171d6955f72c411db91aee1fa8

    SHA1

    4ba41f22c3e212845f2ac384bfaa225961ebd931

    SHA256

    e23874cc14da4cdc417c696df3aa1a617a08220960d8cfb86c9ce84f3441c391

    SHA512

    3a344215463bd469ce6d220b104159c58b9f3b20e0451953e4bc20743c58876fb93a94b9aa19e276b243265486058f5f6f4d2739e0dd9404465b7f1261e0fdbd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cRCrZBpaj\_Files\_Information.txt
    Filesize

    1KB

    MD5

    72b5435245768c67b67fdcf82387f989

    SHA1

    a0091b7a40f7c726aa4d8852a147ef0d63a09a55

    SHA256

    7b34eaa79aabb62b9734401846eab71bf4c0651f430a64ce350cc5116303fcee

    SHA512

    b1267277ea2bb77d073cc2e876907caa43251c2bbd814ba07144aa88fc31f1723f939ff3644906ad5726420fc51c259ee4f475b3f29976af032b230c4170851a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cRCrZBpaj\_Files\_Information.txt
    Filesize

    1KB

    MD5

    5b37c54b8fbe049bd3540ec5e53f19b8

    SHA1

    6ed4cca165ec9b8f47155f2f8742e9d266a491b6

    SHA256

    63f54cb9314699c70de6d8db822c4ae900b482aedb519e5518f846d08f0486da

    SHA512

    3ab8b7661d700ce5f8c38491c4da1de1ae0b430be6b150f5086decf441922387aae386a83aef0723c54bb4ce9808eb08db326cee52a6f5e3edd5ab4db12cb95f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cRCrZBpaj\_Files\_Information.txt
    Filesize

    3KB

    MD5

    1b281fb6b84349c99203234348478d45

    SHA1

    f51c4044b2aa10259d38b67f689d0a36582a989f

    SHA256

    4a32edb8823c45d8d69884ed96177e24a18fde6262f898815c6e1abfba1d4b76

    SHA512

    45a8ddadc97ec4075094a470c5383bec06d9fbc2f4b13f790aca0d7f708546844969e8c7b4723297d9911f6e83349e420b9af0809e68eff2abef23f3a7f4aac8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cRCrZBpaj\_Files\_Information.txt
    Filesize

    5KB

    MD5

    f72d5ed0d5ac91f277464077d28ecb43

    SHA1

    38b3a824ef87df2bd425c1569c94d6f10737ba52

    SHA256

    1658dd2d8e1af7d2ef9e581fd1d037ba166cfb166562d49bcb1aae3bf03b4ae3

    SHA512

    fca1c7afdc2f9643e2f2cc946c0977c17e6e78b67e3c24f81862d75845f4759801a4ecc2c21f1b6d515f8524d775d1f0f61c433fbdaf1f23776da14adca43e8f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cRCrZBpaj\_Files\_Screen_Desktop.jpeg
    Filesize

    50KB

    MD5

    6493271da84ca0bc5b95141a0993c91b

    SHA1

    e9eed00c6cbbffaa217eedb541759a151d7025c3

    SHA256

    c019c0fa8d3dc3ade10c984ff3cf64754489d3646c268ce0c9156fbe1917d21c

    SHA512

    9abd8bf5490d4be44d9839c195b8b39b7e41d0962ca88a61f87c74c861817ee8724f8a3ab818e25b70a4bd6f2d8f277b79b33745f852c49d5d1410512ff813f7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cRCrZBpaj\files_\SYSTEM~1.TXT
    Filesize

    7KB

    MD5

    05009463ff26c7d5da92a186e74ca6a4

    SHA1

    fd82095bbc215fd2644dae9bf1d429653223e789

    SHA256

    148321a5125d26b107bdf331a0d6ba28de0766e08ce22bfcd517fed1b6262b9b

    SHA512

    b34f37a1a1112d32f3558368bb2a53b440f8eeb88228c5946c1eb9c23d767b771ab8100d1574479a3f4fd09fbfd91ac4051a73f57821b1ab7006a9a141a65128

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cRCrZBpaj\files_\system_info.txt
    Filesize

    4KB

    MD5

    1655b79a5254f3745ba0a4f368fd2db5

    SHA1

    66fbf9069e0aed7deaaa969d41453c715349b538

    SHA256

    fb387c4ff0f072cecc8bdb5d70eb79db1424e3d34736d19a0a726a7b7e4b5e03

    SHA512

    2dedd43fb208c43ade8b6d08acee0954d9fade8729d661a7fd160c3c91d410bf50353d5853e9b5d6113a3c333a0bbf66a1f56e5eb03a4a3ff3f93afa82c93b4c

    Download Submit

  • memory/4104-21-0x00000000044A0000-0x0000000004585000-memory.dmp

    Filesize

    916KB

    Download

  • memory/4104-26-0x00000000044A0000-0x0000000004585000-memory.dmp

    Filesize

    916KB

    Download

  • memory/4104-25-0x00000000044A0000-0x0000000004585000-memory.dmp

    Filesize

    916KB

    Download

  • memory/4104-24-0x00000000044A0000-0x0000000004585000-memory.dmp

    Filesize

    916KB

    Download

  • memory/4104-23-0x00000000044A0000-0x0000000004585000-memory.dmp

    Filesize

    916KB

    Download

  • memory/4104-22-0x00000000044A0000-0x0000000004585000-memory.dmp

    Filesize

    916KB

    Download