cryptbot | 4e0cbe9c0d9d6734b69aa74e0494f5f4d24094dafa15985e0bd1d81c9a29b55e

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install (17).exe
Size

1.8MB
MD5

961ed865e49001eab634e7f1d49d4865
SHA1

ac28f77d1b75703518ebf6df8cdafa77da9a08aa
SHA256

00bea63783ba58ffe8a63b70aa5c4c019491bed0a92ed17148836409ab7e5cc1
SHA512

8d13430e0fd68959239475082822a11e681f3923471ba0cbb7bf906da86fc940b19a1e81e2a1494deee5b6fe08da8bc6ab715dcd08edb5a4f9755e39a4bbdd4a
SSDEEP

24576:L3hOb1cU1l+aHBs8D3tCXG5IfsvYAPzTvW/SWlWIPqz0beYU2Z5gsUtR/VUTUb3/:LxOpmX70uDMQDU/FVUTURHinXuaa

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 3 IoCs

resource	yara_rule
behavioral18/memory/2872-24-0x0000000004BF0000-0x0000000004CD5000-memory.dmp	family_cryptbot
behavioral18/memory/2872-25-0x0000000004BF0000-0x0000000004CD5000-memory.dmp	family_cryptbot
behavioral18/memory/2872-26-0x0000000004BF0000-0x0000000004CD5000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	setup_x86_x64_install (17).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Pensieroso.exe.com

Executes dropped EXE 2 IoCs

pid	Process
4740	Pensieroso.exe.com
2872	Pensieroso.exe.com

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_x86_x64_install (17).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pensieroso.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pensieroso.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4564	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Pensieroso.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Pensieroso.exe.com

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2980	timeout.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4564	PING.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2872	Pensieroso.exe.com
2872	Pensieroso.exe.com

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 64	3764	setup_x86_x64_install (17).exe	82
PID 3764 wrote to memory of 64	3764	setup_x86_x64_install (17).exe	82
PID 3764 wrote to memory of 64	3764	setup_x86_x64_install (17).exe	82
PID 64 wrote to memory of 4396	64	cmd.exe	84
PID 64 wrote to memory of 4396	64	cmd.exe	84
PID 64 wrote to memory of 4396	64	cmd.exe	84
PID 4396 wrote to memory of 3416	4396	cmd.exe	85
PID 4396 wrote to memory of 3416	4396	cmd.exe	85
PID 4396 wrote to memory of 3416	4396	cmd.exe	85
PID 4396 wrote to memory of 4740	4396	cmd.exe	86
PID 4396 wrote to memory of 4740	4396	cmd.exe	86
PID 4396 wrote to memory of 4740	4396	cmd.exe	86
PID 4396 wrote to memory of 4564	4396	cmd.exe	87
PID 4396 wrote to memory of 4564	4396	cmd.exe	87
PID 4396 wrote to memory of 4564	4396	cmd.exe	87
PID 4740 wrote to memory of 2872	4740	Pensieroso.exe.com	88
PID 4740 wrote to memory of 2872	4740	Pensieroso.exe.com	88
PID 4740 wrote to memory of 2872	4740	Pensieroso.exe.com	88
PID 2872 wrote to memory of 452	2872	Pensieroso.exe.com	97
PID 2872 wrote to memory of 452	2872	Pensieroso.exe.com	97
PID 2872 wrote to memory of 452	2872	Pensieroso.exe.com	97
PID 452 wrote to memory of 2980	452	cmd.exe	99
PID 452 wrote to memory of 2980	452	cmd.exe	99
PID 452 wrote to memory of 2980	452	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (17).exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (17).exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Sommesso.ppt
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^ZOQsXtAtHxdyuhsSoVBajbWjbeoOEYrTNLMLtwdlZxVnlJckSKVqpClCSEUVWLmIsbsxAFNuFdaSBbwNGXVTeeJkApTAicggUhuNawKhWPcSpaw$" Apparenze.ppt
      4⤵
      System Location Discovery: System Language Discovery
      PID:3416
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
      Pensieroso.exe.com N
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com N
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:2872
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\POcYOfiAdEm & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2980
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Apparenze.ppt

Filesize
872KB

MD5
2caf8e89e6a05bb30057c7c470fdf260

SHA1
edb048d2d92046e97b2f991e9dbec16247ee5d8c

SHA256
492fcd3db49355cefd9c23e78d0a3c3082037f4d2e6ccaff65c81273255a22e8

SHA512
4f0e0f11c989f4030c77e274e919cb10a4b93283591d2e79f8ff4d3d44c0384dead702804abe221b54b32c8eeaa6be845e0d59cac336f6cf9256c95ae3469f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ingranditi.ppt

Filesize
663KB

MD5
9fef53ec7afd145869f53138338e189f

SHA1
17d26e52ca0cb3de7083b5737f7b2a84a483b462

SHA256
e2cce7b050bc38ea22285645f3953ea3f9ea7dab11b94da0612ebace7f59eb09

SHA512
b434b0839269cdc32edb0aa94b570de2e19761feb0460be7fbbc5ef2250adc09ab138c1a0ab591b89dee06957c3559dbc69af156fa560c30c19d1509be8bbaa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Isola.ppt

Filesize
894KB

MD5
0d1cb8e6cc1623b8a86ecabd84613e0e

SHA1
353b60c29f0fb219f6b1f49b112038912ec040c8

SHA256
05ebdcbe3983b1f87e69ffcdab45a2692e0248bb6beccbaeebacad4fb1d72bc4

SHA512
0af070ec9d3dcac2103f6d259b3d847303c0c14d245f3f6d8a86f81f233fad3048632c8cf43f93d3f53dca974a0ff0a61732686471a24df5d391c025757eda38

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sommesso.ppt

Filesize
325B

MD5
1b4d94eb8f5923f889afcbe5caddd449

SHA1
c613c7cfe6db911b07760a7767492de829cd37e7

SHA256
812f3d792ef7a99472b2aff8ee37c09218aed327036292cea950f27981071885

SHA512
6b4f3b1c3afc5acc8252746ea02eb59f1dd5d314439ea86097f3c0144aa13f2b955c77aa1d980a93f2e342393258d3943f14ca7708f303195b66f1fb5cd24c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\POcYOfiAdEm\KHDKRC~1.ZIP

Filesize
46KB

MD5
f65f05c7fc676b976dcf1653231452c4

SHA1
829d4abdb840ffcd1d795622775a917961124818

SHA256
ce95ebe51f0991d1b69ae9374fdbea7c37ed862624e600ed0233d7e3573f0e85

SHA512
9650f222c22266d079c3fd5a2471132e521f18dabe761d21547f6289bf09c768a371c6ac011ac6e30f064247ac9bb2f6d535feb3a005adbb9f0e1164a51956c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\POcYOfiAdEm\PLTTTX~1.ZIP

Filesize
46KB

MD5
630cf7cc365db91ce04a57a253e7691b

SHA1
5e32b1c68451f929b183f54eeb6d0f21477174e3

SHA256
045de978d2b9eea961bda2b60d830cf497b9360d7ba38f0d9c8185c256869c9a

SHA512
9a31800b1d6cafbae6245244a4a5487c1d2422f60972906a4f74fbe715ccdeb1d0f243613a4acc00045647755376b719ce4e12f0ed246e1a96e464f137be5357

Download Submit
C:\Users\Admin\AppData\Local\Temp\POcYOfiAdEm\_Files\_INFOR~1.TXT

Filesize
7KB

MD5
57deb8d3e03dd32c2a523639a3fcc56c

SHA1
5f5a620f4556458b521d24ca4a25fa7d4516daae

SHA256
74bca0c85491e55bd4ab5cc5a92721bceefa34755d020e2300e85279fd4e8596

SHA512
5f57b9068f07a4ced0408eed1571e1e18196aea323855ece0ec739f4114adeded3731ba5f4b00a4cc3051f855a6e604eeb8667285ae36cad327f499bb3e73723

Download Submit
C:\Users\Admin\AppData\Local\Temp\POcYOfiAdEm\_Files\_Information.txt

Filesize
4KB

MD5
d332104faaace95e9332815ef41c3508

SHA1
3ea5fe510e83c6c5b15e99aa3ca084e2d980a91f

SHA256
e5648079124f427d735f5230aa369c906000291607630f2482ff9f48e32800cd

SHA512
8e03004ca906627bf2eeade1c5258eb25a441969660d610fba2d97c975248951259fd71efa93e75f4ad8e076b228138126271739c616b23858f3a563df7371fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\POcYOfiAdEm\_Files\_Screen_Desktop.jpeg

Filesize
51KB

MD5
5f70a92aa6e72e8fe6f8e05544154702

SHA1
a5a0a01eac8162ea36cb920fbe5614e8f8741377

SHA256
b01a994313088820aaed97988f9522085dd44cec052c9f23343c4e70fa046c0f

SHA512
dc8fcd4067c4ecdb552533fc2d916e12384db6094200e05496125b7c9571fb1c07ea7e8465322bc5b7d6160303f5d59518c96e23372a43526e075c720f2a35b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\POcYOfiAdEm\files_\system_info.txt

Filesize
7KB

MD5
146cfadf4d5a017c21161be7ba9f9680

SHA1
5abb71c87a2078cba3ea916e38aa7b4108ca2ba4

SHA256
82c967ac3d4ce361940dd3021fb7e6c8f104a097cba0c328e5962abb1cca0eb0

SHA512
fb81212d17d255cf1e751dcdcda261aeee3cf21b5bb1523e61467fe5e07aa9d0bde120677de423c187c1851b28e006e8ac8c678d18043d9a07ddc6fd66ba14c8

Download Submit
memory/2872-26-0x0000000004BF0000-0x0000000004CD5000-memory.dmp

Filesize
916KB

Download
memory/2872-25-0x0000000004BF0000-0x0000000004CD5000-memory.dmp

Filesize
916KB

Download
memory/2872-24-0x0000000004BF0000-0x0000000004CD5000-memory.dmp

Filesize
916KB

Download
memory/2872-23-0x0000000004BF0000-0x0000000004CD5000-memory.dmp

Filesize
916KB

Download
memory/2872-22-0x0000000004BF0000-0x0000000004CD5000-memory.dmp

Filesize
916KB

Download
memory/2872-21-0x0000000004BF0000-0x0000000004CD5000-memory.dmp

Filesize
916KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads