Overview

overview

10

Static

static

3

setup_x86_...1).exe

windows7-x64

10

setup_x86_...1).exe

windows10-2004-x64

10

setup_x86_...0).exe

windows7-x64

10

setup_x86_...0).exe

windows10-2004-x64

10

setup_x86_...1).exe

windows7-x64

10

setup_x86_...1).exe

windows10-2004-x64

10

setup_x86_...2).exe

windows7-x64

10

setup_x86_...2).exe

windows10-2004-x64

10

setup_x86_...3).exe

windows7-x64

10

setup_x86_...3).exe

windows10-2004-x64

10

setup_x86_...4).exe

windows7-x64

10

setup_x86_...4).exe

windows10-2004-x64

10

setup_x86_...5).exe

windows7-x64

10

setup_x86_...5).exe

windows10-2004-x64

10

setup_x86_...6).exe

windows7-x64

10

setup_x86_...6).exe

windows10-2004-x64

10

setup_x86_...7).exe

windows7-x64

10

setup_x86_...7).exe

windows10-2004-x64

10

setup_x86_...8).exe

windows7-x64

10

setup_x86_...8).exe

windows10-2004-x64

10

setup_x86_...9).exe

windows7-x64

10

setup_x86_...9).exe

windows10-2004-x64

10

setup_x86_...2).exe

windows7-x64

10

setup_x86_...2).exe

windows10-2004-x64

10

setup_x86_...0).exe

windows7-x64

10

setup_x86_...0).exe

windows10-2004-x64

10

setup_x86_...1).exe

windows7-x64

10

setup_x86_...1).exe

windows10-2004-x64

10

setup_x86_...2).exe

windows7-x64

10

setup_x86_...2).exe

windows10-2004-x64

10

setup_x86_...3).exe

windows7-x64

10

setup_x86_...3).exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 01:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_x86_x64_install (18).exe

  • Size

    1.8MB

  • MD5

    961ed865e49001eab634e7f1d49d4865

  • SHA1

    ac28f77d1b75703518ebf6df8cdafa77da9a08aa

  • SHA256

    00bea63783ba58ffe8a63b70aa5c4c019491bed0a92ed17148836409ab7e5cc1

  • SHA512

    8d13430e0fd68959239475082822a11e681f3923471ba0cbb7bf906da86fc940b19a1e81e2a1494deee5b6fe08da8bc6ab715dcd08edb5a4f9755e39a4bbdd4a

  • SSDEEP

    24576:L3hOb1cU1l+aHBs8D3tCXG5IfsvYAPzTvW/SWlWIPqz0beYU2Z5gsUtR/VUTUb3/:LxOpmX70uDMQDU/FVUTURHinXuaa

Score
10/10
cryptbotdiscoveryspywarestealer

Malware Config

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 3 IoCs
  • Cryptbot family
    cryptbot
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (18).exe
    "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (18).exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < Sommesso.ppt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2456
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^ZOQsXtAtHxdyuhsSoVBajbWjbeoOEYrTNLMLtwdlZxVnlJckSKVqpClCSEUVWLmIsbsxAFNuFdaSBbwNGXVTeeJkApTAicggUhuNawKhWPcSpaw$" Apparenze.ppt
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2716
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
          Pensieroso.exe.com N
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4400
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com N
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:3128
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\rsdqfvJV & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1572
              • C:\Windows\SysWOW64\timeout.exe
                timeout 3
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:3608
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 30
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3360

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Apparenze.ppt
    Filesize

    872KB

    MD5

    2caf8e89e6a05bb30057c7c470fdf260

    SHA1

    edb048d2d92046e97b2f991e9dbec16247ee5d8c

    SHA256

    492fcd3db49355cefd9c23e78d0a3c3082037f4d2e6ccaff65c81273255a22e8

    SHA512

    4f0e0f11c989f4030c77e274e919cb10a4b93283591d2e79f8ff4d3d44c0384dead702804abe221b54b32c8eeaa6be845e0d59cac336f6cf9256c95ae3469f3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ingranditi.ppt
    Filesize

    663KB

    MD5

    9fef53ec7afd145869f53138338e189f

    SHA1

    17d26e52ca0cb3de7083b5737f7b2a84a483b462

    SHA256

    e2cce7b050bc38ea22285645f3953ea3f9ea7dab11b94da0612ebace7f59eb09

    SHA512

    b434b0839269cdc32edb0aa94b570de2e19761feb0460be7fbbc5ef2250adc09ab138c1a0ab591b89dee06957c3559dbc69af156fa560c30c19d1509be8bbaa4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Isola.ppt
    Filesize

    894KB

    MD5

    0d1cb8e6cc1623b8a86ecabd84613e0e

    SHA1

    353b60c29f0fb219f6b1f49b112038912ec040c8

    SHA256

    05ebdcbe3983b1f87e69ffcdab45a2692e0248bb6beccbaeebacad4fb1d72bc4

    SHA512

    0af070ec9d3dcac2103f6d259b3d847303c0c14d245f3f6d8a86f81f233fad3048632c8cf43f93d3f53dca974a0ff0a61732686471a24df5d391c025757eda38

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sommesso.ppt
    Filesize

    325B

    MD5

    1b4d94eb8f5923f889afcbe5caddd449

    SHA1

    c613c7cfe6db911b07760a7767492de829cd37e7

    SHA256

    812f3d792ef7a99472b2aff8ee37c09218aed327036292cea950f27981071885

    SHA512

    6b4f3b1c3afc5acc8252746ea02eb59f1dd5d314439ea86097f3c0144aa13f2b955c77aa1d980a93f2e342393258d3943f14ca7708f303195b66f1fb5cd24c88

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rsdqfvJV\TRNFTT~1.ZIP
    Filesize

    38KB

    MD5

    a65649bb1c91fb429b488e59adf679bd

    SHA1

    43749ccabdb6b65780ccc386cf2790b865c25b7d

    SHA256

    b1bd7037b85ad2710849ef190b1872508bfee41ffbd9347d6fc6d6c3885bbfda

    SHA512

    0d4f670de358f9b9339471ad761cf6a059aafe385e80c5105d0964b863268af7432ab1332a90437f9a15dd9ef9adcd8594d9dc14ce10d050cb4f39ce7319009d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rsdqfvJV\WLWCBR~1.ZIP
    Filesize

    38KB

    MD5

    3465c0b6c0fd15fa84396845b5a1f999

    SHA1

    7de59a8b954abe93076016db14daa5f16bbbd0ce

    SHA256

    7eddbe37fa6b516892c02bfca267ad08468b18ed4e8a5001f5e491b5e29f4fe9

    SHA512

    5badd27bcf78542761910b31f2ee0051b0c98323a17b5960baec5b52f0c17d79005956e548434b34d2c460e88c966f9fb7b06b57437952a6911cb0445d55d741

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rsdqfvJV\_Files\_INFOR~1.TXT
    Filesize

    7KB

    MD5

    6447f9d9118fe1e4ab99bd333ae503b7

    SHA1

    47806a5b8a2e82f740f4f815e79b3e3440956ab2

    SHA256

    d6978f0bd304572d31d85f7e1c4e8820f68311ce29a4f68e4649fe82b8717dfa

    SHA512

    169a7a8d46941946afdff39fc06d7d34c2fff99ecf49144d536df3a755a1bca39d49140a9e9f6ae31b9413bdcc268ed6aaf3c5efaafd3fd5b1e42421e19b23ec

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rsdqfvJV\_Files\_Information.txt
    Filesize

    2KB

    MD5

    47a9d2f9c5d393ac746c4db2d070ec6d

    SHA1

    806c4751584d66e1290dc3ac997f4fe30758115c

    SHA256

    eb97aac22caa892a89b0e73b473479157cb7fca95fde9d14153159f158112d0a

    SHA512

    7d06bc813f146ca492cdeed565ab08b39dc8f83b60d308107f58152431777a34c30b38f608c417ce24c30bd1866c0966526853e4a403c52a590f2dce6e89188a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rsdqfvJV\_Files\_Information.txt
    Filesize

    3KB

    MD5

    622eabaa07672065e80f1e562b14a3c1

    SHA1

    cd19338cc8f604c0b2542143db6e9237c7249984

    SHA256

    608f65c571c265da3a0d5174e4aa6104b376f0ffb116e1b0c6f1e3bc64ec07cf

    SHA512

    1512c15c0aa9d1878951c98463f1382471fe3de3d1072a57ad5bb112b2cd7b7d51f0ef0bb87a036eaf7e077042503f76adcbfed068e7a256f0a32bd709946432

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rsdqfvJV\_Files\_Information.txt
    Filesize

    6KB

    MD5

    d86d06af3a8dcf7624059ecfd7b5a75a

    SHA1

    c6b7bdfea17cbb1618f52905f230bacc65b56af2

    SHA256

    6a2e3051c58fdcb280a3501228b2edc1552806e878e77426e9887055c11b0e05

    SHA512

    df39d217f6b0338ec7b3779da4596c1d7896fc5ff7511aeb77d7ff7b99bb50d8c2b537769fd7b69a394285ee0e64305ed93c197d829336eb1584c799fee5f8e1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rsdqfvJV\_Files\_Screen_Desktop.jpeg
    Filesize

    44KB

    MD5

    600652ee8ab6227e63774c8630e99a88

    SHA1

    809dc8f0e2e86782ec04fbbc95a0bcc213504c5e

    SHA256

    c5fc8c046064a06c24797ad0dd56942cfe79ef222b5b604c294d790917cd15a5

    SHA512

    71cae8018cff25e639dfa6d6bdcec59df51a9ef13f167ff77c819b0834b52fc9a3a0879997c83ef940d81c8756aa45dba69ccb1e6504f648d6a307ff6e5d36ad

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rsdqfvJV\files_\system_info.txt
    Filesize

    706B

    MD5

    d28c9ee3d8b492a20218a6d897b48a3c

    SHA1

    85eefaf19f937f8461ee407879d68ae889485abe

    SHA256

    8b9ec3991a302ce5eb3effc5af92885b1bb75d53634b57f571b8cff0c4856df7

    SHA512

    54fc9dbeb0ad09b028166af4a321b779621909f5ddc576d8689cc4ad18dc8decc40eb766fd0337c5b0604505af65a013e637afe0cfc458273d1ff69def8679e6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rsdqfvJV\files_\system_info.txt
    Filesize

    7KB

    MD5

    b5c0eb4f118f3ac19ced7b0397132d72

    SHA1

    c834211dc1d7b6508213d9b8d8d72ebb4f969157

    SHA256

    df34b2b3201b4829068ea2eec1352fbbfbb3a6fec8b41267422b635cb3fc1d08

    SHA512

    db2b47938b8baa99e66d7f9c8225b645a940989cab590b08083736e4b35f84043e8787c25db1fc8fee4f2fa4e7c3b49201e3466d8cf7acdf33cb130bb4bb27d3

    Download Submit

  • memory/3128-21-0x00000000046C0000-0x00000000047A5000-memory.dmp

    Filesize

    916KB

    Download

  • memory/3128-26-0x00000000046C0000-0x00000000047A5000-memory.dmp

    Filesize

    916KB

    Download

  • memory/3128-25-0x00000000046C0000-0x00000000047A5000-memory.dmp

    Filesize

    916KB

    Download

  • memory/3128-24-0x00000000046C0000-0x00000000047A5000-memory.dmp

    Filesize

    916KB

    Download

  • memory/3128-23-0x00000000046C0000-0x00000000047A5000-memory.dmp

    Filesize

    916KB

    Download

  • memory/3128-22-0x00000000046C0000-0x00000000047A5000-memory.dmp

    Filesize

    916KB

    Download