Overview

overview

10

Static

static

3

setup_x86_...1).exe

windows7-x64

10

setup_x86_...1).exe

windows10-2004-x64

10

setup_x86_...0).exe

windows7-x64

10

setup_x86_...0).exe

windows10-2004-x64

10

setup_x86_...1).exe

windows7-x64

10

setup_x86_...1).exe

windows10-2004-x64

10

setup_x86_...2).exe

windows7-x64

10

setup_x86_...2).exe

windows10-2004-x64

10

setup_x86_...3).exe

windows7-x64

10

setup_x86_...3).exe

windows10-2004-x64

10

setup_x86_...4).exe

windows7-x64

10

setup_x86_...4).exe

windows10-2004-x64

10

setup_x86_...5).exe

windows7-x64

10

setup_x86_...5).exe

windows10-2004-x64

10

setup_x86_...6).exe

windows7-x64

10

setup_x86_...6).exe

windows10-2004-x64

10

setup_x86_...7).exe

windows7-x64

10

setup_x86_...7).exe

windows10-2004-x64

10

setup_x86_...8).exe

windows7-x64

10

setup_x86_...8).exe

windows10-2004-x64

10

setup_x86_...9).exe

windows7-x64

10

setup_x86_...9).exe

windows10-2004-x64

10

setup_x86_...2).exe

windows7-x64

10

setup_x86_...2).exe

windows10-2004-x64

10

setup_x86_...0).exe

windows7-x64

10

setup_x86_...0).exe

windows10-2004-x64

10

setup_x86_...1).exe

windows7-x64

10

setup_x86_...1).exe

windows10-2004-x64

10

setup_x86_...2).exe

windows7-x64

10

setup_x86_...2).exe

windows10-2004-x64

10

setup_x86_...3).exe

windows7-x64

10

setup_x86_...3).exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 01:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_x86_x64_install (10).exe

  • Size

    1.8MB

  • MD5

    961ed865e49001eab634e7f1d49d4865

  • SHA1

    ac28f77d1b75703518ebf6df8cdafa77da9a08aa

  • SHA256

    00bea63783ba58ffe8a63b70aa5c4c019491bed0a92ed17148836409ab7e5cc1

  • SHA512

    8d13430e0fd68959239475082822a11e681f3923471ba0cbb7bf906da86fc940b19a1e81e2a1494deee5b6fe08da8bc6ab715dcd08edb5a4f9755e39a4bbdd4a

  • SSDEEP

    24576:L3hOb1cU1l+aHBs8D3tCXG5IfsvYAPzTvW/SWlWIPqz0beYU2Z5gsUtR/VUTUb3/:LxOpmX70uDMQDU/FVUTURHinXuaa

Score
10/10
cryptbotdiscoveryspywarestealer

Malware Config

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 3 IoCs
  • Cryptbot family
    cryptbot
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (10).exe
    "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install (10).exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3180
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < Sommesso.ppt
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5108
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4536
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^ZOQsXtAtHxdyuhsSoVBajbWjbeoOEYrTNLMLtwdlZxVnlJckSKVqpClCSEUVWLmIsbsxAFNuFdaSBbwNGXVTeeJkApTAicggUhuNawKhWPcSpaw$" Apparenze.ppt
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3628
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
          Pensieroso.exe.com N
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1164
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com N
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:3644
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\RinnEiOct & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:760
              • C:\Windows\SysWOW64\timeout.exe
                timeout 3
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:5004
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 30
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2592

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Apparenze.ppt
    Filesize

    872KB

    MD5

    2caf8e89e6a05bb30057c7c470fdf260

    SHA1

    edb048d2d92046e97b2f991e9dbec16247ee5d8c

    SHA256

    492fcd3db49355cefd9c23e78d0a3c3082037f4d2e6ccaff65c81273255a22e8

    SHA512

    4f0e0f11c989f4030c77e274e919cb10a4b93283591d2e79f8ff4d3d44c0384dead702804abe221b54b32c8eeaa6be845e0d59cac336f6cf9256c95ae3469f3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ingranditi.ppt
    Filesize

    663KB

    MD5

    9fef53ec7afd145869f53138338e189f

    SHA1

    17d26e52ca0cb3de7083b5737f7b2a84a483b462

    SHA256

    e2cce7b050bc38ea22285645f3953ea3f9ea7dab11b94da0612ebace7f59eb09

    SHA512

    b434b0839269cdc32edb0aa94b570de2e19761feb0460be7fbbc5ef2250adc09ab138c1a0ab591b89dee06957c3559dbc69af156fa560c30c19d1509be8bbaa4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Isola.ppt
    Filesize

    894KB

    MD5

    0d1cb8e6cc1623b8a86ecabd84613e0e

    SHA1

    353b60c29f0fb219f6b1f49b112038912ec040c8

    SHA256

    05ebdcbe3983b1f87e69ffcdab45a2692e0248bb6beccbaeebacad4fb1d72bc4

    SHA512

    0af070ec9d3dcac2103f6d259b3d847303c0c14d245f3f6d8a86f81f233fad3048632c8cf43f93d3f53dca974a0ff0a61732686471a24df5d391c025757eda38

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pensieroso.exe.com
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sommesso.ppt
    Filesize

    325B

    MD5

    1b4d94eb8f5923f889afcbe5caddd449

    SHA1

    c613c7cfe6db911b07760a7767492de829cd37e7

    SHA256

    812f3d792ef7a99472b2aff8ee37c09218aed327036292cea950f27981071885

    SHA512

    6b4f3b1c3afc5acc8252746ea02eb59f1dd5d314439ea86097f3c0144aa13f2b955c77aa1d980a93f2e342393258d3943f14ca7708f303195b66f1fb5cd24c88

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RinnEiOct\BDQEOK~1.ZIP
    Filesize

    45KB

    MD5

    1f0901ae6371051d6be150e0bff4138a

    SHA1

    689f8cc68a51c01e089e6684037bff49dfa9a181

    SHA256

    666dbb74f165f6af7c2b13d28e3c39b96d39dcac8afda1a12a647da759ef594c

    SHA512

    d3c823ac4367784ccaa65d43ed5ccf4990c0ea83c83994c8d5170a6b93ed6e4235f4c0dbbb003139808ff019bf1e8d025003830a04f277d1783c736431b18b89

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RinnEiOct\QUNWOF~1.ZIP
    Filesize

    45KB

    MD5

    0a508403255722f43303e679ecd06255

    SHA1

    73adf6925cbd41331460a8982259d63b78217b91

    SHA256

    f5fb66aa3bd89dcda3632432208b304483e54fddff680268f42ee7e2c40f938a

    SHA512

    d0081e42bdc5d2cab8e83966d3de4dc3398e4503f278c97d2f3fdf13b27c66c972cc03090686916d6d170268f00f3d74de9e8d90f0f816aa314846ee25c76bc2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RinnEiOct\_Files\_Information.txt
    Filesize

    1KB

    MD5

    6b2f4bc264793f98479a75cc958831ee

    SHA1

    ba65633a50d071868479c65d944a9e46a60a9de2

    SHA256

    0792173c9019f324c4f5b3d7d32e5d811e24a1b6d47c92f40e66d2cc2d9f6980

    SHA512

    73d6a8f53272479eccc3e5d56bac546afb9f556dbee5a74739f4bc40bab38bdfb5d52132529c57214e06652db02828e2023b7be7694a247db0197f4c6ddd4131

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RinnEiOct\_Files\_Information.txt
    Filesize

    1KB

    MD5

    ba84d54775e4a7aee334254e8924eefb

    SHA1

    3df415443e05a8bd80c1a8bbb1f9d7324c70e3e7

    SHA256

    2e2877e17dc5e8ed5e177b954463579301c147fada04157342ef9015a307f3f6

    SHA512

    d93d980d9d624b82e74f384277437c83d20951ae1e3836c29eec78ae4727ed96dc1f2fb292e32fc8f01c8dabd200be8d877a15f1b1cadfb382a22c42c154e227

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RinnEiOct\_Files\_Information.txt
    Filesize

    7KB

    MD5

    5558470287929e75294784f8880ef4fa

    SHA1

    14d9fd38d35dbc6d42a099b03fe24cf07a17ce79

    SHA256

    2715beb8170bd28967294f74f93c8415b837f125eb4ad8a87a34abce7127be97

    SHA512

    ffc15f3779c19c3576ef539dc6c593e2d98670715fd6deaa59baad6c6d918648486aa5b6dd9b08f9d666c4033b810c9344794f81f2f5e7393291a8e7b8c2e5bd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RinnEiOct\_Files\_Screen_Desktop.jpeg
    Filesize

    51KB

    MD5

    7ea479b1c06a3c818dfb0385e963ae17

    SHA1

    e37fb5515c6bd7b3fe677581e405ac21f427b80f

    SHA256

    b6954373f5ad643065a054993cd35e6e534f1750856644105b90768714707ebd

    SHA512

    bf7b6dc15aa6bac2dd6a4ad147068250250773bc4e4327738036f8012aea65bf1c0ae7c2e554d92db8101187e4eec4ddb6760904684c03bf1975814f447b9754

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RinnEiOct\files_\system_info.txt
    Filesize

    796B

    MD5

    daeab1d3a1855a959656b95dbe7aa8b3

    SHA1

    7c5bf8b39add7f5030a8464bca763fb569e921b0

    SHA256

    a7ff6c20e3af1fa16f36e24a08a617e11f3d5edae9dd2a30622d3bac8745270c

    SHA512

    aa8c018866bbb31264ef5ff88a191ec145e143be16bc370c28d87ce075f25c699a8ca01022230e5f6d46b13910308a261a0fc418983762ac2e643b8153cbd91a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RinnEiOct\files_\system_info.txt
    Filesize

    7KB

    MD5

    af2eff2851b36eba6f87ae58a0084f07

    SHA1

    f2337b2b127907b0bdf91c60abecc32f8ffb1423

    SHA256

    ab8484065914f668d76f9b775553f12c89dbf89ae3276daae8d6ddd2ca527b69

    SHA512

    171f668ad0b6d7392a7e3d4b70670d28f32e81a611a2ca971a6e3f5c3120cee0872f16e640fe81e48a983bdb3b77bdd8b8e6371c67b06adb7fa49c270a9b2610

    Download Submit

  • memory/3644-25-0x0000000000340000-0x0000000000425000-memory.dmp

    Filesize

    916KB

    Download

  • memory/3644-26-0x0000000000340000-0x0000000000425000-memory.dmp

    Filesize

    916KB

    Download

  • memory/3644-24-0x0000000000340000-0x0000000000425000-memory.dmp

    Filesize

    916KB

    Download

  • memory/3644-23-0x0000000000340000-0x0000000000425000-memory.dmp

    Filesize

    916KB

    Download

  • memory/3644-22-0x0000000000340000-0x0000000000425000-memory.dmp

    Filesize

    916KB

    Download

  • memory/3644-21-0x0000000000340000-0x0000000000425000-memory.dmp

    Filesize

    916KB

    Download