cryptbot | 46f4b1ec288a17527f403e01e718ddd3cf4a489b8f98e2683a23dbd468237137

Analysis

max time kernel
94s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Main-Installer.exe
Size

2.1MB
MD5

54ce61c4a0a44b61eb0cdfd8f2a2d9de
SHA1

b7768927797cc3bda4d5b049aeba68f2b3712d3c
SHA256

c65c74893e884b5f4109608289b4b38200d7f8eff0f04e2dc244a1bbcdb3f233
SHA512

50e5da3227a05c410fec148099289574196b1039007f0da687762e0fc746cb597ceaf7101df03de9b34dce92018cc440a2f19cbf56c73a469337ce65adcbdc80
SSDEEP

49152:Z7UA42umT5om24Ljd0bQaPa0nv63j210D2JBHPCeI:ZoT2umlon8d0bQc9/1tBHaeI

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 3 IoCs

resource	yara_rule
behavioral2/memory/1300-24-0x0000000004430000-0x0000000004515000-memory.dmp	family_cryptbot
behavioral2/memory/1300-25-0x0000000004430000-0x0000000004515000-memory.dmp	family_cryptbot
behavioral2/memory/1300-26-0x0000000004430000-0x0000000004515000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Main-Installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Riaprirmi.exe.com

Executes dropped EXE 2 IoCs

pid	Process
3064	Riaprirmi.exe.com
1300	Riaprirmi.exe.com

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Main-Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Riaprirmi.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Riaprirmi.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5072	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Riaprirmi.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Riaprirmi.exe.com

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3264	timeout.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5072	PING.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1300	Riaprirmi.exe.com
1300	Riaprirmi.exe.com

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 1364	1056	Main-Installer.exe	83
PID 1056 wrote to memory of 1364	1056	Main-Installer.exe	83
PID 1056 wrote to memory of 1364	1056	Main-Installer.exe	83
PID 1364 wrote to memory of 216	1364	cmd.exe	85
PID 1364 wrote to memory of 216	1364	cmd.exe	85
PID 1364 wrote to memory of 216	1364	cmd.exe	85
PID 216 wrote to memory of 3036	216	cmd.exe	86
PID 216 wrote to memory of 3036	216	cmd.exe	86
PID 216 wrote to memory of 3036	216	cmd.exe	86
PID 216 wrote to memory of 3064	216	cmd.exe	87
PID 216 wrote to memory of 3064	216	cmd.exe	87
PID 216 wrote to memory of 3064	216	cmd.exe	87
PID 216 wrote to memory of 5072	216	cmd.exe	88
PID 216 wrote to memory of 5072	216	cmd.exe	88
PID 216 wrote to memory of 5072	216	cmd.exe	88
PID 3064 wrote to memory of 1300	3064	Riaprirmi.exe.com	89
PID 3064 wrote to memory of 1300	3064	Riaprirmi.exe.com	89
PID 3064 wrote to memory of 1300	3064	Riaprirmi.exe.com	89
PID 1300 wrote to memory of 3612	1300	Riaprirmi.exe.com	104
PID 1300 wrote to memory of 3612	1300	Riaprirmi.exe.com	104
PID 1300 wrote to memory of 3612	1300	Riaprirmi.exe.com	104
PID 3612 wrote to memory of 3264	3612	cmd.exe	106
PID 3612 wrote to memory of 3264	3612	cmd.exe	106
PID 3612 wrote to memory of 3264	3612	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\Main-Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Main-Installer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Consolato.tiff
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^CVYCRORZuebEyJkvJtosaPWIaoqERlLjlkgMnPrkCQCNVdgPGQimJxQNYfpIOjiWdlxUcnXTqXOBhpMeUlYwrjCPxBNo$" Lineamento.tiff
      4⤵
      System Location Discovery: System Language Discovery
      PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.exe.com
      Riaprirmi.exe.com z
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.exe.com z
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1300
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\DocHYgMheuaxG & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.exe.com"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3264
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ali.tiff

Filesize
894KB

MD5
e10283439c190db013c3e5b1f524e91b

SHA1
0698f42be2164626390656a360323cfff9198773

SHA256
e42642ec415f7e760c51a5264f0c45f2ee97fbdbe5f359300973f0bb7f644de9

SHA512
48a94dc39ae79372dcf230f56598b63ed7d41dab5d02a4eb32fcd97d4808dd1b184e18d7b125ba09456bc6dc3786e43d1747adcc314f7bae5c1667135dc80103

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cancellata.tiff

Filesize
603KB

MD5
87bcbfacde09406114109eb7e13402d9

SHA1
7e9220e1f7a0ef7dcc0adc045140a8f22f8c5116

SHA256
421b0d3b2595a4b16545363d243a3ef7cc1c54cc2828d2c839d59ceaae7582b2

SHA512
781275caf4fee8c6b399ae7c3ed3c66fd494dfdf7db5d234fa71bfca238dd0847a8ebaddaf47d27bc189aa9c8e90279df1cdceb3acb1bc997e272153451855ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Consolato.tiff

Filesize
306B

MD5
3b10b75b93db8ecb14b58c28de83c2bf

SHA1
eb0361b53d27049a8f4d53af84bf9c6e8c490616

SHA256
c93e16629655420a024d75e837adf71791200b35648b41ea91326adb19e51f1a

SHA512
bd83d572947a954ca905aa0129f91167fe16ff37096791c2fcd44b30285249706bb7b89e9afa7626dbc961aeb1d183aac0a47d1adaa26f191c780b0ad1319205

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Lineamento.tiff

Filesize
872KB

MD5
c6a8a536c1cd7c3f9cb464cf5f5f495b

SHA1
d4f344cdf59d0be87d54e953039446c8137889fb

SHA256
02afb6e64292ff7caa21c9027cd5b27924ad0bc556c5db5f137a572ebf85b3a3

SHA512
e3ce924cee057cfe92f32c8539d2335317ac4f70efd40680c6b09a8daa33f879f39116927e929ebb95094a943c7b583c573e826c34fd3cea313d638c519872c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riaprirmi.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DocHYgMheuaxG\TDOYJL~1.ZIP

Filesize
41KB

MD5
5f8bdf01a69228dcd6ef08c30f4da63c

SHA1
92f7e51a4a55f251aad32c29c6f38b58a2ed2106

SHA256
a9bf43b87d3c5fc3ffc4331bd9ad9590d62eb1636d371363b93027101fc64ca8

SHA512
cdd074804a4c215d2c68cb2a62ac43ef2acfecf69236511115295a3a4283d5509cdbd84e35a00c5b3bde18423078ad81dfc724b1a917fe9fc274868cc52ee205

Download Submit
C:\Users\Admin\AppData\Local\Temp\DocHYgMheuaxG\VNWNCI~1.ZIP

Filesize
41KB

MD5
b3971cea939b8906209132980c8dc4d5

SHA1
d5f8954d2fdcc42f8e13c801d94f3899bcb4a3c2

SHA256
e16c60aa24fed17f1bf037964474b4086701736e38c5832473c3798fdd31e4a1

SHA512
41ed931261635a1470c03738d541a41fd45d35aad39e5f8690a028b21abcd0863eb13c3622dc0149530aeee52e3b2f36b25225ec6c3e6f4b040969ba19a9991b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DocHYgMheuaxG\_Files\_INFOR~1.TXT

Filesize
7KB

MD5
73dd0be102fcd09ee6770a4311827f8f

SHA1
934e31ad93da4fc7e32ac9c101546d03c98d38af

SHA256
0a6bce3d3e1c9c33b3f8d22d7d2e88f33b8a2b73767f071b4c4be84ec21c65c6

SHA512
e15cd0211fdf4dfe8d5e16b02ecdd19ba2622a0178afc405a7daaf2e1f9ab380f23c7d7fb8a45306910d9aa0e48913d8a71a46afb8c0adbf72bcafd98034ee18

Download Submit
C:\Users\Admin\AppData\Local\Temp\DocHYgMheuaxG\_Files\_Information.txt

Filesize
4KB

MD5
a121bd693a43d1fce619913134166602

SHA1
aebb5aa17f4828e03204e440e3fdb30c37d33612

SHA256
86757cb02db92813549d29d655b013c9081e11d2110f8cc7e8cda0a8d6db9bce

SHA512
84c436c3f2ba4cdd6d962ab7efcd89e7c65e52581588bb74c9432918577af3e442ebd8715d98eca517dcaff3e8d19184278f388317d9eae9f027a74602e676d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DocHYgMheuaxG\_Files\_Screen_Desktop.jpeg

Filesize
47KB

MD5
e8e6322c7690792579c7792069c91052

SHA1
12f65f8b8f07dcd60f6fe21c7dee5f6c064f21fc

SHA256
3c44b84e9475b315635905922d06ad93cc1724a661fcb889bf7e21eedae42b44

SHA512
b8e6781cf82645608dc5940d22fe6a2a104161951f7f8ee8c68d158429757ad20bd3a321a6f17fa0affbcbf622e2ea9dc9cbfbfa1c7a41a200cf7f5536c4b0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DocHYgMheuaxG\files_\system_info.txt

Filesize
1KB

MD5
3ece40187e6613fbd9200aba1749a70e

SHA1
fb43d3bee17247f4927a151bf669946a2e390df6

SHA256
96b9a0fc241a6d26b9c07c73b7bbce204089c3fcdaf1688948e5b53b6dceec81

SHA512
96e4e2ac33e3e5dfcfef99b063ca1d565f1bef75b6463a957888fa4de21538dd41423301c0045e537ee7862822c479c777fe733d5ec536424547188d9d974a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DocHYgMheuaxG\files_\system_info.txt

Filesize
7KB

MD5
311e9f063a74784076c4f4ee766defeb

SHA1
86969020ec70aae2cf7a5cd145c4747b156bd764

SHA256
dd522c4c2afa39f6cf055b8ba6f0573abab2d4f3d1765b5e87149b704aaa9532

SHA512
577f456ffd7969b70577de4e52ec815d7a23e6ef45b319abfdb52ed191cc67e6fde472d0ec7debf872e1a83840ccc5a96c59712e6de7389b4d85026f8fb88b86

Download Submit
memory/1300-26-0x0000000004430000-0x0000000004515000-memory.dmp

Filesize
916KB

Download
memory/1300-25-0x0000000004430000-0x0000000004515000-memory.dmp

Filesize
916KB

Download
memory/1300-24-0x0000000004430000-0x0000000004515000-memory.dmp

Filesize
916KB

Download
memory/1300-23-0x0000000004430000-0x0000000004515000-memory.dmp

Filesize
916KB

Download
memory/1300-22-0x0000000004430000-0x0000000004515000-memory.dmp

Filesize
916KB

Download
memory/1300-21-0x0000000004430000-0x0000000004515000-memory.dmp

Filesize
916KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads