Overview

overview

10

Static

static

1

bbb7e921c0...df.exe

windows7-x64

10

bbb7e921c0...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    28s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    27/03/2025, 05:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df.exe

  • Size

    991KB

  • MD5

    731ba8db421ddaff4337a141afd214ae

  • SHA1

    c1076efa4f4dab9890cf04164366251467515a31

  • SHA256

    bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df

  • SHA512

    ba436aff804a0febb7f260d54d5f537849dc2f7efe2f3529dcddb81f2fe68144d0361a912dae0dbea73d5f6f4daa11472c097361adc9272b0bd3618c66657483

  • SSDEEP

    24576:4QJShOWYqQnzsQNvQFe0MTMoBNE+OycrhZkI:nJShdqsQNvQF9MTMoHohZ

Score
10/10
cryptbotdiscoverypersistencespywarestealer

Malware Config

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Cryptbot family
    cryptbot
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df.exe
    "C:\Users\Admin\AppData\Local\Temp\bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\SysWOW64\dllhost.exe
      dllhost.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2200
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c cmd < Raggi.pptx
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1916
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^CShPCOisTFLHXiAgygkKXQUDzWEDpknfxjnCCQcmAkpBXWjWqXDrSGKMYKvFlDoIucjLIXMfSMpLHzFbKHDkHcbOBMERxQfXrAxCJBgekgluvYyEtYUCqWwLYnpW$" Mia.pptx
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2068
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Perde.exe.com
          Perde.exe.com N
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1124
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Perde.exe.com
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Perde.exe.com N
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2932
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\JGUSiZMMMk & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Perde.exe.com"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3052
              • C:\Windows\SysWOW64\timeout.exe
                timeout 4
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:2888
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mia.pptx
    Filesize

    872KB

    MD5

    432db5111c328fc0b87d184f38950567

    SHA1

    bd7cd247b0874d245fba80970bbaf132844eb6d8

    SHA256

    a836ceb844192374b835232831bb2e88ff06d71385a816392afcbbef95ef9127

    SHA512

    cc0fb7c1cf02b8ab54aedd877e5f9202992dfecba67f182aa47f7de16d013db86552943fbc79ce621f95cb7521041d31a5879978b5cfb41fd3b9b89f7328bea7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Raggi.pptx
    Filesize

    403B

    MD5

    c163a504e0afeac1d25b28f0b359ecb4

    SHA1

    c00ee458bee5769915468e619a64a50e67959d61

    SHA256

    ab0cfa4ec32d7c422ffd279c721a35602ec5749ea77b2d7e7d923bb8aac603c8

    SHA512

    88d1c6eb9b0f055794ec842cc7d0e8d02f60fa93aa9a664cab2bb242fc057fe0792f17b6b27892da0db834fade87107314989d578a2475ed6ea3152fe777db37

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sono.pptx
    Filesize

    1.1MB

    MD5

    1c87022d53c02839677e440356200396

    SHA1

    ae6cedf2463b84e6932f8319c30242574747d144

    SHA256

    b8d812701be4452ee3074b4513da75e04fc8eb706a568111ea802869de01a255

    SHA512

    e82ccda8b5938ce52b5766d87d655774f578b0b9271b9d77c48b602d27f1e1e645a6fbb181eca1ac76dcb6f3804003acc41399b57661b4c9f9a4507e2df6c505

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\Perde.exe.com
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • memory/2932-21-0x0000000004080000-0x00000000040C9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2932-22-0x0000000004080000-0x00000000040C9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2932-23-0x0000000004080000-0x00000000040C9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2932-25-0x0000000004080000-0x00000000040C9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2932-24-0x0000000004080000-0x00000000040C9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2932-26-0x0000000004080000-0x00000000040C9000-memory.dmp

    Filesize

    292KB

    Download