cryptbot | bfd5c9433c4242347c9538b7106467e97bb2aef87dd62fa085368346f84981d1

General

Target

bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df.exe
Size

991KB
MD5

731ba8db421ddaff4337a141afd214ae
SHA1

c1076efa4f4dab9890cf04164366251467515a31
SHA256

bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df
SHA512

ba436aff804a0febb7f260d54d5f537849dc2f7efe2f3529dcddb81f2fe68144d0361a912dae0dbea73d5f6f4daa11472c097361adc9272b0bd3618c66657483
SSDEEP

24576:4QJShOWYqQnzsQNvQFe0MTMoBNE+OycrhZkI:nJShdqsQNvQF9MTMoHohZ

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Executes dropped EXE 2 IoCs

pid	Process
4960	Perde.exe.com
2708	Perde.exe.com

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perde.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Perde.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5596	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Perde.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Perde.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5596	PING.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4960	Perde.exe.com
4960	Perde.exe.com
4960	Perde.exe.com
2708	Perde.exe.com
2708	Perde.exe.com
2708	Perde.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4960	Perde.exe.com
4960	Perde.exe.com
4960	Perde.exe.com
2708	Perde.exe.com
2708	Perde.exe.com
2708	Perde.exe.com

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 1164	4160	bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df.exe	86
PID 4160 wrote to memory of 1164	4160	bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df.exe	86
PID 4160 wrote to memory of 1164	4160	bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df.exe	86
PID 4160 wrote to memory of 3816	4160	bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df.exe	87
PID 4160 wrote to memory of 3816	4160	bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df.exe	87
PID 4160 wrote to memory of 3816	4160	bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df.exe	87
PID 3816 wrote to memory of 4352	3816	cmd.exe	89
PID 3816 wrote to memory of 4352	3816	cmd.exe	89
PID 3816 wrote to memory of 4352	3816	cmd.exe	89
PID 4352 wrote to memory of 6128	4352	cmd.exe	90
PID 4352 wrote to memory of 6128	4352	cmd.exe	90
PID 4352 wrote to memory of 6128	4352	cmd.exe	90
PID 4352 wrote to memory of 4960	4352	cmd.exe	91
PID 4352 wrote to memory of 4960	4352	cmd.exe	91
PID 4352 wrote to memory of 4960	4352	cmd.exe	91
PID 4352 wrote to memory of 5596	4352	cmd.exe	92
PID 4352 wrote to memory of 5596	4352	cmd.exe	92
PID 4352 wrote to memory of 5596	4352	cmd.exe	92
PID 4960 wrote to memory of 2708	4960	Perde.exe.com	95
PID 4960 wrote to memory of 2708	4960	Perde.exe.com	95
PID 4960 wrote to memory of 2708	4960	Perde.exe.com	95

C:\Users\Admin\AppData\Local\Temp\bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df.exe
"C:\Users\Admin\AppData\Local\Temp\bbb7e921c02c44367f13533453ae6d3ab8390dc1e7a4ef27ecc655b76b3248df.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Windows\SysWOW64\dllhost.exe
  dllhost.exe
  2⤵
  PID:1164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Raggi.pptx
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^CShPCOisTFLHXiAgygkKXQUDzWEDpknfxjnCCQcmAkpBXWjWqXDrSGKMYKvFlDoIucjLIXMfSMpLHzFbKHDkHcbOBMERxQfXrAxCJBgekgluvYyEtYUCqWwLYnpW$" Mia.pptx
      4⤵
      System Location Discovery: System Language Discovery
      PID:6128
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Perde.exe.com
      Perde.exe.com N
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Perde.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Perde.exe.com N
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2708
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mia.pptx

Filesize
872KB

MD5
432db5111c328fc0b87d184f38950567

SHA1
bd7cd247b0874d245fba80970bbaf132844eb6d8

SHA256
a836ceb844192374b835232831bb2e88ff06d71385a816392afcbbef95ef9127

SHA512
cc0fb7c1cf02b8ab54aedd877e5f9202992dfecba67f182aa47f7de16d013db86552943fbc79ce621f95cb7521041d31a5879978b5cfb41fd3b9b89f7328bea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Perde.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Raggi.pptx

Filesize
403B

MD5
c163a504e0afeac1d25b28f0b359ecb4

SHA1
c00ee458bee5769915468e619a64a50e67959d61

SHA256
ab0cfa4ec32d7c422ffd279c721a35602ec5749ea77b2d7e7d923bb8aac603c8

SHA512
88d1c6eb9b0f055794ec842cc7d0e8d02f60fa93aa9a664cab2bb242fc057fe0792f17b6b27892da0db834fade87107314989d578a2475ed6ea3152fe777db37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sono.pptx

Filesize
1.1MB

MD5
1c87022d53c02839677e440356200396

SHA1
ae6cedf2463b84e6932f8319c30242574747d144

SHA256
b8d812701be4452ee3074b4513da75e04fc8eb706a568111ea802869de01a255

SHA512
e82ccda8b5938ce52b5766d87d655774f578b0b9271b9d77c48b602d27f1e1e645a6fbb181eca1ac76dcb6f3804003acc41399b57661b4c9f9a4507e2df6c505

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnrcIPKmLCIbq\_Files\_Information.txt

Filesize
1KB

MD5
0cd7f4206702d06e74832dc829330520

SHA1
9bb5812e7883fee24e86354af3b55e7ed72febf5

SHA256
ca91b1b48bccedcce612efe91d06be44b6d0649aaa6d7b253062e9a60df48b57

SHA512
75b6afec6b808f663cea1023d771bf2f9cbb997b260cb11de471cd838c836f65565249c7aef16da150b01e0c788754544afd53b32377208ecbf63545f01cd099

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnrcIPKmLCIbq\_Files\_Information.txt

Filesize
7KB

MD5
6567d8062e023eef66396797a6c65409

SHA1
7b13590deb7ae9aa37d7cb64b00d7a8807e31722

SHA256
17aef2a991f293dc042c18bf4a2d498526526de68c3ded3934b4ca1c6eb10f74

SHA512
d15cd497d97fb1a26d4f3fba8596f0a48b8d93f8376df81f005d66ced2dbf97f6a0cc715817052e3c71a917cac68469025b1a99fb84d3070fe52af8091c0276d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnrcIPKmLCIbq\_Files\_Screen_Desktop.jpeg

Filesize
51KB

MD5
8fffbeb2f94b1cdd284134ecf99b965e

SHA1
7b1b913d74027063fb8cc416553be1e822ff8dc6

SHA256
3ccef52f36ef61645853ccbd6b6bbe378627ea1467fd24c0fdcf712eb03ab72e

SHA512
d59fd3b12d891b9b2c7133a16fba4f79b0118b4b23ac4bb51042177ccb798db0611da315823809a4ee205215aa3b5485cde4345bece327012b2a93ebbfa49f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnrcIPKmLCIbq\vkbrxndqWNFth.zip

Filesize
46KB

MD5
a7439a02d31e733b9ac1533016e5c851

SHA1
cf541348e3a81fa97b7035a22cbc8a051f3ec783

SHA256
1dfdf0c2ffaf9b09a4f8cc3e360f388fd3a5251dc84549efe63942c5c451fd66

SHA512
44ba1e20f5841c5abd5c97e8925302b52a3a86653282fc54321845803f6610eba3aa16216bc2ef74e20bf18e77d081e400989e3c1fc7af809d324dc13fbe929b

Download Submit
memory/2708-21-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download
memory/2708-24-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download
memory/2708-23-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download
memory/2708-22-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download
memory/2708-20-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download
memory/2708-19-0x00000000003A0000-0x00000000003E9000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads