Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-01-2024 19:21

General

  • Target

    24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe

  • Size

    7.5MB

  • MD5

    43a8636f8748675fb63d026bae9c73b3

  • SHA1

    e9f2c0a7e105fe35d3bf72b2cd014d32476e0780

  • SHA256

    24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f

  • SHA512

    77bfff59dfa5cff7b66f940e827964635842a5e1ca683ace0af8831e3718f1f542aa5be2628357fa66b7929ad2d0f8fc4b03ede3602a429aef0dfc64e9f8309c

  • SSDEEP

    98304:nVEhTEPMnmpIOHOdMJ7/nATC4K7XsWkkjaHjTo82Pb0cM:nKqPo5MJzATC4C8Wfsj

Malware Config

Extracted

Family

cryptbot

C2

http://fygbib44.top/gate.php

Signatures

  • CryptBot

    A C++ stealer that is widely distributed bundled with other software.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe
    "C:\Users\Admin\AppData\Local\Temp\24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe"
    1⤵
    • Maps connected drives based on registry
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Windows\SysWOW64\cmd.exe
      /C schtasks.exe /create /tn \Ww\dthebvdsci /tr """"C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe""" """C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"""" /sc once /ri 1 /f /du 979:19 /st 00:02
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /create /tn \Ww\dthebvdsci /tr """"C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe""" """C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"""" /sc once /ri 1 /f /du 979:19 /st 00:02
        3⤵
        • Creates scheduled task(s)
        PID:1888
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\SysWOW64\timeout.exe
        timeout -t 5
        3⤵
        • Delays execution with timeout.exe
        PID:2848
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {08D83EAF-66D9-4A7D-A708-140C8A83B7A9} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe
      C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe "C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"
      2⤵
      • Executes dropped EXE
      PID:1704

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\5C97.tmp

    Filesize

    32B

    MD5

    7abc3c55ef7a800a7d401f89266a7020

    SHA1

    3722eb1d69211675424888bf2b30f300342c8e27

    SHA256

    8d277404ab24c960a7cd89358067a7e4dd03dcdffc2a319bc5bcae65121b6f8e

    SHA512

    2357bda3db7b81f3faa824eb7c62e164386906ad956fbbe60f4db86a2419bac4e458ef2a2b2fc3f369047a2bad0b7b04f8efaa0b361ea9327400eb10d0aca6ef

  • C:\Users\Admin\AppData\Local\Temp\5D95.tmp

    Filesize

    114KB

    MD5

    ad744014b6f94499aa8f0d8637b516c4

    SHA1

    ecda999247b671ebf688540815576c6a223e01d2

    SHA256

    ed37ec732417d663e48ef8187413def51433a6b83cf1d3babb5fefd39b5189d7

    SHA512

    43c1e8d45216d376d1dab7cd54eefc4edcb6b53be66cf0db30fb7d20ea0b5cbe456c5395b061ac61fc2bfd59d8431c2ca2678cc4f4134c8fc60244bfab88e3d6

  • C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm

    Filesize

    131KB

    MD5

    205adf0244fdafdf409d366d1618ca07

    SHA1

    cda1296a776c9f4fadf0ca6def2822e47c3b3b6a

    SHA256

    71be9814ee36a738ecca0d0d62e0172223bd32ee68b20727f42b4269f408d944

    SHA512

    3b3be95ace9c74cded169a3692a5e013451353e9002da767c57fa50c1f105f5642e4377a6272174c43341308f42373f75c160b5320aa43e4bf5b38e967062fbf

  • C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe

    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • memory/2900-0-0x0000000000460000-0x000000000051D000-memory.dmp

    Filesize

    756KB

  • memory/2900-1-0x0000000000020000-0x0000000000023000-memory.dmp

    Filesize

    12KB

  • memory/2900-4-0x0000000000460000-0x000000000051D000-memory.dmp

    Filesize

    756KB

  • memory/2900-78-0x0000000000460000-0x000000000051D000-memory.dmp

    Filesize

    756KB