Analysis
-
max time kernel
138s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
21-01-2024 19:21
Static task
static1
Behavioral task
behavioral1
Sample
24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe
Resource
win7-20231215-en
General
-
Target
24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe
-
Size
7.5MB
-
MD5
43a8636f8748675fb63d026bae9c73b3
-
SHA1
e9f2c0a7e105fe35d3bf72b2cd014d32476e0780
-
SHA256
24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f
-
SHA512
77bfff59dfa5cff7b66f940e827964635842a5e1ca683ace0af8831e3718f1f542aa5be2628357fa66b7929ad2d0f8fc4b03ede3602a429aef0dfc64e9f8309c
-
SSDEEP
98304:nVEhTEPMnmpIOHOdMJ7/nATC4K7XsWkkjaHjTo82Pb0cM:nKqPo5MJzATC4C8Wfsj
Malware Config
Extracted
cryptbot
http://fygbib44.top/gate.php
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation 24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe -
Executes dropped EXE 1 IoCs
Processes:
sartst.exepid process 3732 sartst.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum 24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz 24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 5012 timeout.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exepid process 3652 24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe 3652 24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
svchost.exedescription pid process Token: SeManageVolumePrivilege 3000 svchost.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.execmd.execmd.exedescription pid process target process PID 3652 wrote to memory of 1360 3652 24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe cmd.exe PID 3652 wrote to memory of 1360 3652 24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe cmd.exe PID 3652 wrote to memory of 1360 3652 24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe cmd.exe PID 1360 wrote to memory of 4400 1360 cmd.exe schtasks.exe PID 1360 wrote to memory of 4400 1360 cmd.exe schtasks.exe PID 1360 wrote to memory of 4400 1360 cmd.exe schtasks.exe PID 3652 wrote to memory of 1984 3652 24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe cmd.exe PID 3652 wrote to memory of 1984 3652 24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe cmd.exe PID 3652 wrote to memory of 1984 3652 24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe cmd.exe PID 1984 wrote to memory of 5012 1984 cmd.exe timeout.exe PID 1984 wrote to memory of 5012 1984 cmd.exe timeout.exe PID 1984 wrote to memory of 5012 1984 cmd.exe timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe"C:\Users\Admin\AppData\Local\Temp\24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe"1⤵
- Checks computer location settings
- Maps connected drives based on registry
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\SysWOW64\cmd.exe/C schtasks.exe /create /tn \Ww\dthebvdsci /tr """"C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe""" """C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"""" /sc once /ri 1 /f /du 979:19 /st 00:022⤵
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn \Ww\dthebvdsci /tr """"C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe""" """C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"""" /sc once /ri 1 /f /du 979:19 /st 00:023⤵
- Creates scheduled task(s)
PID:4400 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\timeout.exetimeout -t 53⤵
- Delays execution with timeout.exe
PID:5012
-
C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exeC:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe "C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"1⤵
- Executes dropped EXE
PID:3732
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:3436
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
32B
MD5f62fa00ff1e3844bf2d3d53d54fc0a8f
SHA1f0e8c85ca579b5c0d809753160627f076297bc95
SHA25685dd64573fa57cc40630b496904fc7569978d1311db1371b8be6aaba1adc353c
SHA5127d18c8c939f8d6ce60b09ec1547e00cbfc2c4b1467136f22968d9d004ec702ac8f8c5c8b619f450297570c6f3848bd7acf5dc34a24a817b43ec32bdfa1709c70
-
Filesize
1KB
MD5437a5a1968be68206c15a039c90ce228
SHA19379e1032875cdc314d263d4e7c33109213e72e3
SHA256ca903d755a63e7ff12cc83d2ba910d8df079e388eb44342a4996bce89721f2dd
SHA512f4f31246b81c4f95f198fd33142dccef67212d48720cf6761f05e8f56024f8f3509132ab77ed82811d11692f693be2d3d7537e2ae23acb7d808b3a648d289278
-
Filesize
2KB
MD58229d8d555f11acd57b19bd4664d11ef
SHA1b6f7e1c7fdfa542212166b1824a2b8bb60c2488a
SHA2561cf3ae1ee22facb1b187d73f95b6ab8e507f289192d37bcb71b8bcb437b37779
SHA512b536a26578154b31c557655ee69ce1380918d5f3d4b03b639a559b17fa23a7ee46cfdc94cf0b3e35568eabafe690e055636a1082001644244b78a82706b5a03d
-
Filesize
131KB
MD5205adf0244fdafdf409d366d1618ca07
SHA1cda1296a776c9f4fadf0ca6def2822e47c3b3b6a
SHA25671be9814ee36a738ecca0d0d62e0172223bd32ee68b20727f42b4269f408d944
SHA5123b3be95ace9c74cded169a3692a5e013451353e9002da767c57fa50c1f105f5642e4377a6272174c43341308f42373f75c160b5320aa43e4bf5b38e967062fbf
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c