Analysis

  • max time kernel
    138s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-01-2024 19:21

General

  • Target

    24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe

  • Size

    7.5MB

  • MD5

    43a8636f8748675fb63d026bae9c73b3

  • SHA1

    e9f2c0a7e105fe35d3bf72b2cd014d32476e0780

  • SHA256

    24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f

  • SHA512

    77bfff59dfa5cff7b66f940e827964635842a5e1ca683ace0af8831e3718f1f542aa5be2628357fa66b7929ad2d0f8fc4b03ede3602a429aef0dfc64e9f8309c

  • SSDEEP

    98304:nVEhTEPMnmpIOHOdMJ7/nATC4K7XsWkkjaHjTo82Pb0cM:nKqPo5MJzATC4C8Wfsj

Malware Config

Extracted

Family

cryptbot

C2

http://fygbib44.top/gate.php

Signatures

  • CryptBot

    A C++ stealer, widely distributed bundled with other software.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe
    "C:\Users\Admin\AppData\Local\Temp\24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe"
    1⤵
    • Checks computer location settings
    • Maps connected drives based on registry
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3652
    • C:\Windows\SysWOW64\cmd.exe
      /C schtasks.exe /create /tn \Ww\dthebvdsci /tr """"C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe""" """C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"""" /sc once /ri 1 /f /du 979:19 /st 00:02
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1360
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /create /tn \Ww\dthebvdsci /tr """"C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe""" """C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"""" /sc once /ri 1 /f /du 979:19 /st 00:02
        3⤵
        • Creates scheduled task(s)
        PID:4400
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\24FCA3CD8AAD055B2284FDF5C0CD73642B88BB19DE7C3.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Windows\SysWOW64\timeout.exe
        timeout -t 5
        3⤵
        • Delays execution with timeout.exe
        PID:5012
  • C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe
    C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe "C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"
    1⤵
    • Executes dropped EXE
    PID:3732
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
    PID:3436
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k UnistackSvcGroup
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3000

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\44DF.tmp

      Filesize

      32B

      MD5

      f62fa00ff1e3844bf2d3d53d54fc0a8f

      SHA1

      f0e8c85ca579b5c0d809753160627f076297bc95

      SHA256

      85dd64573fa57cc40630b496904fc7569978d1311db1371b8be6aaba1adc353c

      SHA512

      7d18c8c939f8d6ce60b09ec1547e00cbfc2c4b1467136f22968d9d004ec702ac8f8c5c8b619f450297570c6f3848bd7acf5dc34a24a817b43ec32bdfa1709c70

    • C:\Users\Admin\AppData\Local\Temp\45CD.tmp

      Filesize

      1KB

      MD5

      437a5a1968be68206c15a039c90ce228

      SHA1

      9379e1032875cdc314d263d4e7c33109213e72e3

      SHA256

      ca903d755a63e7ff12cc83d2ba910d8df079e388eb44342a4996bce89721f2dd

      SHA512

      f4f31246b81c4f95f198fd33142dccef67212d48720cf6761f05e8f56024f8f3509132ab77ed82811d11692f693be2d3d7537e2ae23acb7d808b3a648d289278

    • C:\Users\Admin\AppData\Local\Temp\49EF.tmp

      Filesize

      2KB

      MD5

      8229d8d555f11acd57b19bd4664d11ef

      SHA1

      b6f7e1c7fdfa542212166b1824a2b8bb60c2488a

      SHA256

      1cf3ae1ee22facb1b187d73f95b6ab8e507f289192d37bcb71b8bcb437b37779

      SHA512

      b536a26578154b31c557655ee69ce1380918d5f3d4b03b639a559b17fa23a7ee46cfdc94cf0b3e35568eabafe690e055636a1082001644244b78a82706b5a03d

    • C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm

      Filesize

      131KB

      MD5

      205adf0244fdafdf409d366d1618ca07

      SHA1

      cda1296a776c9f4fadf0ca6def2822e47c3b3b6a

      SHA256

      71be9814ee36a738ecca0d0d62e0172223bd32ee68b20727f42b4269f408d944

      SHA512

      3b3be95ace9c74cded169a3692a5e013451353e9002da767c57fa50c1f105f5642e4377a6272174c43341308f42373f75c160b5320aa43e4bf5b38e967062fbf

    • C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe

      Filesize

      872KB

      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    • memory/3000-107-0x0000011EF8880000-0x0000011EF8890000-memory.dmp

      Filesize

      64KB

    • memory/3000-123-0x0000011EF8980000-0x0000011EF8990000-memory.dmp

      Filesize

      64KB

    • memory/3000-139-0x0000011EFCCF0000-0x0000011EFCCF1000-memory.dmp

      Filesize

      4KB

    • memory/3000-141-0x0000011EFCD20000-0x0000011EFCD21000-memory.dmp

      Filesize

      4KB

    • memory/3000-142-0x0000011EFCD20000-0x0000011EFCD21000-memory.dmp

      Filesize

      4KB

    • memory/3000-143-0x0000011EFCE30000-0x0000011EFCE31000-memory.dmp

      Filesize

      4KB

    • memory/3652-104-0x00000000009D0000-0x0000000000A8D000-memory.dmp

      Filesize

      756KB

    • memory/3652-4-0x00000000009D0000-0x0000000000A8D000-memory.dmp

      Filesize

      756KB

    • memory/3652-0-0x00000000009D0000-0x0000000000A8D000-memory.dmp

      Filesize

      756KB

    • memory/3652-1-0x00000000004F0000-0x00000000004F3000-memory.dmp

      Filesize

      12KB