Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-01-2024 01:15

General

  • Target

    24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe

  • Size

    7.5MB

  • MD5

    43a8636f8748675fb63d026bae9c73b3

  • SHA1

    e9f2c0a7e105fe35d3bf72b2cd014d32476e0780

  • SHA256

    24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f

  • SHA512

    77bfff59dfa5cff7b66f940e827964635842a5e1ca683ace0af8831e3718f1f542aa5be2628357fa66b7929ad2d0f8fc4b03ede3602a429aef0dfc64e9f8309c

  • SSDEEP

    98304:nVEhTEPMnmpIOHOdMJ7/nATC4K7XsWkkjaHjTo82Pb0cM:nKqPo5MJzATC4C8Wfsj

Malware Config

Extracted

Family

cryptbot

C2

http://fygbib44.top/gate.php

Signatures

  • CryptBot

    A C++ stealer that is widely distributed bundled with other software.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe
    "C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe"
    1⤵
    • Maps connected drives based on registry
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Windows\SysWOW64\cmd.exe
      /C schtasks.exe /create /tn \Ww\dthebvdsci /tr """"C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe""" """C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"""" /sc once /ri 1 /f /du 979:19 /st 00:02
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /create /tn \Ww\dthebvdsci /tr """"C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe""" """C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"""" /sc once /ri 1 /f /du 979:19 /st 00:02
        3⤵
        • Creates scheduled task(s)
        PID:2460
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Windows\SysWOW64\timeout.exe
        timeout -t 5
        3⤵
        • Delays execution with timeout.exe
        PID:1848
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {35DD2874-F2B1-443B-9304-DD3F6142C5B9} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe
      C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe "C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"
      2⤵
      • Executes dropped EXE
      PID:1504

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1C6C.tmp

    Filesize

    32B

    MD5

    a2a4dde187bcacb3ae59249131b3e9fd

    SHA1

    1c3ef8070e076acc8fabbbec63b4c3ae6d3bed43

    SHA256

    8a8a3e8ccbb5feebd2187a58f01bb239083b956dc9bb7aaffc46607301598ae1

    SHA512

    f81441ec2a6efeed5ace449fe955eceb19d49d09858b24b95e4dee60cc60bc30ea5aa17ffdd0f4852b073ce778598de2da6e810367fb9e583cc1d3d62b35e9e8

  • C:\Users\Admin\AppData\Local\Temp\1D1C.tmp

    Filesize

    114KB

    MD5

    7a85bc397ce203d588eec1e25ee57189

    SHA1

    d518b6c4d029c178b0e01d4b55b1d15dbbb093c4

    SHA256

    98ab6097c476f36890c60a281601588c163516cb49c544ad1842dc3e443329fd

    SHA512

    4de5cd964ee069d5c9c8f120d6d083ed2cc7c76bf9f4341a31c8e484486758289fb10fb2af33bed1de4fd42e2eb62ef5c069e58c6d247b0e366414ed6f64624c

  • C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm

    Filesize

    131KB

    MD5

    205adf0244fdafdf409d366d1618ca07

    SHA1

    cda1296a776c9f4fadf0ca6def2822e47c3b3b6a

    SHA256

    71be9814ee36a738ecca0d0d62e0172223bd32ee68b20727f42b4269f408d944

    SHA512

    3b3be95ace9c74cded169a3692a5e013451353e9002da767c57fa50c1f105f5642e4377a6272174c43341308f42373f75c160b5320aa43e4bf5b38e967062fbf

  • C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe

    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • memory/1696-0-0x00000000003A0000-0x000000000045D000-memory.dmp

    Filesize

    756KB

  • memory/1696-1-0x0000000000020000-0x0000000000023000-memory.dmp

    Filesize

    12KB

  • memory/1696-4-0x00000000003A0000-0x000000000045D000-memory.dmp

    Filesize

    756KB

  • memory/1696-75-0x00000000003A0000-0x000000000045D000-memory.dmp

    Filesize

    756KB