Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 23-01-2024 01:15

Static task: static1
Behavioral task: behavioral1
  Sample: 24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe
  Resource: win7-20231215-en
General
- Target: 24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe
- Size: 7.5MB
- MD5: 43a8636f8748675fb63d026bae9c73b3
- SHA1: e9f2c0a7e105fe35d3bf72b2cd014d32476e0780
- SHA256: 24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f
- SHA512: 77bfff59dfa5cff7b66f940e827964635842a5e1ca683ace0af8831e3718f1f542aa5be2628357fa66b7929ad2d0f8fc4b03ede3602a429aef0dfc64e9f8309c
- SSDEEP: 98304:nVEhTEPMnmpIOHOdMJ7/nATC4K7XsWkkjaHjTo82Pb0cM:nKqPo5MJzATC4C8Wfsj
Malware Config
Extracted
cryptbot
http://fygbib44.top/gate.php
Signatures
-
Deletes itself (1 IoC)
Processes:
  pid   process
  1320  cmd.exe
-
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  1504  sartst.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                          process
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum    24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                      process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                         24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString     24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                    24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe (1 IoC)
Processes:
  pid   process
  1848  timeout.exe
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid   process
  1696  24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe
-
Suspicious use of WriteProcessMemory (20 IoCs)
Processes: 24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe, cmd.exe, cmd.exe, taskeng.exe
  description                        pid   process                                                                target process  occurrences
  PID 1696 wrote to memory of 2412   1696  24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe  cmd.exe         4
  PID 2412 wrote to memory of 2460   2412  cmd.exe                                                                schtasks.exe    4
  PID 1696 wrote to memory of 1320   1696  24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe  cmd.exe         4
  PID 1320 wrote to memory of 1848   1320  cmd.exe                                                                timeout.exe     4
  PID 2916 wrote to memory of 1504   2916  taskeng.exe                                                            sartst.exe      4
Processes
-
C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe"
  - Maps connected drives based on registry
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1696

    C:\Windows\SysWOW64\cmd.exe
      Command line: /C schtasks.exe /create /tn \Ww\dthebvdsci /tr """"C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe""" """C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"""" /sc once /ri 1 /f /du 979:19 /st 00:02
      - Suspicious use of WriteProcessMemory
      PID: 2412

        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks.exe /create /tn \Ww\dthebvdsci /tr """"C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe""" """C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"""" /sc once /ri 1 /f /du 979:19 /st 00:02
          - Creates scheduled task(s)
          PID: 2460

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1320

        C:\Windows\SysWOW64\timeout.exe
          Command line: timeout -t 5
          - Delays execution with timeout.exe
          PID: 1848
-
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {35DD2874-F2B1-443B-9304-DD3F6142C5B9} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 2916

    C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe
      Command line: C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe "C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"
      - Executes dropped EXE
      PID: 1504
Network
MITRE ATT&CK Enterprise v15
Downloads