Analysis

max time kernel: 140s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-01-2024 01:15

Static task: static1
Behavioral task: behavioral1
  Sample: 24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe
  Resource: win7-20231215-en
General

Target: 24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe
Size: 7.5MB
MD5: 43a8636f8748675fb63d026bae9c73b3
SHA1: e9f2c0a7e105fe35d3bf72b2cd014d32476e0780
SHA256: 24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f
SHA512: 77bfff59dfa5cff7b66f940e827964635842a5e1ca683ace0af8831e3718f1f542aa5be2628357fa66b7929ad2d0f8fc4b03ede3602a429aef0dfc64e9f8309c
SSDEEP: 98304:nVEhTEPMnmpIOHOdMJ7/nATC4K7XsWkkjaHjTo82Pb0cM:nKqPo5MJzATC4C8Wfsj
Malware Config

Extracted config, family cryptbot: http://fygbib44.top/gate.php
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Process: 24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
Process: sartst.exe (PID 5052)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Process: 24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: 24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe (PID 4292)

Delays execution with timeout.exe (1 IoC)
Process: timeout.exe (PID 3592)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: 24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe (PID 5116), 2 events

Suspicious use of WriteProcessMemory (12 IoCs)
Source PID and process -> target PID and process (events)
  5116 24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe -> 2968 cmd.exe (3)
  2968 cmd.exe -> 4292 schtasks.exe (3)
  5116 24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe -> 832 cmd.exe (3)
  832 cmd.exe -> 3592 timeout.exe (3)
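The registry reads behind three of the signatures above (Geo\Nation, Disk\Enum, CentralProcessor\0) are the fingerprint of a geofence plus sandbox-detection pass before the stealer does anything noisy. The following Python is an example added to this page, not tooling from the sandbox vendor or code from the sample: it classifies registry-read telemetry into those categories and groups hits per process. The event format (process, operation, native key path) is an assumption modelled on the IoC rows; the events are constructed copies of those rows plus one benign read for contrast.

```python
"""Classify registry reads into the anti-analysis and geofence categories this
report flags.

Added example for this page; not sandbox-vendor tooling or code from the sample.
The (process, operation, key path) event shape is an assumption modelled on the
report's IoC rows; EVENTS below are constructed copies of those rows plus one
benign read.
"""
import re
from collections import defaultdict
from typing import Optional

# Native key paths are normalised to HKU/HKLM first.  HKU paths carry a SID,
# so the user hive is matched with a wildcard component.
RULES = [
    ("geofence",
     re.compile(r"^HKU\\[^\\]+\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("drive_enumeration",
     re.compile(r"^HKLM\\SYSTEM\\ControlSet\d+\\Services\\Disk\\Enum(\\\d+)?$", re.I)),
    ("cpu_fingerprint",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\[^\\]+)?$", re.I)),
]


def normalize_key(path: str) -> str:
    """Map \\REGISTRY\\USER\\... and \\REGISTRY\\MACHINE\\... to HKU\\... and HKLM\\..."""
    p = re.sub(r"^\\REGISTRY\\USER\\", lambda m: "HKU\\", path.strip(), flags=re.I)
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", lambda m: "HKLM\\", p, flags=re.I)
    return p


def classify_key(path: str) -> Optional[str]:
    """Return the behaviour label for a key path, or None if it matches no rule."""
    key = normalize_key(path)
    for label, rx in RULES:
        if rx.match(key):
            return label
    return None


def score_processes(events):
    """Return {process: sorted list of behaviour labels}.  A process that hits
    two or more categories (geofence plus hardware fingerprinting, as here)
    is the one worth escalating; a single hit is common in benign software."""
    hits = defaultdict(set)
    for proc, _op, key in events:
        label = classify_key(key)
        if label:
            hits[proc].add(label)
    return {p: sorted(v) for p, v in hits.items()}


SAMPLE = "24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe"
SID = "S-1-5-21-2398549320-3657759451-817663969-1000"
EVENTS = [  # constructed from the IoC rows in the Signatures section
    (SAMPLE, "query", rf"\REGISTRY\USER\{SID}\Control Panel\International\Geo\Nation"),
    (SAMPLE, "open",  r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum"),
    (SAMPLE, "query", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0"),
    (SAMPLE, "query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"),
    (SAMPLE, "open",  r"\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0"),
    (SAMPLE, "query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    # benign control: a read that matches none of the rules
    ("explorer.exe", "query", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]

if __name__ == "__main__":
    for proc, labels in score_processes(EVENTS).items():
        print(proc, "->", ", ".join(labels))
```

Caveat on data sources: these are registry reads, and Sysmon records registry creates, deletes, value sets and renames but not reads, so the rules need query-level telemetry from a sandbox or an EDR that logs RegQueryValue and RegOpenKey.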
Processes

C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe (PID 5116)
  Command line: "C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe"
  - Checks computer location settings
  - Maps connected drives based on registry
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 2968)
    Command line: /C schtasks.exe /create /tn \Ww\dthebvdsci /tr """"C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe""" """C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"""" /sc once /ri 1 /f /du 979:19 /st 00:02
    - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 832)
    Command line: "C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe (PID 3592)
      Command line: timeout -t 5
      - Delays execution with timeout.exe

C:\Windows\SysWOW64\schtasks.exe (PID 4292)
  Command line: schtasks.exe /create /tn \Ww\dthebvdsci /tr """"C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe""" """C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"""" /sc once /ri 1 /f /du 979:19 /st 00:02
  - Creates scheduled task(s)
  (Shown at the top level of the tree; the WriteProcessMemory rows above record cmd.exe PID 2968 writing to this process.)

C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe (PID 5052)
  Command line: C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe "C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"
  - Executes dropped EXE
  (Matches the /tr action of the scheduled task above: the dropped executable is run with the .chm path as its argument.)
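Two command lines in the tree carry the post-infection logic. The schtasks call registers a task that, despite /sc once, re-runs every minute (/ri 1) for 979 hours 19 minutes (/du 979:19) from 00:02 (/st), force-replacing any task of the same name (/f); the doubled quotes in /tr are how a quoted program path and a quoted argument survive cmd.exe and schtasks parsing as one task action, and the resulting process (sartst.exe with the .chm path as argument) is the last entry in the tree. The second cmd.exe waits five seconds and deletes the original dropper. The following Python is an example added to this page, not code from the sandbox vendor or the sample: it parses such command lines into their flags and emits findings. The command lines are copied from the tree; the thresholds used to flag them (AppData paths, repetition for a day or more) are assumptions chosen for this illustration.

```python
"""Pull persistence and self-deletion indicators out of Windows command lines
like the ones in this report's process tree.

Added example for this page; not code from the sandbox vendor or the sample.
CMDLINES are copied from the tree; the flag thresholds are assumptions chosen
for illustration.
"""
import re
from typing import Optional


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Return {flag: value} for a schtasks invocation, or None if there is none.
    A value runs until the next ' /flag', so /tr keeps its embedded quotes."""
    m = re.search(r"schtasks(?:\.exe)?\s+(.*)$", cmdline, re.I | re.S)
    if not m:
        return None
    opts = {}
    for part in re.split(r"\s+(?=/\w+\b)", m.group(1).strip()):
        mm = re.match(r"/(\w+)(?:\s+(.*))?$", part, re.S)
        if mm:
            opts[mm.group(1).lower()] = (mm.group(2) or "").strip()
    return opts


def duration_minutes(du: Optional[str]) -> Optional[int]:
    """schtasks /DU is HHHH:MM, so 979:19 is 979 h 19 min."""
    if not du or not re.fullmatch(r"\d+:\d{2}", du):
        return None
    h, m = du.split(":")
    return int(h) * 60 + int(m)


def action_paths(tr: str) -> list:
    """Windows paths inside /tr, regardless of the doubled-quote escaping."""
    return re.findall(r'[A-Za-z]:\\[^"]+', tr)


def assess_schtasks(opts: dict) -> list:
    """Heuristic findings for a /create call (thresholds are assumptions)."""
    findings = []
    if "create" not in opts:
        return findings
    paths = action_paths(opts.get("tr", ""))
    if any(re.search(r"\\AppData\\(Roaming|Local)\\", p, re.I) for p in paths):
        findings.append("task action lives in a user-writable AppData directory: " + paths[0])
    if opts.get("sc", "").lower() == "once" and "ri" in opts:
        mins = duration_minutes(opts.get("du"))
        if mins is None or mins >= 24 * 60:
            findings.append(f"/sc once with /ri {opts['ri']} and /du {opts.get('du', '(none)')}: "
                            f"re-runs every {opts['ri']} min for {mins} min, effectively persistence")
    if "f" in opts:
        findings.append("/f silently replaces any existing task named " + opts.get("tn", "?"))
    return findings


# 'cmd /c timeout N && del <file>': timeout.exe accepts both /t and -t.
SELF_DELETE = re.compile(r'timeout\s+(?:/t|-t)\s+(\d+)\s*&&\s*del\s+"?([^"&]+)"?', re.I)


def parse_self_delete(cmdline: str) -> Optional[dict]:
    """Detect the delayed self-delete chain and return its delay and target."""
    m = SELF_DELETE.search(cmdline)
    if not m:
        return None
    return {"delay_s": int(m.group(1)), "target": m.group(2).strip()}


def analyze(cmdlines) -> list:
    """One finding list per command line; empty where nothing matched."""
    out = []
    for c in cmdlines:
        f = []
        opts = parse_schtasks(c)
        if opts:
            f += assess_schtasks(opts)
        sd = parse_self_delete(c)
        if sd:
            f.append(f"self-delete after {sd['delay_s']} s: {sd['target']}")
        out.append(f)
    return out


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe"
CMDLINES = [  # copied from the process tree above
    r'cmd.exe /C schtasks.exe /create /tn \Ww\dthebvdsci /tr """"C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe""" """C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"""" /sc once /ri 1 /f /du 979:19 /st 00:02',
    rf'"C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "{SAMPLE}"',
    r'C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe "C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"',
]

if __name__ == "__main__":
    for c, findings in zip(CMDLINES, analyze(CMDLINES)):
        print(c[:70] + ("..." if len(c) > 70 else ""))
        for f in findings:
            print("   -", f)
```

The parser deliberately does not tokenise like CommandLineToArgvW; splitting on the next ' /flag' is enough to recover /tn, /sc, /ri, /du and /f exactly, and it keeps the /tr value intact so the paths can be pulled out with a plain drive-letter match. On a live host the same task would be found with the task name (\Ww\dthebvdsci) and the action path under AppData\Roaming\jkpopel.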
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 32B
MD5: d5279b23e73b246952ab02a90b7d1032
SHA1: d94f076f31453d3582ffe0ce42089b6e5b7581f3
SHA256: 9723a13b2b24262593dc50423fa36507229fd3965f85dfbe80ee41efc479d697
SHA512: 6501055c3159da7ca5e1c3afbd844623861667410a158bab8f6e06b013db46c9ea175d65d5e2c8ec76e4c9fc10b732d79d79cb1d52fdffa48fa831c4e8eeb24b

Filesize: 115KB
MD5: 3e26c78bfa01de9d5406729f54686644
SHA1: ef5eee8e368cc7daec9854dfdf5f57df22a0cd8d
SHA256: f5f984824d787c65bb3e7a6e2f47313b1b9ca2ee4a5d4c001d89f6521eda62d3
SHA512: 2879d64c012758735123adcda3226abb14bd60aa1d7b9380a27b1d8095e2a002ec87527e9b49c90805d5e024cc26f6c13b91ca8bbdb6276c6a47ce409f106820

Filesize: 2KB
MD5: ea2b0ecc952f7c6f9794722de9e10027
SHA1: d7936a2bbb28ed5d99ec70636bb021b8f65fd095
SHA256: 934a08c0dfecd7fddf8fc87c7c7f9d09ac470e683e5e474966a258d725e80191
SHA512: 1fa5a06414be1730cc176080e49e5d4577222c174162a89aaf29165f4810c320c09481e239e50aac58cffed722d4fb314a8d99ffef61cf46a66e53040f4c2090

Filesize: 131KB
MD5: 205adf0244fdafdf409d366d1618ca07
SHA1: cda1296a776c9f4fadf0ca6def2822e47c3b3b6a
SHA256: 71be9814ee36a738ecca0d0d62e0172223bd32ee68b20727f42b4269f408d944
SHA512: 3b3be95ace9c74cded169a3692a5e013451353e9002da767c57fa50c1f105f5642e4377a6272174c43341308f42373f75c160b5320aa43e4bf5b38e967062fbf

Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c