Analysis Overview
SHA256
4dfb1deeb72088bbc9d755078e69970b1e8c445f92d0329d415ab2a65a45a205
Threat Level: Known bad
The file 43a8636f8748675fb63d026bae9c73b3.bin was found to be: Known bad.
Malicious Activity Summary
CryptBot
Executes dropped EXE
Deletes itself
Reads user/profile data of web browsers
Checks computer location settings
Maps connected drives based on registry
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Unsigned PE
Enumerates physical storage devices
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-23 01:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-23 01:15
Reported
2024-01-23 01:18
Platform
win7-20231215-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
CryptBot
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Maps connected drives based on registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe
"C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe"
C:\Windows\SysWOW64\cmd.exe
/C schtasks.exe /create /tn \Ww\dthebvdsci /tr """"C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe""" """C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"""" /sc once /ri 1 /f /du 979:19 /st 00:02
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn \Ww\dthebvdsci /tr """"C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe""" """C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"""" /sc once /ri 1 /f /du 979:19 /st 00:02
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe"
C:\Windows\SysWOW64\timeout.exe
timeout -t 5
C:\Windows\system32\taskeng.exe
taskeng.exe {35DD2874-F2B1-443B-9304-DD3F6142C5B9} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe
C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe "C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | fygbib44.top | udp |
| US | 108.186.145.244:80 | fygbib44.top | tcp |
Files
memory/1696-0-0x00000000003A0000-0x000000000045D000-memory.dmp
memory/1696-1-0x0000000000020000-0x0000000000023000-memory.dmp
memory/1696-4-0x00000000003A0000-0x000000000045D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1D1C.tmp
| Hash | Value |
|---|---|
| MD5 | 7a85bc397ce203d588eec1e25ee57189 |
| SHA1 | d518b6c4d029c178b0e01d4b55b1d15dbbb093c4 |
| SHA256 | 98ab6097c476f36890c60a281601588c163516cb49c544ad1842dc3e443329fd |
| SHA512 | 4de5cd964ee069d5c9c8f120d6d083ed2cc7c76bf9f4341a31c8e484486758289fb10fb2af33bed1de4fd42e2eb62ef5c069e58c6d247b0e366414ed6f64624c |
C:\Users\Admin\AppData\Local\Temp\1C6C.tmp
| Hash | Value |
|---|---|
| MD5 | a2a4dde187bcacb3ae59249131b3e9fd |
| SHA1 | 1c3ef8070e076acc8fabbbec63b4c3ae6d3bed43 |
| SHA256 | 8a8a3e8ccbb5feebd2187a58f01bb239083b956dc9bb7aaffc46607301598ae1 |
| SHA512 | f81441ec2a6efeed5ace449fe955eceb19d49d09858b24b95e4dee60cc60bc30ea5aa17ffdd0f4852b073ce778598de2da6e810367fb9e583cc1d3d62b35e9e8 |
memory/1696-75-0x00000000003A0000-0x000000000045D000-memory.dmp
C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe
| Hash | Value |
|---|---|
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm
| Hash | Value |
|---|---|
| MD5 | 205adf0244fdafdf409d366d1618ca07 |
| SHA1 | cda1296a776c9f4fadf0ca6def2822e47c3b3b6a |
| SHA256 | 71be9814ee36a738ecca0d0d62e0172223bd32ee68b20727f42b4269f408d944 |
| SHA512 | 3b3be95ace9c74cded169a3692a5e013451353e9002da767c57fa50c1f105f5642e4377a6272174c43341308f42373f75c160b5320aa43e4bf5b38e967062fbf |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-23 01:15
Reported
2024-01-23 01:18
Platform
win10v2004-20231215-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
CryptBot
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Maps connected drives based on registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe
"C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn \Ww\dthebvdsci /tr """"C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe""" """C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"""" /sc once /ri 1 /f /du 979:19 /st 00:02
C:\Windows\SysWOW64\cmd.exe
/C schtasks.exe /create /tn \Ww\dthebvdsci /tr """"C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe""" """C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"""" /sc once /ri 1 /f /du 979:19 /st 00:02
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout -t 5 && del "C:\Users\Admin\AppData\Local\Temp\24fca3cd8aad055b2284fdf5c0cd73642b88bb19de7c3137361e46529da5b67f.exe"
C:\Windows\SysWOW64\timeout.exe
timeout -t 5
C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe
C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe "C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | fygbib44.top | udp |
| US | 108.186.145.244:80 | fygbib44.top | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 244.145.186.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
Files
memory/5116-1-0x0000000000400000-0x0000000000403000-memory.dmp
memory/5116-0-0x0000000000740000-0x00000000007FD000-memory.dmp
memory/5116-4-0x0000000000740000-0x00000000007FD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7AE7.tmp
| Hash | Value |
|---|---|
| MD5 | 3e26c78bfa01de9d5406729f54686644 |
| SHA1 | ef5eee8e368cc7daec9854dfdf5f57df22a0cd8d |
| SHA256 | f5f984824d787c65bb3e7a6e2f47313b1b9ca2ee4a5d4c001d89f6521eda62d3 |
| SHA512 | 2879d64c012758735123adcda3226abb14bd60aa1d7b9380a27b1d8095e2a002ec87527e9b49c90805d5e024cc26f6c13b91ca8bbdb6276c6a47ce409f106820 |
C:\Users\Admin\AppData\Local\Temp\841A.tmp
| Hash | Value |
|---|---|
| MD5 | ea2b0ecc952f7c6f9794722de9e10027 |
| SHA1 | d7936a2bbb28ed5d99ec70636bb021b8f65fd095 |
| SHA256 | 934a08c0dfecd7fddf8fc87c7c7f9d09ac470e683e5e474966a258d725e80191 |
| SHA512 | 1fa5a06414be1730cc176080e49e5d4577222c174162a89aaf29165f4810c320c09481e239e50aac58cffed722d4fb314a8d99ffef61cf46a66e53040f4c2090 |
C:\Users\Admin\AppData\Local\Temp\78D0.tmp
| Hash | Value |
|---|---|
| MD5 | d5279b23e73b246952ab02a90b7d1032 |
| SHA1 | d94f076f31453d3582ffe0ce42089b6e5b7581f3 |
| SHA256 | 9723a13b2b24262593dc50423fa36507229fd3965f85dfbe80ee41efc479d697 |
| SHA512 | 6501055c3159da7ca5e1c3afbd844623861667410a158bab8f6e06b013db46c9ea175d65d5e2c8ec76e4c9fc10b732d79d79cb1d52fdffa48fa831c4e8eeb24b |
memory/5116-101-0x0000000000740000-0x00000000007FD000-memory.dmp
C:\Users\Admin\AppData\Roaming\jkpopel\sartst.exe
| Hash | Value |
|---|---|
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Admin\AppData\Roaming\jkpopel\sartst.chm
| Hash | Value |
|---|---|
| MD5 | 205adf0244fdafdf409d366d1618ca07 |
| SHA1 | cda1296a776c9f4fadf0ca6def2822e47c3b3b6a |
| SHA256 | 71be9814ee36a738ecca0d0d62e0172223bd32ee68b20727f42b4269f408d944 |
| SHA512 | 3b3be95ace9c74cded169a3692a5e013451353e9002da767c57fa50c1f105f5642e4377a6272174c43341308f42373f75c160b5320aa43e4bf5b38e967062fbf |