Analysis
max time kernel: 39s
max time network: 55s
platform: windows10_x64
resource: win10v20210408
submitted: 14/05/2021, 06:51
Static task: static1
Behavioral task: behavioral1
Sample: 2da5f09b58088a8e3a3ffa45d1f5f5d9.exe
Resource: win7v20210410
General
Target: 2da5f09b58088a8e3a3ffa45d1f5f5d9.exe
Size: 771KB
MD5: 2da5f09b58088a8e3a3ffa45d1f5f5d9
SHA1: 3086e2a39dd09b0c8f2a9e9e8a471555f417e0e4
SHA256: 3fbbe701191020522bf1488b4015d325f38c46acd07456de0cd8f4035f1ed170
SHA512: 0cf11a5556069e78aac01f4281507a71186d997790b902e0378342930db44bc9403c422ab0ae73634b695cef3a164baca0b45dbea7c95202072ea314b94704b6
Malware Config
Extracted: cryptbot
- remkoy32.top
- morkqz03.top
payload_url: http://sulejx04.top/download.php?file=lv.exe
Signatures

CryptBot Payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/764-114-0x0000000002650000-0x0000000002731000-memory.dmp   family_cryptbot
  behavioral2/memory/764-115-0x0000000000400000-0x00000000008B9000-memory.dmp   family_cryptbot

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      2da5f09b58088a8e3a3ffa45d1f5f5d9.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  2da5f09b58088a8e3a3ffa45d1f5f5d9.exe

Delays execution with timeout.exe (1 IoCs)
  pid   Process
  3424  timeout.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid  Process
  764  2da5f09b58088a8e3a3ffa45d1f5f5d9.exe
  764  2da5f09b58088a8e3a3ffa45d1f5f5d9.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                               procid_target
  PID 764 wrote to memory of 3756   764   2da5f09b58088a8e3a3ffa45d1f5f5d9.exe  78
  PID 764 wrote to memory of 3756   764   2da5f09b58088a8e3a3ffa45d1f5f5d9.exe  78
  PID 764 wrote to memory of 3756   764   2da5f09b58088a8e3a3ffa45d1f5f5d9.exe  78
  PID 3756 wrote to memory of 3424  3756  cmd.exe                               80
  PID 3756 wrote to memory of 3424  3756  cmd.exe                               80
  PID 3756 wrote to memory of 3424  3756  cmd.exe                               80
Processes

1. C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe"
   PID: 764
   - Checks processor information in registry
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\FmThvdxtIBfNm & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2da5f09b58088a8e3a3ffa45d1f5f5d9.exe"
      (removes the sample's temporary working directory, waits 3 seconds, then deletes the original executable: self-cleanup after the run)
      PID: 3756
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 3
         PID: 3424
         - Delays execution with timeout.exe