Analysis
Max time kernel: 121s
Max time network: 120s
Platform: windows7_x64
Resource: win7-en-20211014
Submitted: 19-10-2021 15:33

Tasks
Static task: static1
Behavioral task: behavioral1 (Sample: 0aa3cc98fae581989a1d69e57072983f.exe, Resource: win7-en-20211014)
General
Target: 0aa3cc98fae581989a1d69e57072983f.exe
Size: 373KB
MD5: 0aa3cc98fae581989a1d69e57072983f
SHA1: 03021b6bf23e45c1347ac4218bd6779c13cab6e0
SHA256: e366497c19208fe45bd04dd3d83f4ec71108b2cefeb4fdaeb60e139743c8bb40
SHA512: 38af56fad8cd899fea9485c40060a5f18a56042c4ecee8c2482cd54bc5724986ae2d8846eb52a3d91e9e637c6ee211bf94b3b8a3f0d6d5090f6155f59282d03f
Malware Config
Extracted family: cryptbot
  veoqkb22.top
  morpib02.top
  payload_url: http://tyncel11.top/download.php?file=lv.exe
Signatures

Deletes itself (1 IoC)
Processes:
  cmd.exe (PID 1664)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  0aa3cc98fae581989a1d69e57072983f.exe
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Delays execution with timeout.exe (1 IoC)
Processes:
  timeout.exe (PID 764)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  PID 1700 (0aa3cc98fae581989a1d69e57072983f.exe) wrote to memory of PID 1664 (cmd.exe) - 4 entries
  PID 1664 (cmd.exe) wrote to memory of PID 764 (timeout.exe) - 4 entries
Processes

1. C:\Users\Admin\AppData\Local\Temp\0aa3cc98fae581989a1d69e57072983f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0aa3cc98fae581989a1d69e57072983f.exe"
   PID: 1700
   - Checks processor information in registry
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\EKakMPsPh & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\0aa3cc98fae581989a1d69e57072983f.exe"
      PID: 1664
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 4
         PID: 764
         - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/764-60-0x0000000000000000-mapping.dmp
- memory/1664-59-0x0000000000000000-mapping.dmp
- memory/1700-55-0x000000000311D000-0x0000000003143000-memory.dmp (filesize: 152KB)
- memory/1700-56-0x00000000762D1000-0x00000000762D3000-memory.dmp (filesize: 8KB)
- memory/1700-57-0x0000000000250000-0x0000000000295000-memory.dmp (filesize: 276KB)
- memory/1700-58-0x0000000000400000-0x0000000002F25000-memory.dmp (filesize: 43.1MB)