Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 20-10-2021 08:54
Static task: static1
Behavioral task: behavioral1
- Sample: mixshop_20211019-200154.exe
- Resource: win7-en-20211014
General
- Target: mixshop_20211019-200154.exe
- Size: 373KB
- MD5: a2203019198955a1e07a1251cbf73a84
- SHA1: 1f19ddd874f12050e624daed1a08c1097717ef7a
- SHA256: 6bcc93c0e0be1868a9205a42f4d0154e61e0ec4473bfa3e4a24fb3de4933539c
- SHA512: 43b32f7d2ab6a57ec291e4380ae84b31317c3b7783701f430cd950b521f5b7e6065805b68052f31434279e854c54d11c04f23d10b0eba52e61aa5a873cd7ba47
Malware Config
Extracted
- cryptbot
- veoqkb22.top
- morpib02.top
- payload_url: http://tyncel11.top/download.php?file=lv.exe
Signatures
- Deletes itself (1 IoC)
  Processes:
    pid 1176: cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: mixshop_20211019-200154.exe
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid 620: timeout.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: mixshop_20211019-200154.exe, cmd.exe
    PID 1528 (mixshop_20211019-200154.exe) wrote to memory of PID 1176 (cmd.exe) (4 events)
    PID 1176 (cmd.exe) wrote to memory of PID 620 (timeout.exe) (4 events)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\mixshop_20211019-200154.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\mixshop_20211019-200154.exe"
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\CaLiHBWeCblb & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\mixshop_20211019-200154.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 4
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/620-59-0x0000000000000000-mapping.dmp
- memory/1176-58-0x0000000000000000-mapping.dmp
- memory/1528-54-0x00000000030CD000-0x00000000030F2000-memory.dmp (Filesize: 148KB)
- memory/1528-55-0x00000000754F1000-0x00000000754F3000-memory.dmp (Filesize: 8KB)
- memory/1528-56-0x0000000000230000-0x0000000000275000-memory.dmp (Filesize: 276KB)
- memory/1528-57-0x0000000000400000-0x0000000002F25000-memory.dmp (Filesize: 43.1MB)