Analysis
- max time kernel: 300s
- max time network: 302s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 22-10-2021 15:20

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-en-20211014
- 0 signatures, 0 seconds
General
- Target: file.exe
- Size: 428KB
- MD5: f05d925a72dc47eef4bdf4c48ce12217
- SHA1: 1c6a724e4c517ee84aa7c62d0cc60013396a4b5b
- SHA256: 43607d4de290ff5e25187bf75d511cc6aaab51727c9a8aedbe59fa7b16393da1
- SHA512: dfa4661a779508e15907266cf298a093cf7961309637c2ca17b599a5c515ce7e8ae177d1439f390d242dcb85fd5ac99d2f244e881da5666c80e44e62efca817b
Malware Config
Extracted
- Family: cryptbot
- C2:
  - veogmc52.top
  - mornoi05.top
- Attributes:
  - payload_url: http://tynwyl15.top/download.php?file=penwa.exe
Signatures
- Deletes itself (1 IoC)
  Processes:
    pid 1468  cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                                    process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  file.exe
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      file.exe
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid 568  timeout.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                        pid   process   target process
    PID 948 wrote to memory of 1468    948   file.exe  cmd.exe
    PID 948 wrote to memory of 1468    948   file.exe  cmd.exe
    PID 948 wrote to memory of 1468    948   file.exe  cmd.exe
    PID 948 wrote to memory of 1468    948   file.exe  cmd.exe
    PID 1468 wrote to memory of 568    1468  cmd.exe   timeout.exe
    PID 1468 wrote to memory of 568    1468  cmd.exe   timeout.exe
    PID 1468 wrote to memory of 568    1468  cmd.exe   timeout.exe
    PID 1468 wrote to memory of 568    1468  cmd.exe   timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\nTcgJTNDeBcHO & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 4
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/568-60-0x0000000000000000-mapping.dmp
- memory/948-55-0x00000000009D9000-0x00000000009FE000-memory.dmp (148KB)
- memory/948-56-0x0000000075D31000-0x0000000075D33000-memory.dmp (8KB)
- memory/948-57-0x0000000000220000-0x0000000000265000-memory.dmp (276KB)
- memory/948-58-0x0000000000400000-0x000000000089A000-memory.dmp (4.6MB)
- memory/1468-59-0x0000000000000000-mapping.dmp