Analysis

Max time kernel: 122s
Max time network: 126s
Platform: windows7_x64
Resource: win7-en-20211104
Submitted: 06-12-2021 14:26

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: cab436d07eb1ff3826a830ed4b477da9.exe
  Resource: win7-en-20211104

General
Target: cab436d07eb1ff3826a830ed4b477da9.exe
Size: 392KB
MD5: cab436d07eb1ff3826a830ed4b477da9
SHA1: efa4b5ae9c6806766baf75b0fe3802d1f6954124
SHA256: ee53cf56f393658949e4756c48e63e0c02542c1403c87e72d926bfb6b0306809
SHA512: 8f5193189227ca29c25dcfae4edeceff125c112513c09ccf2ecbe281b8fab154d5e210a514275aa9a5f4f311d0eb13a7f6d238149eb7d0d886e3b22f48ffd6b8
Malware Config

Extracted
Family: cryptbot
C2 domains:
  gomoxw12.top
  morxub01.top
payload_url: http://peumgu12.top/download.php?file=melder.exe
Signatures

Deletes itself (1 IoC)
Processes:
  PID 1372 cmd.exe
The sample does not remove its own file directly; it spawns cmd.exe, which waits for the parent to exit and then deletes the parent's executable (see the command line in the process tree below).

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but the extracted config identifies the family as CryptBot, an information stealer; in that context drive enumeration is more consistent with locating data to collect than with encryption.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments (virtualised CPUs typically expose recognisable name strings).
Processes:
  cab436d07eb1ff3826a830ed4b477da9.exe
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Delays execution with timeout.exe (1 IoC)
Processes:
  PID 1656 timeout.exe
The 4-second "timeout 4" both gives the parent process time to exit, so that the subsequent del succeeds on a file no longer in use, and shifts the deletion past the sample's first seconds of execution.

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  PID 1168 (cab436d07eb1ff3826a830ed4b477da9.exe) wrote to memory of PID 1372 (cmd.exe) [4 events]
  PID 1372 (cmd.exe) wrote to memory of PID 1656 (timeout.exe) [4 events]
Every recorded write targets a direct child the writing process had just spawned, which is also what ordinary process creation produces; no write into an unrelated process is recorded, so this signature alone is not evidence of code injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\cab436d07eb1ff3826a830ed4b477da9.exe (PID 1168)
   Command line: "C:\Users\Admin\AppData\Local\Temp\cab436d07eb1ff3826a830ed4b477da9.exe"
   - Checks processor information in registry
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (PID 1372)
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\FxodCqhXPM & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\cab436d07eb1ff3826a830ed4b477da9.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe (PID 1656)
         Command line: timeout 4
         - Delays execution with timeout.exe

Note that the command line requests C:\Windows\system32\cmd.exe but the image actually executed is C:\Windows\SysWOW64\cmd.exe: file-system redirection has resolved the path, which means the sample runs as a 32-bit process under WOW64 on this x64 guest. The cmd.exe chain first removes a working directory it created under %TEMP% (FxodCqhXPM), sleeps 4 seconds, then deletes the sample's own executable.
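The self-deletion chain above (a cmd.exe spawned by the sample, a timeout delay, then del of the parent's own image) is a pattern worth detecting in endpoint telemetry. The following is an added example and is not part of the sandbox report: it runs over constructed Sysmon-style process-creation events modelled on the process tree above and flags any cmd.exe whose command line deletes the executable of its own parent, recording whether a timeout/ping delay precedes the delete. Field names (ProcessId, ParentProcessId, Image, CommandLine) follow Sysmon event ID 1; the setup.exe events are invented benign noise.

```python
import re
import ntpath

# Constructed events in Sysmon event ID 1 style, modelled on the process tree in the
# report above. Parent PID 1000 is an assumed explorer/launcher that is not itself logged.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cab436d07eb1ff3826a830ed4b477da9.exe"
EVENTS = [
    {"ProcessId": 1168, "ParentProcessId": 1000, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"'},
    {"ProcessId": 1372, "ParentProcessId": 1168,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": (r'"C:\Windows\system32\cmd.exe" /c rd /s /q '
                     r'C:\Users\Admin\AppData\Local\Temp\FxodCqhXPM & timeout 4 & '
                     f'del /f /q "{SAMPLE}"')},
    {"ProcessId": 1656, "ParentProcessId": 1372,
     "Image": r"C:\Windows\SysWOW64\timeout.exe",
     "CommandLine": "timeout 4"},
    # Invented benign noise: an installer cleaning its temp dir, no self-delete.
    {"ProcessId": 2000, "ParentProcessId": 1000, "Image": r"C:\Tools\setup.exe",
     "CommandLine": r'"C:\Tools\setup.exe"'},
    {"ProcessId": 2001, "ParentProcessId": 2000,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c rd /s /q C:\Tools\tmp'},
]

# `del` with optional switches, an optionally quoted path, terminated by &, | or end of line.
DEL_RE = re.compile(r'\bdel\b\s+(?:/[a-z]\s+)*"?([^"&|]+?)"?\s*(?:&|\||$)', re.IGNORECASE)
# Common cmd-level sleeps used to outlive the parent: timeout N, ping -n N host.
DELAY_RE = re.compile(r'\b(?:timeout\s+\d+|ping\s+(?:-n\s+\d+\s+)?\S+)', re.IGNORECASE)


def deleted_paths(cmdline):
    """Return every file path passed to `del` inside a cmd.exe command line."""
    return [m.group(1).strip() for m in DEL_RE.finditer(cmdline)]


def find_self_delete(events):
    """Flag cmd.exe processes whose command line deletes their own parent's image.

    Returns one record per hit with the parent PID, the cmd.exe PID, the deleted path
    and whether a timeout/ping delay was present in the same command line.
    """
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["Image"]).lower() != "cmd.exe":
            continue
        parent = by_pid.get(e["ParentProcessId"])
        if parent is None:
            continue  # parent not in telemetry; cannot compare images
        for path in deleted_paths(e["CommandLine"]):
            # normcase lowercases and normalises separators, so the comparison is
            # insensitive to the case/slash differences Windows tolerates in paths.
            if ntpath.normcase(path) == ntpath.normcase(parent["Image"]):
                hits.append({
                    "parent_pid": parent["ProcessId"],
                    "cmd_pid": e["ProcessId"],
                    "deleted": path,
                    "delayed": bool(DELAY_RE.search(e["CommandLine"])),
                })
    return hits


if __name__ == "__main__":
    for hit in find_self_delete(EVENTS):
        print(f"self-delete: PID {hit['parent_pid']} via cmd.exe PID {hit['cmd_pid']} "
              f"deleted {hit['deleted']} (delayed={hit['delayed']})")
```

The match is on the parent's logged Image rather than on the ParentCommandLine string, so the WOW64 redirection seen above (system32 requested, SysWOW64 executed) does not matter: the deleted path is compared with the path the parent was actually loaded from. Requiring `delayed` as well narrows the rule to the timeout/ping variant and cuts down on installers that legitimately remove their own bootstrap binary without a sleep.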
Network
MITRE ATT&CK Enterprise v6
Downloads

Memory dumps (file, size):
  memory/1168-55-0x00000000005BB000-0x00000000005E1000-memory.dmp  152KB
  memory/1168-56-0x00000000760C1000-0x00000000760C3000-memory.dmp  8KB
  memory/1168-57-0x0000000000220000-0x0000000000265000-memory.dmp  276KB
  memory/1168-58-0x0000000000400000-0x0000000000468000-memory.dmp  416KB
  memory/1372-59-0x0000000000000000-mapping.dmp
  memory/1656-60-0x0000000000000000-mapping.dmp