Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 20-12-2021 09:31

Static task: static1
Behavioral task: behavioral1
- Sample: Activate it.exe
- Resource: win7-en-20211208
- 0 signatures
- 0 seconds
General
- Target: Activate it.exe
- Size: 667KB
- MD5: c4a3cd58ec321eabe51e1c482b92441f
- SHA1: 181a601f18cb5069ce9192b66d97b82765488b30
- SHA256: 37fbe23d6ccaf64603921fd9e7f99d205b3ede0d98ff6c3c4355da905ec3ceb5
- SHA512: 1b1bfdd164d9c8ed7a54d7a65de4e17ebfb26c8f872d0f7136f9e5dba54ca2591c28b9e14bfa8bad5316d133e73f8d24f44cdcb7c75f299ecf28d92137461340
Malware Config
Extracted
- Family: cryptbot
- C2:
  - daifgz13.top
  - morjey01.top
- Attributes:
  - payload_url: http://liotuo01.top/download.php?file=librid.exe
Signatures
- Deletes itself (1 IoCs)
  Processes:
    pid   process
    1040  cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: Activate it.exe
    description        ioc                                                                                     process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                        Activate it.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    Activate it.exe
- Delays execution with timeout.exe (1 IoCs)
  Processes:
    pid   process
    588   timeout.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: Activate it.exe, cmd.exe
    description                        pid   process          target process
    PID 968 wrote to memory of 1040    968   Activate it.exe  cmd.exe
    PID 968 wrote to memory of 1040    968   Activate it.exe  cmd.exe
    PID 968 wrote to memory of 1040    968   Activate it.exe  cmd.exe
    PID 968 wrote to memory of 1040    968   Activate it.exe  cmd.exe
    PID 1040 wrote to memory of 588    1040  cmd.exe          timeout.exe
    PID 1040 wrote to memory of 588    1040  cmd.exe          timeout.exe
    PID 1040 wrote to memory of 588    1040  cmd.exe          timeout.exe
    PID 1040 wrote to memory of 588    1040  cmd.exe          timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Activate it.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Activate it.exe"
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\orYbvfmN & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Activate it.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 4
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/588-59-0x0000000000000000-mapping.dmp
- memory/968-54-0x00000000754B1000-0x00000000754B3000-memory.dmp (Filesize: 8KB)
- memory/968-55-0x0000000000401000-0x0000000000403000-memory.dmp (Filesize: 8KB)
- memory/968-56-0x0000000000230000-0x0000000000231000-memory.dmp (Filesize: 4KB)
- memory/968-57-0x00000000002D0000-0x0000000000318000-memory.dmp (Filesize: 288KB)
- memory/1040-58-0x0000000000000000-mapping.dmp