Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
20-12-2021 09:38
General
-
Target
0c0e06b2fc4996fdafe77334d4035fac.exe
-
Size
407KB
-
MD5
0c0e06b2fc4996fdafe77334d4035fac
-
SHA1
7df47e23b345415cbb5e3c0a8493b36616939eda
-
SHA256
70797599ab85bc7961922e179e9836d64e85a9ed21f85877442529d0d23daad5
-
SHA512
27ec4be9b7990920a1d07844d98f9ece448c94c2f106a9baecef665da7bc67db0853b3cbfdcb45b017c18066e57718f6035351bfb0b3d16dabdc3c7964513792
Score
10/10
Malware Config
Extracted
Family
cryptbot
C2
daibly12.top
morjey01.top
Attributes
-
payload_url
http://lionek12.top/download.php?file=maysin.exe
Signatures
-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
Deletes itself 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c0e06b2fc4996fdafe77334d4035fac.exe"C:\Users\Admin\AppData\Local\Temp\0c0e06b2fc4996fdafe77334d4035fac.exe"1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\LPwghWvo & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\0c0e06b2fc4996fdafe77334d4035fac.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
Filesize
148KB
-
Filesize
8KB
-
Filesize
276KB
-
Filesize
920KB
-