Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 22-12-2021 17:36

Static task: static1
Behavioral task: behavioral1
Sample: mixshop_20211222-153046.exe
Resource: win7-en-20211208
General
- Target: mixshop_20211222-153046.exe
- Size: 2.6MB
- MD5: d6067855ac984e670b392dd61df3d362
- SHA1: 9320204b0d517cc239a948514982540e6652bbff
- SHA256: 5794e9722cdb1ec697ee0ae9fe5464fb9e85ba3157485d6ecb9cea44455cf37a
- SHA512: 583db7379dd2f7730a2efcf25a118170f59edf6e332f9b946b63df6323317b4d6ff155f9fa4c64041efdc7880fd70714c14b053f2d6ceb330b8ded35e55a8ce9
Malware Config
Extracted
- cryptbot
- daispg32.top
- morsvo03.top
Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: mixshop_20211222-153046.exe
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  mixshop_20211222-153046.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   mixshop_20211222-153046.exe

- Deletes itself 1 IoCs
  Processes: cmd.exe
    pid   process
    1212  cmd.exe

- YARA rule match: themida 4 IoCs
    resource                                                                      yara_rule
    behavioral1/memory/1696-54-0x0000000000840000-0x0000000000F20000-memory.dmp  themida
    behavioral1/memory/1696-55-0x0000000000840000-0x0000000000F20000-memory.dmp  themida
    behavioral1/memory/1696-56-0x0000000000840000-0x0000000000F20000-memory.dmp  themida
    behavioral1/memory/1696-57-0x0000000000840000-0x0000000000F20000-memory.dmp  themida

- Checks whether UAC is enabled 1 IoCs
  Processes: mixshop_20211222-153046.exe
    description        ioc                                                                                  process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  mixshop_20211222-153046.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes: mixshop_20211222-153046.exe
    pid   process
    1696  mixshop_20211222-153046.exe

- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes: mixshop_20211222-153046.exe
    description        ioc                                                                                 process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     mixshop_20211222-153046.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString mixshop_20211222-153046.exe

- Delays execution with timeout.exe 1 IoCs
  Processes: timeout.exe
    pid  process
    860  timeout.exe

- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes: mixshop_20211222-153046.exe
    pid   process
    1696  mixshop_20211222-153046.exe

- Suspicious use of WriteProcessMemory 8 IoCs
  Processes: mixshop_20211222-153046.exe, cmd.exe
    description                        pid   process                      target process
    PID 1696 wrote to memory of 1212   1696  mixshop_20211222-153046.exe  cmd.exe
    PID 1696 wrote to memory of 1212   1696  mixshop_20211222-153046.exe  cmd.exe
    PID 1696 wrote to memory of 1212   1696  mixshop_20211222-153046.exe  cmd.exe
    PID 1696 wrote to memory of 1212   1696  mixshop_20211222-153046.exe  cmd.exe
    PID 1212 wrote to memory of 860    1212  cmd.exe                      timeout.exe
    PID 1212 wrote to memory of 860    1212  cmd.exe                      timeout.exe
    PID 1212 wrote to memory of 860    1212  cmd.exe                      timeout.exe
    PID 1212 wrote to memory of 860    1212  cmd.exe                      timeout.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\mixshop_20211222-153046.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\mixshop_20211222-153046.exe"
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\smNrGSGG & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\mixshop_20211222-153046.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 4
         - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/860-59-0x0000000000000000-mapping.dmp
- memory/1212-58-0x0000000000000000-mapping.dmp
- memory/1696-53-0x0000000076001000-0x0000000076003000-memory.dmp (filesize 8KB)
- memory/1696-54-0x0000000000840000-0x0000000000F20000-memory.dmp (filesize 6.9MB)
- memory/1696-55-0x0000000000840000-0x0000000000F20000-memory.dmp (filesize 6.9MB)
- memory/1696-56-0x0000000000840000-0x0000000000F20000-memory.dmp (filesize 6.9MB)
- memory/1696-57-0x0000000000840000-0x0000000000F20000-memory.dmp (filesize 6.9MB)