Analysis

max time kernel: 119s
max time network: 131s
platform: windows10_x64
resource: win10-en-20211208
submitted: 22-12-2021 17:36

Static task: static1
Behavioral task: behavioral1
  Sample: mixshop_20211222-153046.exe
  Resource: win7-en-20211208
General

Target: mixshop_20211222-153046.exe
Size: 2.6MB
MD5: d6067855ac984e670b392dd61df3d362
SHA1: 9320204b0d517cc239a948514982540e6652bbff
SHA256: 5794e9722cdb1ec697ee0ae9fe5464fb9e85ba3157485d6ecb9cea44455cf37a
SHA512: 583db7379dd2f7730a2efcf25a118170f59edf6e332f9b946b63df6323317b4d6ff155f9fa4c64041efdc7880fd70714c14b053f2d6ceb330b8ded35e55a8ce9
Malware Config

Extracted family: cryptbot
  daispg32.top
  morsvo03.top

CryptBot is an information stealer; the two domains are the command-and-control hosts recovered from its embedded configuration and are the most direct network indicators this report yields.
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  (2 TTPs)

Checks BIOS information in registry  (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  process                       description        ioc
  mixshop_20211222-153046.exe   Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  mixshop_20211222-153046.exe   Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Reads user/profile data of web browsers  (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

YARA rule matches: themida
The sample's mapped image in PID 2632 (the 6.9MB region at 0x00F70000-0x01650000) matches the themida packer rule in each of the four dumps taken from it. Themida is a commercial protector whose runtime performs its own anti-debugging and VM checks, so some of the evasion signatures in this list may come from the protector rather than from the CryptBot payload it wraps.
Processes:
  resource                                                                        yara_rule
  behavioral2/memory/2632-115-0x0000000000F70000-0x0000000001650000-memory.dmp    themida
  behavioral2/memory/2632-116-0x0000000000F70000-0x0000000001650000-memory.dmp    themida
  behavioral2/memory/2632-117-0x0000000000F70000-0x0000000001650000-memory.dmp    themida
  behavioral2/memory/2632-118-0x0000000000F70000-0x0000000001650000-memory.dmp    themida
Accesses cryptocurrency files/wallets, possible credential harvesting  (2 TTPs)
Checks whether UAC is enabled  (1 TTPs)
Reads EnableLUA under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; a value of 0 means User Account Control is switched off on the host.
Processes:
  process                       description        ioc
  mixshop_20211222-153046.exe   Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Suspicious use of NtSetInformationThreadHideFromDebugger  (1 IoCs)
Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops the thread from delivering debug events to an attached debugger. It is a common anti-debugging technique and is also used by commercial protectors such as Themida.
Processes:
  pid    process
  2632   mixshop_20211222-153046.exe
Enumerates physical storage devices  (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this signature calls it likely ransomware behaviour; for an infostealer such as CryptBot it is more consistent with enumerating drives to collect files from, and nothing else in this report points to file encryption.
Checks processor information in registry  (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  process                       description        ioc
  mixshop_20211222-153046.exe   Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  mixshop_20211222-153046.exe   Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
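The three registry signatures above (the VirtualBox ACPI check, the BIOS values and the processor values) all come down to reading a handful of HKLM values and looking for a hypervisor vendor string. The following Python is an added example, not code from the sample or from the sandbox: it emulates that decision against constructed registry snapshots and shows the sandbox-side counterpart, scrubbing the markers. The marker list, the ACPI key names (VBOX__ under HARDWARE\ACPI\DSDT, FADT and RSDT) and the snapshot values are assumptions about how stock VirtualBox guests and physical hosts commonly look, not strings recovered from this sample.

```python
"""Emulate registry-based hypervisor fingerprinting and its scrubbing.

Added example. FINGERPRINT_VALUES are the values the report shows being
queried; ACPI_TABLE_KEYS, HYPERVISOR_MARKERS and the snapshots are assumptions.
"""
import re

# Values under HKLM that the report shows the sample querying.
FINGERPRINT_VALUES = (
    r"HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
)

# ACPI table keys whose subkey names carry the firmware OEM id.
# Assumption: a VirtualBox guest exposes "VBOX__" under each of these.
ACPI_TABLE_KEYS = (r"HARDWARE\ACPI\DSDT", r"HARDWARE\ACPI\FADT", r"HARDWARE\ACPI\RSDT")

# Vendor strings commonly treated as hypervisor markers (assumption, not the
# sample's own list).
HYPERVISOR_MARKERS = re.compile(
    r"vbox|virtualbox|vmware|qemu|bochs|parallels|hyper-v|innotek", re.I)


def fingerprint(snapshot):
    """Return (key, value) pairs that reveal a hypervisor.

    `snapshot` maps a registry path (hive omitted) either to a string, for a
    value, or to a list of subkey names, for a key; this mimics what
    RegQueryValueEx and RegEnumKeyEx would return to the sample.
    """
    hits = []
    for path in FINGERPRINT_VALUES:
        value = snapshot.get(path)
        if isinstance(value, str) and HYPERVISOR_MARKERS.search(value):
            hits.append((path, value))
    for path in ACPI_TABLE_KEYS:
        for subkey in snapshot.get(path, []):
            if HYPERVISOR_MARKERS.search(subkey):
                hits.append((path + "\\" + subkey, subkey))
    return hits


def looks_like_vm(snapshot):
    """The yes/no decision a sample makes before deciding whether to run its payload."""
    return bool(fingerprint(snapshot))


def scrub(snapshot, vendor="Dell Inc."):
    """Sandbox-hardening counterpart: replace every marker with a plausible OEM string.

    In a real guest these values are derived from the SMBIOS/ACPI tables the
    hypervisor presents, so the durable fix is in the VM configuration; this
    function only shows what the sample must no longer be able to see.
    """
    clean = {}
    for path, value in snapshot.items():
        if isinstance(value, str):
            clean[path] = HYPERVISOR_MARKERS.sub(vendor, value)
        else:
            clean[path] = [HYPERVISOR_MARKERS.sub(vendor, s) for s in value]
    return clean


# Constructed snapshots: a stock VirtualBox guest and a physical laptop.
VBOX_GUEST = {
    r"HARDWARE\DESCRIPTION\System\SystemBiosVersion": "VBOX   - 1",
    r"HARDWARE\DESCRIPTION\System\VideoBiosVersion": "Oracle VM VirtualBox Version 6.1.30 VBE Adapter",
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString": "Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz",
    r"HARDWARE\ACPI\DSDT": ["VBOX__"],
    r"HARDWARE\ACPI\FADT": ["VBOX__"],
    r"HARDWARE\ACPI\RSDT": ["VBOX__"],
}
PHYSICAL_HOST = {
    r"HARDWARE\DESCRIPTION\System\SystemBiosVersion": "LENOVO - 1240",
    r"HARDWARE\DESCRIPTION\System\VideoBiosVersion": "Hardware Version 0.0",
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString": "Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz",
    r"HARDWARE\ACPI\DSDT": ["LENOVO"],
    r"HARDWARE\ACPI\FADT": ["LENOVO"],
    r"HARDWARE\ACPI\RSDT": ["LENOVO"],
}

if __name__ == "__main__":
    for name, snap in (("VirtualBox guest", VBOX_GUEST),
                       ("physical host", PHYSICAL_HOST),
                       ("scrubbed guest", scrub(VBOX_GUEST))):
        print(f"{name}: vm={looks_like_vm(snap)} hits={fingerprint(snap)}")
```

The guest snapshot trips on the two BIOS values and on all three ACPI OEM ids while the processor string is clean, which is why samples read several of these values rather than one. After scrubbing, the same snapshot passes, which is the check a sandbox operator should run against their own image before trusting the absence of a payload in a run like this one.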
Delays execution with timeout.exe  (1 IoCs)
Processes:
  pid    process
  3220   timeout.exe
Suspicious behavior: EnumeratesProcesses  (2 IoCs)
Processes:
  pid    process
  2632   mixshop_20211222-153046.exe
  2632   mixshop_20211222-153046.exe
Suspicious use of WriteProcessMemory  (6 IoCs)
The targets of all six writes are the two child processes created in the tree below (2632 -> 628 cmd.exe, 628 -> 3220 timeout.exe), so these writes are consistent with normal process start-up rather than injection into an unrelated process; on their own they are not evidence of code injection.
Processes:
  description      pid    process                       target process
  PID 2632 wrote to memory of 628    mixshop_20211222-153046.exe   cmd.exe
  PID 2632 wrote to memory of 628    mixshop_20211222-153046.exe   cmd.exe
  PID 2632 wrote to memory of 628    mixshop_20211222-153046.exe   cmd.exe
  PID 628 wrote to memory of 3220    cmd.exe                       timeout.exe
  PID 628 wrote to memory of 3220    cmd.exe                       timeout.exe
  PID 628 wrote to memory of 3220    cmd.exe                       timeout.exe
Processes

C:\Users\Admin\AppData\Local\Temp\mixshop_20211222-153046.exe  (PID 2632, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\mixshop_20211222-153046.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 628, level 2)
    command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\mixshop_20211222-153046.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe  (PID 3220, level 3)
      command line: timeout 4
      - Delays execution with timeout.exe

This clean-up chain removes the staging directory aQIaOBhNoji (whose contents are listed under Downloads), waits four seconds so that the parent can exit and release its image file, and then deletes the sample's own executable. The command line names system32\cmd.exe, but the image that actually ran is SysWOW64\cmd.exe: the sample is a 32-bit process, so WOW64 file-system redirection maps system32 to SysWOW64 for it. Detection logic keyed on the image path must expect the SysWOW64 form.
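The clean-up chain in the tree (rd /s /q on the staging directory, a timeout delay, then del /f /q of the parent's own image) is a reliable detection point because it is fully visible in process-creation telemetry. The Python below is an added example, not code from the sandbox or from any detection product: it classifies constructed records shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine). The paths in EVENTS[0] are taken from the report; the other three events, the installer and dropper paths, and the ping-based delay variant are constructed for the example.

```python
"""Flag cmd.exe self-deletion chains from process-creation events.

Added example. EVENTS are constructed records in the shape of Sysmon
Event ID 1 fields; only the paths in EVENTS[0] come from the report.
"""
import re

# rd/rmdir with /s and /q in either order, optionally quoted path
RD_RE = re.compile(r'\b(?:rd|rmdir)\s+(?:/[sq]\s+){1,2}("?)(?P<dir>[^&"]+)\1', re.I)
# two common delay idioms: "timeout [/t] N" and "ping ... -n N"
DELAY_RE = re.compile(
    r'\btimeout\s+(?:/t\s+)?(?P<secs>\d+)|\bping\b[^&]*?-n\s+(?P<n>\d+)', re.I)
# trailing "del /f /q <file>" (either switch, any order), possibly quoted
DEL_RE = re.compile(r'\bdel\s+(?:/[fq]\s+)+"?(?P<file>[^&"]+?)"?\s*$', re.I)


def _norm(path):
    """Normalise a Windows path for comparison: strip quotes/space, lower-case."""
    return path.strip().strip('"').lower()


def classify(event):
    """Return a finding for one process-creation event, or None.

    A finding is produced when cmd.exe runs a delay followed by a del; it is
    marked self_delete when the deleted file is the parent's own image, which
    is exactly the 2632 -> 628 step in the tree above. The Image check matches
    both System32\cmd.exe and the SysWOW64 path a 32-bit parent is redirected to.
    """
    if not event["Image"].lower().endswith("\\cmd.exe"):
        return None
    cmd = event["CommandLine"]
    delay, deletion = DELAY_RE.search(cmd), DEL_RE.search(cmd)
    if not (delay and deletion):
        return None
    removed = RD_RE.search(cmd)
    target = _norm(deletion["file"])
    parent = _norm(event["ParentImage"])
    return {
        "parent": parent,
        "deleted_file": target,
        "removed_dir": _norm(removed["dir"]) if removed else None,
        "delay": int(delay["secs"] or delay["n"]),
        "self_delete": target == parent,
    }


def scan(events):
    """Return only the self-deletion findings from a batch of events."""
    findings = (classify(e) for e in events)
    return [f for f in findings if f and f["self_delete"]]


# Constructed events (Sysmon Event ID 1 shape).
EVENTS = [
    {   # the chain from the process tree above (paths from the report)
        "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\mixshop_20211222-153046.exe",
        "Image": r"C:\Windows\SysWOW64\cmd.exe",
        "CommandLine": r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\mixshop_20211222-153046.exe"',
    },
    {   # benign: a user listing a directory
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c dir C:\Users\Admin\Documents',
    },
    {   # installer removing its own temp file: delay + del, but not its own image
        "ParentImage": r"C:\Program Files\Foo\setup.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd /c timeout 5 & del /q "C:\Users\Admin\AppData\Local\Temp\installer_tmp.txt"',
    },
    {   # the same self-delete trick with a ping-based delay
        "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\dropper.exe",
        "Image": r"C:\Windows\SysWOW64\cmd.exe",
        "CommandLine": r'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f /q "C:\Users\Admin\AppData\Local\Temp\dropper.exe"',
    },
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

Matching the deleted file against ParentImage rather than alerting on every delay-plus-del keeps installer clean-up (EVENTS[2]) out of the results while still catching the ping variant; in practice this is also where to join the rd target against the file-create events for the staging directory, so the alert carries the list of collected files.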
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Files written into the staging directory during the run, followed by the memory dumps taken. Names such as DEFAUL~1.BIN are 8.3 short names as recorded by the sandbox; the long file names are not on this page. The _Files\ and files_\ trees hold byte-identical copies (same digests), and the two JPEG and two TXT entries are likewise the same files under two names.

C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji\FCRGCI~1.ZIP
  MD5     1b1aac00c6538fec42388e103c9725f2
  SHA1    cb7347e576f408123ba5ea07712c8586050f0e03
  SHA256  6dc2ff5ac0063d1d11aa84b08ad6fe46896926d19377a66e3414503fb7798a9c
  SHA512  95a876feda8ae065649dbb74d473839c6cf68006fc97047dcc667738f3a6ac604ba86992d12a52ddbbbf7be7a388ff0d933970632137e5684c0aa66bb7e40ec8

C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji\SNLOZK~1.ZIP
  MD5     5f229aedd4ab1765c241e0c4428d1b9b
  SHA1    b02008f688c279e29ded2c72abb7f25114b7755a
  SHA256  cbb33ab6dcecfbad37fb8549ee47a5d5f255960923695be722fb577d6387d500
  SHA512  3e6de61ca1e946a98826e7a4b71e8f3c67234494180a6ba78b39827a6db6c5332d3655755b99cdae0d4763b002282e00229e1edb6f78dc2e54016e5b6a39857e

C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji\_Files\_Chrome\DEFAUL~1.BIN
  MD5     f4b8e6e7ca32ed5ab1653cc327475cc0
  SHA1    e7c30740b8cc28534d398ff4036e0cc6649619ce
  SHA256  34abcff7dd7e3157dc78b58d9fc7ce57be556a550bcc6a2b2257c9b08107cbe2
  SHA512  edc72a374b28b984d8d3ced5a27ddb1a91e843ab873f7b700eecea87c0dfea961359f7931ea127ee2b8edc2602968795c6b9f121622dffca23241736c44d8ae2

C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji\_Files\_Chrome\DEFAUL~1.DB
  MD5     b608d407fc15adea97c26936bc6f03f6
  SHA1    953e7420801c76393902c0d6bb56148947e41571
  SHA256  b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512  cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji\_Files\_Chrome\DEFAUL~2.DB
  MD5     055c8c5c47424f3c2e7a6fc2ee904032
  SHA1    5952781d22cff35d94861fac25d89a39af6d0a87
  SHA256  531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a
  SHA512  c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji\_Files\_Chrome\DEFAUL~3.DB
  MD5     8ee018331e95a610680a789192a9d362
  SHA1    e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9
  SHA256  94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575
  SHA512  4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji\_Files\_INFOR~1.TXT
  MD5     afb2d6309a91b8f0ffe22c091073b4ff
  SHA1    eeab810a4190bba9db1119edc8d11e2923b52141
  SHA256  99ae8b13551627fc7299378411c0f261234bc78eef5634e52bb3efeaea8c825d
  SHA512  ba024705ad343f1cb62d6c3c6532660dd72965ecdb5f27099acaee1d115666fdceea60964c8c48ef7a99d49085b0b1748bd7ce4a8e7253fca322fa528260d00c

C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji\_Files\_SCREE~1.JPE
  MD5     599a4d4227eed348b6157992987bd4de
  SHA1    8112029c929abb90978212491a979262d46ca184
  SHA256  cbb94a7e134b11b6184714b28dc672bf0da11626afc8e560dd6c76e2dce9f1ee
  SHA512  38a3dc5606f43a34727bfbdba166fd45d9198a3befe6f59019b6f383e88a52a7b688fba3ceef0bfb39961fd39fb13e5bede66f165675dfb755b5fa32dd0bf382

C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji\files_\SCREEN~1.JPG
  MD5     599a4d4227eed348b6157992987bd4de
  SHA1    8112029c929abb90978212491a979262d46ca184
  SHA256  cbb94a7e134b11b6184714b28dc672bf0da11626afc8e560dd6c76e2dce9f1ee
  SHA512  38a3dc5606f43a34727bfbdba166fd45d9198a3befe6f59019b6f383e88a52a7b688fba3ceef0bfb39961fd39fb13e5bede66f165675dfb755b5fa32dd0bf382

C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji\files_\SYSTEM~1.TXT
  MD5     afb2d6309a91b8f0ffe22c091073b4ff
  SHA1    eeab810a4190bba9db1119edc8d11e2923b52141
  SHA256  99ae8b13551627fc7299378411c0f261234bc78eef5634e52bb3efeaea8c825d
  SHA512  ba024705ad343f1cb62d6c3c6532660dd72965ecdb5f27099acaee1d115666fdceea60964c8c48ef7a99d49085b0b1748bd7ce4a8e7253fca322fa528260d00c

C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji\files_\_Chrome\DEFAUL~1.BIN
  MD5     f4b8e6e7ca32ed5ab1653cc327475cc0
  SHA1    e7c30740b8cc28534d398ff4036e0cc6649619ce
  SHA256  34abcff7dd7e3157dc78b58d9fc7ce57be556a550bcc6a2b2257c9b08107cbe2
  SHA512  edc72a374b28b984d8d3ced5a27ddb1a91e843ab873f7b700eecea87c0dfea961359f7931ea127ee2b8edc2602968795c6b9f121622dffca23241736c44d8ae2

C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji\files_\_Chrome\DEFAUL~1.DB
  MD5     b608d407fc15adea97c26936bc6f03f6
  SHA1    953e7420801c76393902c0d6bb56148947e41571
  SHA256  b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512  cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji\files_\_Chrome\DEFAUL~2.DB
  MD5     055c8c5c47424f3c2e7a6fc2ee904032
  SHA1    5952781d22cff35d94861fac25d89a39af6d0a87
  SHA256  531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a
  SHA512  c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji\files_\_Chrome\DEFAUL~3.DB
  MD5     8ee018331e95a610680a789192a9d362
  SHA1    e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9
  SHA256  94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575
  SHA512  4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

Memory dumps taken during the run:
  memory/628-120-0x0000000000000000-mapping.dmp
  memory/2632-115-0x0000000000F70000-0x0000000001650000-memory.dmp   Filesize 6.9MB
  memory/2632-119-0x0000000076F00000-0x000000007708E000-memory.dmp   Filesize 1.6MB
  memory/2632-118-0x0000000000F70000-0x0000000001650000-memory.dmp   Filesize 6.9MB
  memory/2632-117-0x0000000000F70000-0x0000000001650000-memory.dmp   Filesize 6.9MB
  memory/2632-116-0x0000000000F70000-0x0000000001650000-memory.dmp   Filesize 6.9MB
  memory/3220-135-0x0000000000000000-mapping.dmp
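Turning a dropped-file listing like the one above into indicators means parsing the flattened path/digest lines, checking that every digest has the right length (a truncated copy-paste is easy to miss in 128-character SHA512s), collapsing the duplicated _Files\ and files_\ trees, and recovering the staging directory. The following Python is an added example, not tooling from the sandbox: RAW is a constructed subset of the entries on this page, reproduced in the page's glued "SHA1<hex>" format, and the helper names are the example's own.

```python
"""Parse a flattened dropped-file listing and reduce it to unique indicators.

Added example. RAW is a constructed subset of this page's Downloads entries,
kept in the page's own format: a path line ending in "MD5", the MD5 on the
next line, then SHA1/SHA256/SHA512 glued to their labels, "-" as separator.
"""
import re
from collections import defaultdict

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)MD5$")
HASH_RE = re.compile(r"^(?P<algo>SHA512|SHA256|SHA1)(?P<hex>[0-9a-fA-F]+)$")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

RAW = r"""
C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji\FCRGCI~1.ZIPMD5
1b1aac00c6538fec42388e103c9725f2
SHA1cb7347e576f408123ba5ea07712c8586050f0e03
SHA2566dc2ff5ac0063d1d11aa84b08ad6fe46896926d19377a66e3414503fb7798a9c
SHA51295a876feda8ae065649dbb74d473839c6cf68006fc97047dcc667738f3a6ac604ba86992d12a52ddbbbf7be7a388ff0d933970632137e5684c0aa66bb7e40ec8
-
C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji\_Files\_Chrome\DEFAUL~1.BINMD5
f4b8e6e7ca32ed5ab1653cc327475cc0
SHA1e7c30740b8cc28534d398ff4036e0cc6649619ce
SHA25634abcff7dd7e3157dc78b58d9fc7ce57be556a550bcc6a2b2257c9b08107cbe2
SHA512edc72a374b28b984d8d3ced5a27ddb1a91e843ab873f7b700eecea87c0dfea961359f7931ea127ee2b8edc2602968795c6b9f121622dffca23241736c44d8ae2
-
C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji\_Files\_INFOR~1.TXTMD5
afb2d6309a91b8f0ffe22c091073b4ff
SHA1eeab810a4190bba9db1119edc8d11e2923b52141
SHA25699ae8b13551627fc7299378411c0f261234bc78eef5634e52bb3efeaea8c825d
SHA512ba024705ad343f1cb62d6c3c6532660dd72965ecdb5f27099acaee1d115666fdceea60964c8c48ef7a99d49085b0b1748bd7ce4a8e7253fca322fa528260d00c
-
C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji\files_\SYSTEM~1.TXTMD5
afb2d6309a91b8f0ffe22c091073b4ff
SHA1eeab810a4190bba9db1119edc8d11e2923b52141
SHA25699ae8b13551627fc7299378411c0f261234bc78eef5634e52bb3efeaea8c825d
SHA512ba024705ad343f1cb62d6c3c6532660dd72965ecdb5f27099acaee1d115666fdceea60964c8c48ef7a99d49085b0b1748bd7ce4a8e7253fca322fa528260d00c
-
C:\Users\Admin\AppData\Local\Temp\aQIaOBhNoji\files_\_Chrome\DEFAUL~1.BINMD5
f4b8e6e7ca32ed5ab1653cc327475cc0
SHA1e7c30740b8cc28534d398ff4036e0cc6649619ce
SHA25634abcff7dd7e3157dc78b58d9fc7ce57be556a550bcc6a2b2257c9b08107cbe2
SHA512edc72a374b28b984d8d3ced5a27ddb1a91e843ab873f7b700eecea87c0dfea961359f7931ea127ee2b8edc2602968795c6b9f121622dffca23241736c44d8ae2
"""


def parse_dropped(text):
    """Turn the flattened listing into [{path, md5, sha1, sha256, sha512}, ...]."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "-"):
            continue
        m = PATH_RE.match(line)
        if m:
            current = {"path": m["path"]}
            records.append(current)
            continue
        if current is None:
            continue
        if "md5" not in current and MD5_RE.match(line):
            current["md5"] = line.lower()
            continue
        h = HASH_RE.match(line)
        if h:
            current[h["algo"].lower()] = h["hex"].lower()
    for rec in records:  # refuse truncated or mis-glued digests
        for algo, n in HEX_LEN.items():
            if len(rec.get(algo, "")) != n:
                raise ValueError(f"{rec['path']}: bad or missing {algo}")
    return records


def group_by_sha256(records):
    """Map each SHA256 to every path it was written under."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["sha256"]].append(rec["path"])
    return dict(groups)


def staging_dir(records):
    """Longest common directory prefix of all dropped paths (case-insensitive)."""
    parts = [rec["path"].split("\\") for rec in records]
    common = []
    for comps in zip(*parts):
        if len({c.lower() for c in comps}) != 1:
            break
        common.append(comps[0])
    return "\\".join(common)


def summarize(records):
    """Unique hashes for blocklisting, duplicate groups, and the staging directory."""
    groups = group_by_sha256(records)
    return {
        "files": len(records),
        "unique_sha256": sorted(groups),
        "duplicates": {h: paths for h, paths in groups.items() if len(paths) > 1},
        "staging_dir": staging_dir(records),
    }


if __name__ == "__main__":
    print(summarize(parse_dropped(RAW)))
```

The five constructed entries collapse to three unique SHA256 values and one staging directory, which is the shape worth exporting: the directory name pattern and the hashes of the exfiltration bundle, not fourteen near-duplicate rows.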