Analysis
-
max time kernel
123s -
max time network
147s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
22-12-2021 18:28
Static task
static1
Behavioral task
behavioral1
Sample
d6067855ac984e670b392dd61df3d362.exe
Resource
win7-en-20211208
General
-
Target
d6067855ac984e670b392dd61df3d362.exe
-
Size
2.6MB
-
MD5
d6067855ac984e670b392dd61df3d362
-
SHA1
9320204b0d517cc239a948514982540e6652bbff
-
SHA256
5794e9722cdb1ec697ee0ae9fe5464fb9e85ba3157485d6ecb9cea44455cf37a
-
SHA512
583db7379dd2f7730a2efcf25a118170f59edf6e332f9b946b63df6323317b4d6ff155f9fa4c64041efdc7880fd70714c14b053f2d6ceb330b8ded35e55a8ce9
Malware Config
Extracted
cryptbot
⥦븁
Â
daispg32.top
morsvo03.top
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
d6067855ac984e670b392dd61df3d362.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion d6067855ac984e670b392dd61df3d362.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion d6067855ac984e670b392dd61df3d362.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral2/memory/2756-115-0x00000000002B0000-0x0000000000990000-memory.dmp themida behavioral2/memory/2756-116-0x00000000002B0000-0x0000000000990000-memory.dmp themida behavioral2/memory/2756-117-0x00000000002B0000-0x0000000000990000-memory.dmp themida behavioral2/memory/2756-118-0x00000000002B0000-0x0000000000990000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
d6067855ac984e670b392dd61df3d362.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA d6067855ac984e670b392dd61df3d362.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
d6067855ac984e670b392dd61df3d362.exepid process 2756 d6067855ac984e670b392dd61df3d362.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
d6067855ac984e670b392dd61df3d362.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString d6067855ac984e670b392dd61df3d362.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 d6067855ac984e670b392dd61df3d362.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 1164 timeout.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
d6067855ac984e670b392dd61df3d362.exepid process 2756 d6067855ac984e670b392dd61df3d362.exe 2756 d6067855ac984e670b392dd61df3d362.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
d6067855ac984e670b392dd61df3d362.execmd.exedescription pid process target process PID 2756 wrote to memory of 3792 2756 d6067855ac984e670b392dd61df3d362.exe cmd.exe PID 2756 wrote to memory of 3792 2756 d6067855ac984e670b392dd61df3d362.exe cmd.exe PID 2756 wrote to memory of 3792 2756 d6067855ac984e670b392dd61df3d362.exe cmd.exe PID 3792 wrote to memory of 1164 3792 cmd.exe timeout.exe PID 3792 wrote to memory of 1164 3792 cmd.exe timeout.exe PID 3792 wrote to memory of 1164 3792 cmd.exe timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6067855ac984e670b392dd61df3d362.exe"C:\Users\Admin\AppData\Local\Temp\d6067855ac984e670b392dd61df3d362.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\xAQAlKIm & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\d6067855ac984e670b392dd61df3d362.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3792 -
C:\Windows\SysWOW64\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
PID:1164
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\FIXJCX~1.ZIPMD5
88344a8c176b2d585508d518ebc6431f
SHA128508ec3a2226d92bd2ae82e08253e5c50183d98
SHA256d405ec92c22d1948264b3d1b01ba21f3fb9229eadc4b91b6808e7c70b1fc8c2a
SHA512931a5b68744ec555a31a954b917544a3b4db9e0b9a550d5ee6f3730240c153a7fa020faaa3f82d1b191f3865f6c0096f99908fc795dff8003fbe8d182246ac01
-
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\PNVMSK~1.ZIPMD5
b2a0570ec65512fad666cff1618e6787
SHA14d711376bd95f1b786957ea93e810498a740b8e0
SHA25664b56d9a70dad10939294b668d88cb1f89f5944a0db15a6b1d2f3ab49851c457
SHA51292f69fb9124444ddf6751e12137f4ea36c475da0773793932c86283c4442cac16fe21be5b70fdfc2ea48b4de2b6f479cdce4ac59a1783ce6716a9b3a8371e5be
-
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\_Files\_Chrome\DEFAUL~1.BINMD5
f4b8e6e7ca32ed5ab1653cc327475cc0
SHA1e7c30740b8cc28534d398ff4036e0cc6649619ce
SHA25634abcff7dd7e3157dc78b58d9fc7ce57be556a550bcc6a2b2257c9b08107cbe2
SHA512edc72a374b28b984d8d3ced5a27ddb1a91e843ab873f7b700eecea87c0dfea961359f7931ea127ee2b8edc2602968795c6b9f121622dffca23241736c44d8ae2
-
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\_Files\_Chrome\DEFAUL~1.DBMD5
b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\_Files\_Chrome\DEFAUL~2.DBMD5
055c8c5c47424f3c2e7a6fc2ee904032
SHA15952781d22cff35d94861fac25d89a39af6d0a87
SHA256531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a
SHA512c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a
-
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\_Files\_Chrome\DEFAUL~3.DBMD5
8ee018331e95a610680a789192a9d362
SHA1e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9
SHA25694354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575
SHA5124b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4
-
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\_Files\_INFOR~1.TXTMD5
e8a57e3d24e304f479b31c224c294ac8
SHA1654ee850eabd613e1e070aa62357d3ea815367a4
SHA256c049f603fc8d2fa280b8aa3b8328932e377b4c9fd2757afcd32dd386d2903897
SHA51219de974974bdd89023340ac6782a79a81bb1ee6eb1787704b620ba236f7afe111e99d4f65b10206c85056b439f95136d273302847036e40073b08777f9242750
-
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\_Files\_SCREE~1.JPEMD5
6aa3278852e3f069f371a4f497eecc1a
SHA1b75fae664cf7b966a1e7b0b4df1c835fcd828463
SHA2561814a2a5865d3a3243c08b1092de3ee47c24436bb74dffb2aab9595131457f0c
SHA512bf385c0b36ec7490277243701c0e6fcfbcc8a43ddc8f73279d4b1ee4ae10e516af996b4c4ac802600d8287e699482f99c9c99ae1be642a82104f096c9c5d445c
-
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\files_\SCREEN~1.JPGMD5
6aa3278852e3f069f371a4f497eecc1a
SHA1b75fae664cf7b966a1e7b0b4df1c835fcd828463
SHA2561814a2a5865d3a3243c08b1092de3ee47c24436bb74dffb2aab9595131457f0c
SHA512bf385c0b36ec7490277243701c0e6fcfbcc8a43ddc8f73279d4b1ee4ae10e516af996b4c4ac802600d8287e699482f99c9c99ae1be642a82104f096c9c5d445c
-
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\files_\SYSTEM~1.TXTMD5
e8a57e3d24e304f479b31c224c294ac8
SHA1654ee850eabd613e1e070aa62357d3ea815367a4
SHA256c049f603fc8d2fa280b8aa3b8328932e377b4c9fd2757afcd32dd386d2903897
SHA51219de974974bdd89023340ac6782a79a81bb1ee6eb1787704b620ba236f7afe111e99d4f65b10206c85056b439f95136d273302847036e40073b08777f9242750
-
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\files_\_Chrome\DEFAUL~1.BINMD5
f4b8e6e7ca32ed5ab1653cc327475cc0
SHA1e7c30740b8cc28534d398ff4036e0cc6649619ce
SHA25634abcff7dd7e3157dc78b58d9fc7ce57be556a550bcc6a2b2257c9b08107cbe2
SHA512edc72a374b28b984d8d3ced5a27ddb1a91e843ab873f7b700eecea87c0dfea961359f7931ea127ee2b8edc2602968795c6b9f121622dffca23241736c44d8ae2
-
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\files_\_Chrome\DEFAUL~1.DBMD5
b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\files_\_Chrome\DEFAUL~2.DBMD5
055c8c5c47424f3c2e7a6fc2ee904032
SHA15952781d22cff35d94861fac25d89a39af6d0a87
SHA256531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a
SHA512c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a
-
C:\Users\Admin\AppData\Local\Temp\xAQAlKIm\files_\_Chrome\DEFAUL~3.DBMD5
8ee018331e95a610680a789192a9d362
SHA1e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9
SHA25694354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575
SHA5124b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4
-
memory/1164-135-0x0000000000000000-mapping.dmp
-
memory/2756-115-0x00000000002B0000-0x0000000000990000-memory.dmpFilesize
6.9MB
-
memory/2756-119-0x0000000077140000-0x00000000772CE000-memory.dmpFilesize
1.6MB
-
memory/2756-118-0x00000000002B0000-0x0000000000990000-memory.dmpFilesize
6.9MB
-
memory/2756-117-0x00000000002B0000-0x0000000000990000-memory.dmpFilesize
6.9MB
-
memory/2756-116-0x00000000002B0000-0x0000000000990000-memory.dmpFilesize
6.9MB
-
memory/3792-120-0x0000000000000000-mapping.dmp