Analysis
- max time kernel: 120s
- max time network: 143s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 23-12-2021 18:09
- Static task: static1
General
- Target: f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe
- Size: 2.7MB
- MD5: e55422d97015ca9945114cebaeba4cbf
- SHA1: 671d3c900b4aa7b4568e8a4c61a49075fc74484b
- SHA256: f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420
- SHA512: 9453ae884da5d039fa0ca4fc33216b1ca02d2b40831edf534d7fde16a01c045f1c49ae7935ab317cd6f515e21a9a22ee14cbf3a068627b03e334cdc115603f6f
Malware Config
- Extracted: cryptbot
- Domains: dainfe42.top, morvtu04.top
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
- Checks BIOS information in registry [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes (f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe):
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Reads user/profile data of web browsers [2 TTPs]
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule match: themida
  Resources:
    behavioral1/memory/752-115-0x00000000000A0000-0x0000000000793000-memory.dmp
    behavioral1/memory/752-116-0x00000000000A0000-0x0000000000793000-memory.dmp
    behavioral1/memory/752-118-0x00000000000A0000-0x0000000000793000-memory.dmp
    behavioral1/memory/752-117-0x00000000000A0000-0x0000000000793000-memory.dmp
- Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]
- Checks installed software on the system [1 TTP]
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
  Processes (f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe):
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoC]
  Processes:
    PID 752 f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe
- Enumerates physical storage devices [1 TTP]
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry [2 TTPs, 2 IoCs]
  Processor information is often read in order to detect sandboxing environments.
  Processes (f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe):
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Delays execution with timeout.exe [1 IoC]
  Processes:
    PID 1184 timeout.exe
- Suspicious behavior: EnumeratesProcesses [2 IoCs]
  Processes:
    PID 752 f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe (2 events)
- Suspicious use of WriteProcessMemory [6 IoCs]
  Processes:
    PID 752 (f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe) wrote to memory of PID 956 (cmd.exe), 3 events
    PID 956 (cmd.exe) wrote to memory of PID 1184 (timeout.exe), 3 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe"
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\cmd.exe (child of 1)
   Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420.exe"
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\timeout.exe (child of 2)
   Command line: timeout 4
   - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files:
- C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\QMVVUA~1.ZIP
- C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\SPPTOS~1.ZIP
- C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\_Files\_Chrome\DEFAUL~1.BIN
- C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\_Files\_Chrome\DEFAUL~1.DB
- C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\_Files\_Chrome\DEFAUL~2.DB
- C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\_Files\_Chrome\DEFAUL~3.DB
- C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\_Files\_INFOR~1.TXT
- C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\_Files\_SCREE~1.JPE
- C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\files_\SCREEN~1.JPG
- C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\files_\SYSTEM~1.TXT
- C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\files_\_Chrome\DEFAUL~1.BIN
- C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\files_\_Chrome\DEFAUL~1.DB
- C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\files_\_Chrome\DEFAUL~2.DB
- C:\Users\Admin\AppData\Local\Temp\GOsXJpIrntJst\files_\_Chrome\DEFAUL~3.DB
Memory dumps:
- memory/752-115-0x00000000000A0000-0x0000000000793000-memory.dmp (6.9MB)
- memory/752-119-0x0000000077CF0000-0x0000000077E7E000-memory.dmp (1.6MB)
- memory/752-117-0x00000000000A0000-0x0000000000793000-memory.dmp (6.9MB)
- memory/752-118-0x00000000000A0000-0x0000000000793000-memory.dmp (6.9MB)
- memory/752-116-0x00000000000A0000-0x0000000000793000-memory.dmp (6.9MB)
- memory/956-120-0x0000000000000000-mapping.dmp
- memory/1184-135-0x0000000000000000-mapping.dmp