Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-12-2021 08:10

Static task: static1
Behavioral task: behavioral1
- Sample: e55422d97015ca9945114cebaeba4cbf.exe
- Resource: win7-en-20211208
General
- Target: e55422d97015ca9945114cebaeba4cbf.exe
- Size: 2.7MB
- MD5: e55422d97015ca9945114cebaeba4cbf
- SHA1: 671d3c900b4aa7b4568e8a4c61a49075fc74484b
- SHA256: f3b4f47ab6b09e0b090c6fb6f6145774485e2d043d373ed2971034bf6cd9f420
- SHA512: 9453ae884da5d039fa0ca4fc33216b1ca02d2b40831edf534d7fde16a01c045f1c49ae7935ab317cd6f515e21a9a22ee14cbf3a068627b03e334cdc115603f6f
Malware Config
Extracted: cryptbot
- dainfe42.top
- morvtu04.top
Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: e55422d97015ca9945114cebaeba4cbf.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: e55422d97015ca9945114cebaeba4cbf.exe)

- Deletes itself (1 IoC)
  Processes:
  - PID 960: cmd.exe

- Memory resources matching YARA rule "themida"
  Processes:
  - behavioral1/memory/972-56-0x00000000010E0000-0x00000000017D3000-memory.dmp: themida
  - behavioral1/memory/972-57-0x00000000010E0000-0x00000000017D3000-memory.dmp: themida
  - behavioral1/memory/972-59-0x00000000010E0000-0x00000000017D3000-memory.dmp: themida
  - behavioral1/memory/972-58-0x00000000010E0000-0x00000000017D3000-memory.dmp: themida

- Checks whether UAC is enabled
  Processes:
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: e55422d97015ca9945114cebaeba4cbf.exe)

- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  - PID 972: e55422d97015ca9945114cebaeba4cbf.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: e55422d97015ca9945114cebaeba4cbf.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: e55422d97015ca9945114cebaeba4cbf.exe)

- Delays execution with timeout.exe (1 IoC)
  Processes:
  - PID 1172: timeout.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  - PID 972: e55422d97015ca9945114cebaeba4cbf.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  - PID 972 (e55422d97015ca9945114cebaeba4cbf.exe) wrote to memory of PID 960 (cmd.exe)
  - PID 972 (e55422d97015ca9945114cebaeba4cbf.exe) wrote to memory of PID 960 (cmd.exe)
  - PID 972 (e55422d97015ca9945114cebaeba4cbf.exe) wrote to memory of PID 960 (cmd.exe)
  - PID 972 (e55422d97015ca9945114cebaeba4cbf.exe) wrote to memory of PID 960 (cmd.exe)
  - PID 960 (cmd.exe) wrote to memory of PID 1172 (timeout.exe)
  - PID 960 (cmd.exe) wrote to memory of PID 1172 (timeout.exe)
  - PID 960 (cmd.exe) wrote to memory of PID 1172 (timeout.exe)
  - PID 960 (cmd.exe) wrote to memory of PID 1172 (timeout.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\e55422d97015ca9945114cebaeba4cbf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e55422d97015ca9945114cebaeba4cbf.exe"
   PID: 972
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (child of PID 972)
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\lXVXSlRC & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\e55422d97015ca9945114cebaeba4cbf.exe"
      PID: 960
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe (child of PID 960)
         Command line: timeout 4
         PID: 1172
         - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/960-60-0x0000000000000000-mapping.dmp
- memory/972-55-0x00000000756C1000-0x00000000756C3000-memory.dmp (Filesize: 8KB)
- memory/972-56-0x00000000010E0000-0x00000000017D3000-memory.dmp (Filesize: 6.9MB)
- memory/972-57-0x00000000010E0000-0x00000000017D3000-memory.dmp (Filesize: 6.9MB)
- memory/972-59-0x00000000010E0000-0x00000000017D3000-memory.dmp (Filesize: 6.9MB)
- memory/972-58-0x00000000010E0000-0x00000000017D3000-memory.dmp (Filesize: 6.9MB)
- memory/1172-61-0x0000000000000000-mapping.dmp