Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 29-12-2021 14:39
Static task: static1
Behavioral task: behavioral1
- Sample: activate-it.exe
- Resource: win7-en-20211208
General
- Target: activate-it.exe
- Size: 2.6MB
- MD5: 18c556920d3c2e5a0037ee549896e670
- SHA1: 298d33f873eba5afa9a75fbec65800d97a5eedee
- SHA256: 364b659737adfdb115137df44a5ba08b9e2f89a645095c335c396bba4a924b82
- SHA512: 01f443c3290e86d292fa65986a6a4ade99d831d53d3f510c3f1f0fa661cfc9fd12340b5321d2e0ea34ea8f9ee0a49ab32b943ff185376eee4292d1a73d602201
Malware Config
Extracted
- cryptbot
- hevykt38.top
- morypd03.top
- payload_url: http://kyrpbr04.top/download.php?file=orrery.exe
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | activate-it.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | activate-it.exe
- Deletes itself (1 IoCs)
  Processes:
  pid | process
  1744 | cmd.exe
- Processes:
  resource | yara_rule
  behavioral1/memory/1668-55-0x0000000000350000-0x0000000000A34000-memory.dmp | themida
  behavioral1/memory/1668-56-0x0000000000350000-0x0000000000A34000-memory.dmp | themida
  behavioral1/memory/1668-57-0x0000000000350000-0x0000000000A34000-memory.dmp | themida
  behavioral1/memory/1668-58-0x0000000000350000-0x0000000000A34000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | activate-it.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
  pid | process
  1668 | activate-it.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | activate-it.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | activate-it.exe
- Delays execution with timeout.exe (1 IoCs)
  Processes:
  pid | process
  776 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid | process
  1668 | activate-it.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 1668 wrote to memory of 1744 | 1668 | activate-it.exe | cmd.exe
  PID 1668 wrote to memory of 1744 | 1668 | activate-it.exe | cmd.exe
  PID 1668 wrote to memory of 1744 | 1668 | activate-it.exe | cmd.exe
  PID 1668 wrote to memory of 1744 | 1668 | activate-it.exe | cmd.exe
  PID 1744 wrote to memory of 776 | 1744 | cmd.exe | timeout.exe
  PID 1744 wrote to memory of 776 | 1744 | cmd.exe | timeout.exe
  PID 1744 wrote to memory of 776 | 1744 | cmd.exe | timeout.exe
  PID 1744 wrote to memory of 776 | 1744 | cmd.exe | timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\activate-it.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\activate-it.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1668
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\bSmtndlAIYoP & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\activate-it.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1744
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 4
      - Delays execution with timeout.exe
      PID: 776
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/776-60-0x0000000000000000-mapping.dmp
- memory/1668-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp (Filesize: 8KB)
- memory/1668-55-0x0000000000350000-0x0000000000A34000-memory.dmp (Filesize: 6.9MB)
- memory/1668-56-0x0000000000350000-0x0000000000A34000-memory.dmp (Filesize: 6.9MB)
- memory/1668-57-0x0000000000350000-0x0000000000A34000-memory.dmp (Filesize: 6.9MB)
- memory/1668-58-0x0000000000350000-0x0000000000A34000-memory.dmp (Filesize: 6.9MB)
- memory/1744-59-0x0000000000000000-mapping.dmp