Analysis
- max time kernel: 118s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-01-2022 04:21

Static task: static1

Behavioral task: behavioral1
- Sample: 61d4f24a3ecfb_Wed013b3d5d701.exe
- Resource: win7-en-20211208
General
- Target: 61d4f24a3ecfb_Wed013b3d5d701.exe
- Size: 2.7MB
- MD5: 545067a0a51e1d310a2e2f4de09ec7ab
- SHA1: bfff58d02b443f551623d09fb958e681c2fb629d
- SHA256: abcacd5822584474d2ee44d7d89a7418d5be58a577118cded92d0f49eb31cbf1
- SHA512: c7df582f450594ddf2910533ae48b2e2b1affb17aa1082cff81eb4f5609545e89ed3367d41115ec8be29d4c0a65b707fd172eb3cf60928975b17bc4164299b38
Malware Config
Extracted: cryptbot
- zyokao27.top
- moreja02.top
- payload_url: http://yaphsq02.top/download.php?file=cantey.exe
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs

Checks BIOS information in registry - 2 TTPs, 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion / 61d4f24a3ecfb_Wed013b3d5d701.exe
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion / 61d4f24a3ecfb_Wed013b3d5d701.exe

Deletes itself - 1 IoCs
Processes (pid / process):
- 1620 / cmd.exe

Processes (resource / yara_rule):
- behavioral1/memory/1188-56-0x0000000000F60000-0x0000000001650000-memory.dmp / themida
- behavioral1/memory/1188-57-0x0000000000F60000-0x0000000001650000-memory.dmp / themida
- behavioral1/memory/1188-59-0x0000000000F60000-0x0000000001650000-memory.dmp / themida
- behavioral1/memory/1188-58-0x0000000000F60000-0x0000000001650000-memory.dmp / themida
Checks whether UAC is enabled
Processes (description / ioc / process):
- Key value queried / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA / 61d4f24a3ecfb_Wed013b3d5d701.exe
Suspicious use of NtSetInformationThreadHideFromDebugger - 1 IoCs
Processes (pid / process):
- 1188 / 61d4f24a3ecfb_Wed013b3d5d701.exe

Enumerates physical storage devices - 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry - 2 TTPs, 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process):
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString / 61d4f24a3ecfb_Wed013b3d5d701.exe
- Key opened / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 / 61d4f24a3ecfb_Wed013b3d5d701.exe

Delays execution with timeout.exe - 1 IoCs
Processes (pid / process):
- 1160 / timeout.exe

Suspicious behavior: EnumeratesProcesses - 1 IoCs
Processes (pid / process):
- 1188 / 61d4f24a3ecfb_Wed013b3d5d701.exe

Suspicious use of WriteProcessMemory - 8 IoCs
Processes (description / pid / process / target process):
- PID 1188 wrote to memory of 1620 / 1188 / 61d4f24a3ecfb_Wed013b3d5d701.exe / cmd.exe
- PID 1188 wrote to memory of 1620 / 1188 / 61d4f24a3ecfb_Wed013b3d5d701.exe / cmd.exe
- PID 1188 wrote to memory of 1620 / 1188 / 61d4f24a3ecfb_Wed013b3d5d701.exe / cmd.exe
- PID 1188 wrote to memory of 1620 / 1188 / 61d4f24a3ecfb_Wed013b3d5d701.exe / cmd.exe
- PID 1620 wrote to memory of 1160 / 1620 / cmd.exe / timeout.exe
- PID 1620 wrote to memory of 1160 / 1620 / cmd.exe / timeout.exe
- PID 1620 wrote to memory of 1160 / 1620 / cmd.exe / timeout.exe
- PID 1620 wrote to memory of 1160 / 1620 / cmd.exe / timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\61d4f24a3ecfb_Wed013b3d5d701.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\61d4f24a3ecfb_Wed013b3d5d701.exe"
  PID: 1188
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\NRHkhDtNhBgt & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\61d4f24a3ecfb_Wed013b3d5d701.exe"
    PID: 1620
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 4
      PID: 1160
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1160-61-0x0000000000000000-mapping.dmp
- memory/1188-55-0x0000000074EC1000-0x0000000074EC3000-memory.dmp (Filesize: 8KB)
- memory/1188-56-0x0000000000F60000-0x0000000001650000-memory.dmp (Filesize: 6.9MB)
- memory/1188-57-0x0000000000F60000-0x0000000001650000-memory.dmp (Filesize: 6.9MB)
- memory/1188-59-0x0000000000F60000-0x0000000001650000-memory.dmp (Filesize: 6.9MB)
- memory/1188-58-0x0000000000F60000-0x0000000001650000-memory.dmp (Filesize: 6.9MB)
- memory/1620-60-0x0000000000000000-mapping.dmp