Analysis
- max time kernel: 119s
- max time network: 124s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-01-2022 08:19
- Static task: static1
- Behavioral task: behavioral1
- Sample: 975feaa8efd0fd8c5710652abc197e2c.exe
- Resource: win7-en-20211208
General
- Target: 975feaa8efd0fd8c5710652abc197e2c.exe
- Size: 2.6MB
- MD5: 975feaa8efd0fd8c5710652abc197e2c
- SHA1: 496a40eb59fed8322803c276fbd3cd1624f15e24
- SHA256: 7ebd75f04be7424a2c2faa8be74538af662198fcd6c88bbeb4c99df4991ac06d
- SHA512: 5390a8c3cf049a60610d101299f092ddfaf3e1856dff1b87643bfd6d17d2a7b8690b3cb898659e61d2752785ad3aae3e874aea670944e9ccf8846185b0525549
Malware Config
Extracted
- Family: cryptbot
- Domains: zyobyd22.top, moreja02.top
- payload_url: http://yaphsq02.top/download.php?file=cantey.exe
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 975feaa8efd0fd8c5710652abc197e2c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 975feaa8efd0fd8c5710652abc197e2c.exe

Deletes itself (1 IoC)
Processes:
pid | process
524 | cmd.exe
YARA rule matches (themida)
Processes:
resource | yara_rule
behavioral1/memory/832-54-0x0000000000F10000-0x00000000015F3000-memory.dmp | themida
behavioral1/memory/832-55-0x0000000000F10000-0x00000000015F3000-memory.dmp | themida
behavioral1/memory/832-56-0x0000000000F10000-0x00000000015F3000-memory.dmp | themida
behavioral1/memory/832-57-0x0000000000F10000-0x00000000015F3000-memory.dmp | themida
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 975feaa8efd0fd8c5710652abc197e2c.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
pid | process
832 | 975feaa8efd0fd8c5710652abc197e2c.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 975feaa8efd0fd8c5710652abc197e2c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 975feaa8efd0fd8c5710652abc197e2c.exe

Delays execution with timeout.exe (1 IoC)
Processes:
pid | process
432 | timeout.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
pid | process
832 | 975feaa8efd0fd8c5710652abc197e2c.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 832 wrote to memory of 524 | 832 | 975feaa8efd0fd8c5710652abc197e2c.exe | cmd.exe (4 identical entries)
PID 524 wrote to memory of 432 | 524 | cmd.exe | timeout.exe (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\975feaa8efd0fd8c5710652abc197e2c.exe (PID 832)
   Command line: "C:\Users\Admin\AppData\Local\Temp\975feaa8efd0fd8c5710652abc197e2c.exe"
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 524, child of 1)
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\sjldhxInIdiP & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\975feaa8efd0fd8c5710652abc197e2c.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\timeout.exe (PID 432, child of 2)
         Command line: timeout 4
         - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/432-59-0x0000000000000000-mapping.dmp
- memory/524-58-0x0000000000000000-mapping.dmp
- memory/832-53-0x0000000075891000-0x0000000075893000-memory.dmp (Filesize: 8KB)
- memory/832-54-0x0000000000F10000-0x00000000015F3000-memory.dmp (Filesize: 6.9MB)
- memory/832-55-0x0000000000F10000-0x00000000015F3000-memory.dmp (Filesize: 6.9MB)
- memory/832-56-0x0000000000F10000-0x00000000015F3000-memory.dmp (Filesize: 6.9MB)
- memory/832-57-0x0000000000F10000-0x00000000015F3000-memory.dmp (Filesize: 6.9MB)