Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    07-01-2022 12:07

General

  • Target

    open__with_Pass__1234.exe

  • Size

    1018KB

  • MD5

    e0e78d14f28a5d23cab7b4dcb86a18a3

  • SHA1

    6a502c655b11c224ae0c75bbfb7c90f5a3281ced

  • SHA256

    af0b1d54f4b625461c6bad67daa6566d1ab2047fee5cf2b81c35b191f044ce9d

  • SHA512

    5c1dd166b003182c93c286a0c87cf72b434075badd8c99ad5f8ca07e6fa36c3aeb1e8027816ebede87ad45b2a885eff8d3d6852dea03d0fb04aeb16580a0e3ef

Malware Config

Extracted

Family

cryptbot

C2

zyoouw55.top

morlse05.top

Attributes
  • payload_url

    http://yapome07.top/download.php?file=combir.exe

Signatures

  • CryptBot

    A C++ stealer that is widely distributed in bundles with other software.

  • Deletes itself 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\open__with_Pass__1234.exe
    "C:\Users\Admin\AppData\Local\Temp\open__with_Pass__1234.exe"
    1⤵
    • Drops file in Windows directory
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\wnJoMBDvt & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\open__with_Pass__1234.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Windows\SysWOW64\timeout.exe
        timeout 4
        3⤵
        • Delays execution with timeout.exe
        PID:756

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/580-57-0x0000000000000000-mapping.dmp
  • memory/756-58-0x0000000000000000-mapping.dmp
  • memory/1912-54-0x0000000075F21000-0x0000000075F23000-memory.dmp
    Filesize

    8KB

  • memory/1912-56-0x0000000000360000-0x00000000003A8000-memory.dmp
    Filesize

    288KB

  • memory/1912-55-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize

    4KB