Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 07-01-2022 12:07
Static task: static1
Behavioral task: behavioral1
- Sample: open__with_Pass__1234.exe
- Resource: win7-en-20211208
General
- Target: open__with_Pass__1234.exe
- Size: 1018KB
- MD5: e0e78d14f28a5d23cab7b4dcb86a18a3
- SHA1: 6a502c655b11c224ae0c75bbfb7c90f5a3281ced
- SHA256: af0b1d54f4b625461c6bad67daa6566d1ab2047fee5cf2b81c35b191f044ce9d
- SHA512: 5c1dd166b003182c93c286a0c87cf72b434075badd8c99ad5f8ca07e6fa36c3aeb1e8027816ebede87ad45b2a885eff8d3d6852dea03d0fb04aeb16580a0e3ef
Malware Config
Extracted
- Family: cryptbot
- Domains (C2): zyoouw55.top, morlse05.top
- payload_url: http://yapome07.top/download.php?file=combir.exe
Signatures
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 580)
  The cmd.exe child deletes the sample's own executable after a short wait, so the original file is gone from disk once the parent has exited (see the command line in the process tree below).
- Drops file in Windows directory (2 IoCs)
  Processes: open__with_Pass__1234.exe
  File opened for modification: C:\Windows\
  File opened for modification: C:\Windows\win.ini
  Caveat: only handles opened for modification are recorded here, not a written file; treat this as a weak indicator on its own and confirm with actual file-write events before calling it a drop.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; for this sample the extracted config identifies CryptBot, an information stealer, so drive enumeration is more plausibly a search for data to collect than a prelude to encryption.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments: the ProcessorNameString reported inside a virtual machine can name the hypervisor or a generic "Virtual CPU" rather than a retail part.
  Processes: open__with_Pass__1234.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Delays execution with timeout.exe (1 IoC)
  Processes: timeout.exe (PID 756)
  `timeout 4` gives the parent process time to exit before `del` runs; Windows refuses to delete an executable whose image is still mapped by a running process, so the wait is what makes the self-deletion succeed.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  PID 1912 (open__with_Pass__1234.exe) wrote to memory of PID 580 (cmd.exe), 4 times
  PID 580 (cmd.exe) wrote to memory of PID 756 (timeout.exe), 4 times
  Caveat: both are parent-to-child writes at process creation. A handful of WriteProcessMemory calls into a freshly created child is what CreateProcess itself produces when setting the child up; by itself this pattern is not evidence of code injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\open__with_Pass__1234.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\open__with_Pass__1234.exe"
   PID: 1912
   - Drops file in Windows directory
   - Checks processor information in registry
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (child of PID 1912; the 32-bit sample asks for system32\cmd.exe and WOW64 file-system redirection resolves it to SysWOW64)
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\wnJoMBDvt & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\open__with_Pass__1234.exe"
      PID: 580
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\timeout.exe (child of PID 580)
         Command line: timeout 4
         PID: 756
         - Delays execution with timeout.exe
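The cleanup chain in the tree above (remove the working directory, wait, delete the parent's own image) is a pattern worth detecting generically rather than by hash. The script below is an added example, not code from the sandbox or from the sample: the three process records are transcribed from this report, while the record fields (pid, ppid, image, cmdline), the cmd.exe chain parser and the detection logic are my own assumptions. It reports a child that runs `del`/`erase` against an ancestor's image path, any `rd`/`rmdir` targets, and any `timeout` delay in the same chain.

```python
"""Flag the delayed self-deletion chain seen in a sandbox process tree.

Added example, not part of the sandbox report or the CryptBot sample.
The process records are transcribed from this report; the field names
and all detection logic are illustrative assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str      # on-disk path of the executable
    cmdline: str    # command line as captured by the sandbox


# Constructed from the Processes section of this report.
PROCESSES = [
    Proc(1912, None,
         r"C:\Users\Admin\AppData\Local\Temp\open__with_Pass__1234.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\open__with_Pass__1234.exe"'),
    Proc(580, 1912, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c rd /s /q '
         r"C:\Users\Admin\AppData\Local\Temp\wnJoMBDvt & timeout 4 & "
         r'del /f /q "C:\Users\Admin\AppData\Local\Temp\open__with_Pass__1234.exe"'),
    Proc(756, 580, r"C:\Windows\SysWOW64\timeout.exe", "timeout 4"),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmd: str) -> list:
    """Split on whitespace while keeping double-quoted paths intact (quotes removed)."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def split_chain(tail: str) -> list:
    """Split a cmd.exe command tail on '&' / '&&' that sit outside double quotes."""
    parts, cur, in_quotes = [], [], False
    for ch in tail:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "&" and not in_quotes:
            if "".join(cur).strip():
                parts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    if "".join(cur).strip():
        parts.append("".join(cur).strip())
    return parts


def cmd_c_commands(cmdline: str) -> list:
    """Return the commands chained after 'cmd.exe /c'; empty if this is not such a call."""
    tokens = tokenize(cmdline)
    if not tokens or not tokens[0].lower().endswith("cmd.exe"):
        return []
    m = re.search(r"\s/c\s+(.*)$", cmdline, re.IGNORECASE | re.DOTALL)
    return split_chain(m.group(1)) if m else []


def analyze(procs) -> dict:
    """Report del/erase of an ancestor's image, rd targets and timeout delays per process."""
    by_pid = {p.pid: p for p in procs}
    result = {"self_delete": [], "dir_removed": [], "delay_seconds": []}
    for p in procs:
        # Collect every ancestor so a grandchild deleting the original sample is caught too.
        ancestors, cur = [], p
        while cur.ppid in by_pid:
            cur = by_pid[cur.ppid]
            ancestors.append(cur)
        for cmd in cmd_c_commands(p.cmdline):
            toks = tokenize(cmd)
            verb = toks[0].lower()
            args = [t for t in toks[1:] if not t.startswith("/")]  # drop switches such as /f /q
            if verb in ("del", "erase"):
                targets = {a.lower() for a in args}
                for anc in ancestors:
                    if anc.image.lower() in targets:
                        result["self_delete"].append((p.pid, anc.pid, anc.image))
            elif verb in ("rd", "rmdir"):
                result["dir_removed"].extend((p.pid, a) for a in args)
            elif verb == "timeout":
                nums = [int(a) for a in args if a.isdigit()]
                if nums:
                    result["delay_seconds"].append((p.pid, nums[0]))
    return result


if __name__ == "__main__":
    for kind, hits in analyze(PROCESSES).items():
        print(kind, hits)
```

Matching on the ancestor's image path rather than on the literal `del` string keeps the rule from firing on ordinary installers that clean up their own temp files, and the `timeout`/`rd` hits next to it are the context an analyst wants when triaging the alert.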
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/580-57-0x0000000000000000-mapping.dmp
- memory/756-58-0x0000000000000000-mapping.dmp
- memory/1912-54-0x0000000075F21000-0x0000000075F23000-memory.dmp (8KB)
- memory/1912-56-0x0000000000360000-0x00000000003A8000-memory.dmp (288KB)
- memory/1912-55-0x0000000000220000-0x0000000000221000-memory.dmp (4KB)