Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 07-01-2022 12:17

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3abcef1753adf9814fe251e7ea578d14.exe
- Resource: win7-en-20211208
General
- Target: 3abcef1753adf9814fe251e7ea578d14.exe
- Size: 2.6MB
- MD5: 3abcef1753adf9814fe251e7ea578d14
- SHA1: 570711b8ab7fb5a837261d9c2128851c0cec5c6f
- SHA256: 33058aed960aee7a6c3df8f0dee358b3ca819c4ce9553afdd22bea022c6801b9
- SHA512: 60d9326bb61cd5e7eb58a721ba4d092acb9af7e3873345795f9e371606d050583b1198102269f2821babd2eed77877f9abdacc0ab11030171b9e00ff638be39b
Malware Config
Extracted
- Family: cryptbot
- C2: zyoenm52.top, morlse05.top
- payload_url: http://yapome07.top/download.php?file=combir.exe
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   3abcef1753adf9814fe251e7ea578d14.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  3abcef1753adf9814fe251e7ea578d14.exe
- Deletes itself (1 IoCs)
  Processes:
    pid  process
    956  cmd.exe
- YARA rule match: themida
  Processes:
    resource                                                                        yara_rule
    behavioral1/memory/1736-55-0x0000000000050000-0x000000000072C000-memory.dmp  themida
    behavioral1/memory/1736-56-0x0000000000050000-0x000000000072C000-memory.dmp  themida
    behavioral1/memory/1736-57-0x0000000000050000-0x000000000072C000-memory.dmp  themida
    behavioral1/memory/1736-58-0x0000000000050000-0x000000000072C000-memory.dmp  themida
- Checks whether UAC is enabled
  Processes:
    description        ioc                                                                                 process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  3abcef1753adf9814fe251e7ea578d14.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
    pid   process
    1736  3abcef1753adf9814fe251e7ea578d14.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                                process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    3abcef1753adf9814fe251e7ea578d14.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  3abcef1753adf9814fe251e7ea578d14.exe
- Delays execution with timeout.exe (1 IoCs)
  Processes:
    pid  process
    472  timeout.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    1736  3abcef1753adf9814fe251e7ea578d14.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                      pid   process                               target process
    PID 1736 wrote to memory of 956  1736  3abcef1753adf9814fe251e7ea578d14.exe  cmd.exe
    PID 1736 wrote to memory of 956  1736  3abcef1753adf9814fe251e7ea578d14.exe  cmd.exe
    PID 1736 wrote to memory of 956  1736  3abcef1753adf9814fe251e7ea578d14.exe  cmd.exe
    PID 1736 wrote to memory of 956  1736  3abcef1753adf9814fe251e7ea578d14.exe  cmd.exe
    PID 956 wrote to memory of 472   956   cmd.exe                               timeout.exe
    PID 956 wrote to memory of 472   956   cmd.exe                               timeout.exe
    PID 956 wrote to memory of 472   956   cmd.exe                               timeout.exe
    PID 956 wrote to memory of 472   956   cmd.exe                               timeout.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\3abcef1753adf9814fe251e7ea578d14.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3abcef1753adf9814fe251e7ea578d14.exe"
   PID: 1736
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\MaXvnUJe & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3abcef1753adf9814fe251e7ea578d14.exe"
      PID: 956
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 4
         PID: 472
         - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/472-60-0x0000000000000000-mapping.dmp
- memory/956-59-0x0000000000000000-mapping.dmp
- memory/1736-54-0x0000000076911000-0x0000000076913000-memory.dmp (Filesize: 8KB)
- memory/1736-55-0x0000000000050000-0x000000000072C000-memory.dmp (Filesize: 6.9MB)
- memory/1736-56-0x0000000000050000-0x000000000072C000-memory.dmp (Filesize: 6.9MB)
- memory/1736-57-0x0000000000050000-0x000000000072C000-memory.dmp (Filesize: 6.9MB)
- memory/1736-58-0x0000000000050000-0x000000000072C000-memory.dmp (Filesize: 6.9MB)