Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
12-01-2022 14:39
Static task
static1
Behavioral task
behavioral1
Sample
file.bin.exe
Resource
win7-en-20211208
General
-
Target
file.bin.exe
-
Size
2.6MB
-
MD5
801e7993452aba2a57ecc6258323a42f
-
SHA1
269b38bc8080210f48c7418c80950d5e510e53fe
-
SHA256
8a5f6619791694385d6e684913ce6bb67351aa45c0f8e11e47c4856dbc57fae9
-
SHA512
cf311410d38f2d3b821b7a48616b36a1729f1448fc8137eaa4e71ad511a0dd34460132f3512534420a436fef8c95b63ee5458d194e3295fa3824ef1f2aed10bc
Malware Config
Extracted
cryptbot
kotbri22.top
moruzj02.top
-
payload_url
http://okavor03.top/download.php?file=acaboa.exe
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
file.bin.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.bin.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.bin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral2/memory/552-117-0x0000000000030000-0x0000000000716000-memory.dmp themida behavioral2/memory/552-118-0x0000000000030000-0x0000000000716000-memory.dmp themida behavioral2/memory/552-120-0x0000000000030000-0x0000000000716000-memory.dmp themida behavioral2/memory/552-121-0x0000000000030000-0x0000000000716000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
file.bin.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA file.bin.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
file.bin.exepid process 552 file.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
file.bin.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString file.bin.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 file.bin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
file.bin.exepid process 552 file.bin.exe 552 file.bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.bin.exe"C:\Users\Admin\AppData\Local\Temp\file.bin.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/552-117-0x0000000000030000-0x0000000000716000-memory.dmpFilesize
6.9MB
-
memory/552-118-0x0000000000030000-0x0000000000716000-memory.dmpFilesize
6.9MB
-
memory/552-119-0x00000000772B0000-0x000000007743E000-memory.dmpFilesize
1.6MB
-
memory/552-120-0x0000000000030000-0x0000000000716000-memory.dmpFilesize
6.9MB
-
memory/552-121-0x0000000000030000-0x0000000000716000-memory.dmpFilesize
6.9MB