Analysis
max time kernel: 122s
max time network: 122s
platform: windows7_x64
resource: win7-en-20211208
submitted: 27/01/2022, 18:22
Static task: static1
Behavioral task: behavioral1
Sample: bf51bc4bba9638f5411821d48ef31e7e478c28f3.exe
Resource: win7-en-20211208
0 signatures, 0 seconds
General
Target: bf51bc4bba9638f5411821d48ef31e7e478c28f3.exe
Size: 1.3MB
MD5: ff99d60ef8dbf1a27b38e3cd86f2c037
SHA1: bf51bc4bba9638f5411821d48ef31e7e478c28f3
SHA256: 188d31cc6d4e4a75f41b6593331a92c5453bbb4c38b790b9a253f2a4c3e2048d
SHA512: d244c3088731d70afd078a53735e4380476878aee8e0b54d2cccbf9985727c5f5d17933ea9cd23d8ef6e174bd9ca90c82402f9a0cda8582633aca62a1b571bee
Malware Config
Extracted
Family: cryptbot
C2:
  gomvub75.top
  morder07.top
Attributes:
  payload_url: http://peugbe10.top/download.php?file=lierne.exe
Signatures

Deletes itself (1 IoC)
pid 1100, Process cmd.exe
A running executable cannot unlink its own mapped image, so the sample hands the deletion to a child cmd.exe: remove the staging directory, wait with timeout so the parent has exited, then del the sample file (see the process tree below).

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; for a sample whose extracted config identifies it as CryptBot, an information stealer, drive enumeration is more consistent with its stealer role than with encryption, and no file-encryption signature fired in this run.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: bf51bc4bba9638f5411821d48ef31e7e478c28f3.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: bf51bc4bba9638f5411821d48ef31e7e478c28f3.exe)

Delays execution with timeout.exe (1 IoC)
pid 476, Process timeout.exe

Suspicious use of WriteProcessMemory (8 IoCs)
PID 1944 (bf51bc4bba9638f5411821d48ef31e7e478c28f3.exe) wrote to memory of PID 1100, procid_target 27
PID 1944 (bf51bc4bba9638f5411821d48ef31e7e478c28f3.exe) wrote to memory of PID 1100, procid_target 27
PID 1944 (bf51bc4bba9638f5411821d48ef31e7e478c28f3.exe) wrote to memory of PID 1100, procid_target 27
PID 1944 (bf51bc4bba9638f5411821d48ef31e7e478c28f3.exe) wrote to memory of PID 1100, procid_target 27
PID 1100 (cmd.exe) wrote to memory of PID 476, procid_target 29
PID 1100 (cmd.exe) wrote to memory of PID 476, procid_target 29
PID 1100 (cmd.exe) wrote to memory of PID 476, procid_target 29
PID 1100 (cmd.exe) wrote to memory of PID 476, procid_target 29
All eight writes go from a parent into a child it has just created (the sample into cmd.exe, cmd.exe into timeout.exe), which is consistent with ordinary process start-up; the sandbox flags the API generically, and nothing in this run shows a write into a process the sample did not spawn.
Processes

1. C:\Users\Admin\AppData\Local\Temp\bf51bc4bba9638f5411821d48ef31e7e478c28f3.exe (PID 1944)
   Command line: "C:\Users\Admin\AppData\Local\Temp\bf51bc4bba9638f5411821d48ef31e7e478c28f3.exe"
   - Checks processor information in registry
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (PID 1100, child of 1944)
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\uQhkMLvP & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\bf51bc4bba9638f5411821d48ef31e7e478c28f3.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe (PID 476, child of 1100)
         Command line: timeout 4
         - Delays execution with timeout.exe

The command lines name C:\Windows\system32\ but the images resolve to C:\Windows\SysWOW64\: the sample is a 32-bit executable running under WOW64 on the x64 guest, so file-system redirection maps system32 to SysWOW64 for it and its children. The cmd.exe chain removes the staging directory C:\Users\Admin\AppData\Local\Temp\uQhkMLvP, waits four seconds so the parent can exit, then deletes the sample's own file.
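The self-deletion chain in the process tree above (sample spawns cmd.exe, which removes the staging directory, waits with timeout, then deletes the sample's own image) is what the "Deletes itself" and "Delays execution with timeout.exe" signatures fire on. The following Python is an added example, not part of this sandbox report: it runs that detection logic over constructed, Sysmon-style process-creation records that mirror the tree. PIDs, images and command lines are taken from the report; the sample's own parent PID, the benign control event (an installer wiping only its temp directory) and the record field names are assumptions for illustration.

```python
"""
Flag a cmd.exe whose `del` target is the image of its own parent, i.e. a
parent deleting itself through a child shell, and pull out the staging
directory and the timeout delay from the same command line.

Added example, not part of the sandbox report.  Events are constructed
to mirror the report's process tree; the sample's parent PID (1000) and
the benign control event are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the executable image
    cmdline: str  # command line as logged


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bf51bc4bba9638f5411821d48ef31e7e478c28f3.exe"

# Constructed events mirroring the report; the last one is a benign control.
EVENTS: List[ProcEvent] = [
    ProcEvent(1944, 1000, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(
        1100, 1944, r"C:\Windows\SysWOW64\cmd.exe",
        r'"C:\Windows\system32\cmd.exe" /c rd /s /q '
        r"C:\Users\Admin\AppData\Local\Temp\uQhkMLvP & timeout 4 & "
        r'del /f /q "' + SAMPLE + '"',
    ),
    ProcEvent(476, 1100, r"C:\Windows\SysWOW64\timeout.exe", "timeout 4"),
    ProcEvent(
        2000, 1999, r"C:\Windows\System32\cmd.exe",
        r'"C:\Windows\system32\cmd.exe" /c rd /s /q '
        r"C:\Users\Admin\AppData\Local\Temp\setup_tmp",
    ),
]

# Argument that follows a command and any /x switches: optionally quoted,
# terminated by the next "&" in the chain or the end of the line.
_ARG = r'(?:\s+/[a-z])*\s+"?([^"&]+?)"?\s*(?:&|$)'
DEL_RE = re.compile(r"\bdel\b" + _ARG, re.I)
RD_RE = re.compile(r"\b(?:rd|rmdir)\b" + _ARG, re.I)
TIMEOUT_RE = re.compile(r"\btimeout\s+(?:/t\s+)?(\d+)", re.I)


def _norm(path: str) -> str:
    """Case-insensitive comparison key for a Windows path."""
    return path.strip().strip('"').lower()


def find_self_delete(events: List[ProcEvent]) -> List[dict]:
    """Return one record per cmd.exe that deletes its parent's image."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e.cmdline)
        if not m:
            continue
        target = _norm(m.group(1))
        parent = by_pid.get(e.ppid)
        if parent is None or _norm(parent.image) != target:
            continue  # deletes something other than the process that spawned it
        delay = TIMEOUT_RE.search(e.cmdline)
        staging = RD_RE.search(e.cmdline)
        # Corroborate the delay: did this cmd.exe actually spawn timeout.exe?
        timeout_child = any(
            c.ppid == e.pid and c.image.lower().endswith("\\timeout.exe")
            for c in events
        )
        hits.append({
            "cmd_pid": e.pid,
            "parent_pid": parent.pid,
            "deleted_file": target,
            "staging_dir": _norm(staging.group(1)) if staging else None,
            "delay_seconds": int(delay.group(1)) if delay else None,
            "delay_confirmed": timeout_child,
        })
    return hits


if __name__ == "__main__":
    for hit in find_self_delete(EVENTS):
        print(hit)
```

The parent-image comparison is what keeps this from firing on every installer cleanup: a cmd.exe that only runs `rd /s /q` on a temp directory, as the control event does, produces no hit. Matching on the `del` target rather than on the literal `timeout 4` also survives the operator changing the delay.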