Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-en-20211208
submitted: 28/01/2022, 07:53
Static task: static1
General
Target: cec36245b24ef143ac15f64d7a2db73020b73b7d.exe
Size: 1.3MB
MD5: f437a2db4d6da017299aadb215b5870b
SHA1: cec36245b24ef143ac15f64d7a2db73020b73b7d
SHA256: f25ff2f1936c55d00927e445f4386a2f30b0c39b81c30b2b3eb21ae3527d2ec2
SHA512: 1eddcbcfcccd94fac4b23fe73f5199fabb14250b9d76c21d1d48cbeb78c45e7d877a09da169ebbd096de76140c2280ee63b3256b7da509af7876dbeb785066ad
Malware Config
Extracted
Family: cryptbot
C2:
  tiswul75.top
  morypv07.top
Attributes
payload_url: http://danevn10.top/download.php?file=avenin.exe
Signatures

Deletes itself (1 IoC)
  pid   Process
  464   cmd.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description         ioc                                                                              Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                 cec36245b24ef143ac15f64d7a2db73020b73b7d.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   cec36245b24ef143ac15f64d7a2db73020b73b7d.exe

Delays execution with timeout.exe (1 IoC)
  pid    Process
  1384   timeout.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid    Process                                          procid_target
  PID 1724 wrote to memory of 464   1724   cec36245b24ef143ac15f64d7a2db73020b73b7d.exe   27
  PID 1724 wrote to memory of 464   1724   cec36245b24ef143ac15f64d7a2db73020b73b7d.exe   27
  PID 1724 wrote to memory of 464   1724   cec36245b24ef143ac15f64d7a2db73020b73b7d.exe   27
  PID 1724 wrote to memory of 464   1724   cec36245b24ef143ac15f64d7a2db73020b73b7d.exe   27
  PID 464 wrote to memory of 1384   464    cmd.exe                                          29
  PID 464 wrote to memory of 1384   464    cmd.exe                                          29
  PID 464 wrote to memory of 1384   464    cmd.exe                                          29
  PID 464 wrote to memory of 1384   464    cmd.exe                                          29
Processes

1⤵ C:\Users\Admin\AppData\Local\Temp\cec36245b24ef143ac15f64d7a2db73020b73b7d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cec36245b24ef143ac15f64d7a2db73020b73b7d.exe"
   - Checks processor information in registry
   - Suspicious use of WriteProcessMemory
   PID: 1724

   2⤵ C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\UwMbVUqpynM & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\cec36245b24ef143ac15f64d7a2db73020b73b7d.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 464

      3⤵ C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 4
         - Delays execution with timeout.exe
         PID: 1384