Analysis
-
max time kernel
78s -
max time network
21s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
04/02/2022, 07:20
Static task
static1
Behavioral task
behavioral1
Sample
49e8225fe23b5837bd438b4e6a30cf32.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
49e8225fe23b5837bd438b4e6a30cf32.exe
Resource
win10v2004-en-20220112
General
-
Target
49e8225fe23b5837bd438b4e6a30cf32.exe
-
Size
1.2MB
-
MD5
49e8225fe23b5837bd438b4e6a30cf32
-
SHA1
c5a5d8d70db15326c0c0fea262cbf8efc3539951
-
SHA256
000bb73658113adcf4b6f1c6c323321875885393a27e3b7541f9418f8875d3eb
-
SHA512
b763ac7e137e2ef541d729bb9c95d301137e2328536efd53b2188051e75c7c66c6cfa87cda87d5150993dba0be2917d3ef5d97451feb4ad9c57344636f909f55
Malware Config
Extracted
cryptbot
faodrt28.top
-
payload_url
http://cutlej02.top/download.php?file=wapude.exe
Signatures
-
Deletes itself 1 IoCs
pid Process 748 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 49e8225fe23b5837bd438b4e6a30cf32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 49e8225fe23b5837bd438b4e6a30cf32.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 776 timeout.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1476 wrote to memory of 748 1476 49e8225fe23b5837bd438b4e6a30cf32.exe 27 PID 1476 wrote to memory of 748 1476 49e8225fe23b5837bd438b4e6a30cf32.exe 27 PID 1476 wrote to memory of 748 1476 49e8225fe23b5837bd438b4e6a30cf32.exe 27 PID 1476 wrote to memory of 748 1476 49e8225fe23b5837bd438b4e6a30cf32.exe 27 PID 748 wrote to memory of 776 748 cmd.exe 29 PID 748 wrote to memory of 776 748 cmd.exe 29 PID 748 wrote to memory of 776 748 cmd.exe 29 PID 748 wrote to memory of 776 748 cmd.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\49e8225fe23b5837bd438b4e6a30cf32.exe"C:\Users\Admin\AppData\Local\Temp\49e8225fe23b5837bd438b4e6a30cf32.exe"1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\nFsudOTbd & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\49e8225fe23b5837bd438b4e6a30cf32.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
PID:776
-
-