Analysis
max time kernel: 118s
max time network: 130s
platform: windows7_x64
resource: win7-en-20211208
submitted: 11/02/2022, 23:30
Static task: static1
Behavioral task: behavioral1
Sample: e69322aa3c2a06dc0c3695d98c4f093902e20d50b388f9bcba7ad41662b0224e.exe
Resource: win7-en-20211208
General
Target: e69322aa3c2a06dc0c3695d98c4f093902e20d50b388f9bcba7ad41662b0224e.exe
Size: 383KB
MD5: 7ab2dc0a23659e898606e92ef8d7a8f0
SHA1: 166791171e781ab0a46db24f9d9d2742e534f4de
SHA256: e69322aa3c2a06dc0c3695d98c4f093902e20d50b388f9bcba7ad41662b0224e
SHA512: 0afdbd896ca51d7016cba16a838610c6dccb3dc1062c970dcd5e8d28490adfe360b358185ef31bcf4788f73d6812722db1a13ee67ca41ab7635ea56ef0641066
Malware Config
Extracted
Family: cryptbot
C2: sezfxh22.top
C2: mornoz02.top
payload_url: http://ekuimr12.top/download.php?file=elwood.exe
Signatures

Deletes itself 1 IoCs
  pid   Process
  576   cmd.exe

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature reads "Likely ransomware behaviour"; the extracted config identifies the family as CryptBot, an information stealer, and no file-encryption activity is recorded in this report, so treat the enumeration as drive discovery rather than as evidence of encryption.

Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments (the ProcessorNameString value is compared against strings that identify hypervisors and virtual CPUs).
  description         ioc                                                                                     Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    e69322aa3c2a06dc0c3695d98c4f093902e20d50b388f9bcba7ad41662b0224e.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                        e69322aa3c2a06dc0c3695d98c4f093902e20d50b388f9bcba7ad41662b0224e.exe

Delays execution with timeout.exe 1 IoCs
  pid    Process
  1988   timeout.exe

Suspicious use of WriteProcessMemory 8 IoCs
  description                        pid    Process                                                                 procid_target   count
  PID 1480 wrote to memory of 576    1480   e69322aa3c2a06dc0c3695d98c4f093902e20d50b388f9bcba7ad41662b0224e.exe   27              4
  PID 576 wrote to memory of 1988    576    cmd.exe                                                                 29              4
  Both targets are the direct children in the process tree below (1480 -> 576 -> 1988). Writes of this shape are what a parent performs when it creates a child, so on their own they are not evidence of code injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\e69322aa3c2a06dc0c3695d98c4f093902e20d50b388f9bcba7ad41662b0224e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e69322aa3c2a06dc0c3695d98c4f093902e20d50b388f9bcba7ad41662b0224e.exe"
   PID: 1480
   - Checks processor information in registry
   - Suspicious use of WriteProcessMemory

  2. C:\Windows\SysWOW64\cmd.exe (child of 1480)
     Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\BpnFDgWYh & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\e69322aa3c2a06dc0c3695d98c4f093902e20d50b388f9bcba7ad41662b0224e.exe"
     PID: 576
     - Deletes itself
     - Suspicious use of WriteProcessMemory

    3. C:\Windows\SysWOW64\timeout.exe (child of 576)
       Command line: timeout 4
       PID: 1988
       - Delays execution with timeout.exe
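The self-deletion chain in the tree above (rd /s /q of a working directory, timeout 4, then del /f /q of the parent image) is a reliable pattern to hunt for in process-creation telemetry. The following is an added example, not part of the sandbox report: it reconstructs the three events from the tree as constructed input, adds one constructed benign installer cleanup for contrast, and flags a cmd.exe child whose command chain deletes the very image that spawned it. The event field names (pid, ppid, image, parent_image, cmdline) are an assumption; real Sysmon event 1 or EDR records would be mapped onto them first.

```python
"""Flag the cmd.exe self-deletion chain shown in the process tree above.

Added example, not part of the sandbox report. The input is a constructed
list of process-creation events with assumed field names (pid, ppid, image,
parent_image, cmdline); real telemetry would need mapping onto these fields.
"""
import ntpath
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\e69322aa3c2a06dc0c3695d98c4f093902e20d50b388f9bcba7ad41662b0224e.exe")

# Constructed events; PIDs and command lines follow the report's process tree.
EVENTS = [
    {"pid": 1480, "ppid": 1000, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{SAMPLE}"'},
    {"pid": 576, "ppid": 1480, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": SAMPLE,
     "cmdline": rf'"C:\Windows\system32\cmd.exe" /c rd /s /q '
                rf'C:\Users\Admin\AppData\Local\Temp\BpnFDgWYh & timeout 4 '
                rf'& del /f /q "{SAMPLE}"'},
    {"pid": 1988, "ppid": 576, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "timeout 4"},
    # Constructed benign case: an installer removing its own cache directory.
    {"pid": 2200, "ppid": 2100, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Temp\setup.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c rd /s /q C:\Temp\setup_cache'},
]


def split_chain(cmdline: str) -> list[str]:
    """Return the individual commands of a 'cmd.exe /c a & b & c' line."""
    m = re.search(r"\s/[ck]\s+(.*)$", cmdline, re.IGNORECASE)
    body = m.group(1) if m else cmdline
    return [p.strip() for p in re.split(r"\s*&{1,2}\s*", body) if p.strip()]


def tokens(command: str) -> list[str]:
    """Split one command on whitespace, keeping quoted paths intact."""
    return re.findall(r'"[^"]*"|\S+', command)


def analyze(event: dict) -> list[str]:
    """Findings for one cmd.exe process-creation event, in chain order."""
    if not event["image"].lower().endswith("\\cmd.exe"):
        return []
    parent = event["parent_image"].lower()
    parent_dir = ntpath.dirname(parent)
    findings = []
    for command in split_chain(event["cmdline"]):
        toks = tokens(command)
        verb = toks[0].lower()
        # Operands are the non-switch arguments, unquoted and case-folded.
        operands = [t.strip('"').lower() for t in toks[1:] if not t.startswith("/")]
        if verb in ("rd", "rmdir") and any(o.startswith(parent_dir + "\\") for o in operands):
            findings.append("removes_dir_beside_parent")  # rd /s /q next to the parent image
        elif verb in ("timeout", "ping"):
            findings.append("delay")  # lets the parent exit before the del runs
        elif verb in ("del", "erase") and parent in operands:
            findings.append("self_delete")  # target is the image that spawned cmd.exe
    return findings


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map pid -> findings for every event that produced at least one."""
    return {e["pid"]: f for e in events if (f := analyze(e))}


def is_self_delete_chain(findings: list[str]) -> bool:
    """High-confidence verdict: a delay followed by deletion of the parent image."""
    return "self_delete" in findings and "delay" in findings


if __name__ == "__main__":
    for pid, findings in scan(EVENTS).items():
        verdict = "SELF-DELETE CHAIN" if is_self_delete_chain(findings) else "review"
        print(f"pid {pid}: {findings} -> {verdict}")
```

The benign installer also produces a removes_dir_beside_parent finding, which is why the verdict requires the del of the parent image itself; matching only on rd /s /q or on timeout would page on ordinary installers.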