Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
11/02/2022, 02:35
Static task
static1
Behavioral task
behavioral1
Sample
e1d2efbb7c57651e87c324030e6a1c53f171e2f69a49c94556ae7ff63f7e864d.exe
Resource
win7-en-20211208
General
-
Target
e1d2efbb7c57651e87c324030e6a1c53f171e2f69a49c94556ae7ff63f7e864d.exe
-
Size
2.8MB
-
MD5
e066ff0c7010232f1059d0398dc2c720
-
SHA1
320d69f502460a590679e4ac35309df0f0707216
-
SHA256
e1d2efbb7c57651e87c324030e6a1c53f171e2f69a49c94556ae7ff63f7e864d
-
SHA512
852cf674c9ecd9586e9355a0558d97feec59669bee9270a1dcb7906976e13d9514afa0974ec2bcec9aa68d14b603f15b4f6b18d252720afba17eafcbe86cc88d
Malware Config
Extracted
cryptbot
zyoksv12.top
morlea01.top
-
payload_url
http://yapivt01.top/download.php?file=ainger.exe
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e1d2efbb7c57651e87c324030e6a1c53f171e2f69a49c94556ae7ff63f7e864d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e1d2efbb7c57651e87c324030e6a1c53f171e2f69a49c94556ae7ff63f7e864d.exe -
Deletes itself 1 IoCs
pid Process 268 cmd.exe -
resource yara_rule behavioral1/memory/856-54-0x0000000000110000-0x0000000000857000-memory.dmp themida behavioral1/memory/856-56-0x0000000000110000-0x0000000000857000-memory.dmp themida behavioral1/memory/856-57-0x0000000000110000-0x0000000000857000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA e1d2efbb7c57651e87c324030e6a1c53f171e2f69a49c94556ae7ff63f7e864d.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 856 e1d2efbb7c57651e87c324030e6a1c53f171e2f69a49c94556ae7ff63f7e864d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 e1d2efbb7c57651e87c324030e6a1c53f171e2f69a49c94556ae7ff63f7e864d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString e1d2efbb7c57651e87c324030e6a1c53f171e2f69a49c94556ae7ff63f7e864d.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 528 timeout.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 856 e1d2efbb7c57651e87c324030e6a1c53f171e2f69a49c94556ae7ff63f7e864d.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 856 wrote to memory of 268 856 e1d2efbb7c57651e87c324030e6a1c53f171e2f69a49c94556ae7ff63f7e864d.exe 27 PID 856 wrote to memory of 268 856 e1d2efbb7c57651e87c324030e6a1c53f171e2f69a49c94556ae7ff63f7e864d.exe 27 PID 856 wrote to memory of 268 856 e1d2efbb7c57651e87c324030e6a1c53f171e2f69a49c94556ae7ff63f7e864d.exe 27 PID 856 wrote to memory of 268 856 e1d2efbb7c57651e87c324030e6a1c53f171e2f69a49c94556ae7ff63f7e864d.exe 27 PID 268 wrote to memory of 528 268 cmd.exe 29 PID 268 wrote to memory of 528 268 cmd.exe 29 PID 268 wrote to memory of 528 268 cmd.exe 29 PID 268 wrote to memory of 528 268 cmd.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1d2efbb7c57651e87c324030e6a1c53f171e2f69a49c94556ae7ff63f7e864d.exe"C:\Users\Admin\AppData\Local\Temp\e1d2efbb7c57651e87c324030e6a1c53f171e2f69a49c94556ae7ff63f7e864d.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\YnIXXbgIM & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\e1d2efbb7c57651e87c324030e6a1c53f171e2f69a49c94556ae7ff63f7e864d.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:268 -
C:\Windows\SysWOW64\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
PID:528
-
-