Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 11/02/2022, 02:44
Static task: static1
Behavioral task: behavioral1
- Sample: dd96b13e82e44ba3b20e0ef08bedd0342cc7347339292388f29d9c7539e71df1.exe
- Resource: win7-en-20211208
General
- Target: dd96b13e82e44ba3b20e0ef08bedd0342cc7347339292388f29d9c7539e71df1.exe
- Size: 2.7MB
- MD5: 3aad5cb245c67dcc227bda1dd4ffc88b
- SHA1: 13be9d3f00503f3faf7233815f5adcc3357993bd
- SHA256: dd96b13e82e44ba3b20e0ef08bedd0342cc7347339292388f29d9c7539e71df1
- SHA512: 9efa9aea5dc722519fe15127a6bf24cd7c45113414734c3da8089a1ab13cfe34120ecdf2aca5972d25078d4f4752b2a7ef91d61ad808c1692308fe8287c8be2f
Malware Config
Extracted
- Family: cryptbot
- C2: zyodof42.top, moregv04.top
- payload_url: http://yaplzm05.top/download.php?file=bargen.exe
The payload_url is a second-stage download address pulled from the configuration, not something the sample was observed fetching in this run; no network IoC for it appears in the signatures below.
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | dd96b13e82e44ba3b20e0ef08bedd0342cc7347339292388f29d9c7539e71df1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | dd96b13e82e44ba3b20e0ef08bedd0342cc7347339292388f29d9c7539e71df1.exe
- Deletes itself 1 IoCs
  The deletion is carried out by the spawned cmd.exe (PID 1724), not by the sample's own process; the command line is in the Processes section.
  pid | Process
  1724 | cmd.exe
- Themida packer 3 IoCs
  The yara rule themida matched three dumps of the same memory region of PID 1668 (0x010F0000-0x017DD000), consistent with a Themida-protected binary unpacking in memory; the file hashes above describe the packed layer only.
  resource | yara_rule
  behavioral1/memory/1668-55-0x00000000010F0000-0x00000000017DD000-memory.dmp | themida
  behavioral1/memory/1668-56-0x00000000010F0000-0x00000000017DD000-memory.dmp | themida
  behavioral1/memory/1668-58-0x00000000010F0000-0x00000000017DD000-memory.dmp | themida
- Checks whether UAC is enabled 1 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dd96b13e82e44ba3b20e0ef08bedd0342cc7347339292388f29d9c7539e71df1.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  pid | Process
  1668 | dd96b13e82e44ba3b20e0ef08bedd0342cc7347339292388f29d9c7539e71df1.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; for a CryptBot infostealer, drive enumeration is more plausibly a scan for files and credential or wallet stores to collect, and no file encryption activity appears anywhere in this report.
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | dd96b13e82e44ba3b20e0ef08bedd0342cc7347339292388f29d9c7539e71df1.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dd96b13e82e44ba3b20e0ef08bedd0342cc7347339292388f29d9c7539e71df1.exe
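The four registry signatures above (VirtualBox ACPI values, BIOS strings, processor name, EnableLUA) are the same check seen from the defender's side: a process reading a handful of hardware-description keys it has no functional need for. The following is an added example of matching those reads, not code from the sandbox or from the sample. It normalises the kernel-style \REGISTRY\MACHINE\ paths the report logs, attributes hits per PID, and reproduces the signature names used above. The event tuples are constructed from the IoC rows in this report plus one invented benign cmd.exe read; the three VBOX__ ACPI table names are my assumption for what backs the VirtualBox signature, since the report lists no IoC for it.

```python
"""Score registry reads against the sandbox-fingerprinting keys this report flags.

Added example, not code from the sandbox or from the sample. The event tuples
below are constructed from the report's IoC rows plus one benign cmd.exe read.
"""
from collections import defaultdict

# Keys PID 1668 touches in the report, written as HKLM\... after normalisation.
# The three VBOX__ ACPI table names are an assumption: they are the usual
# VirtualBox tell, but the report gives no IoC for that signature.
FINGERPRINT_KEYS = {
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "bios",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "bios",
    r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0": "cpu",
    r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString": "cpu",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": "uac",
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": "vbox_acpi",
    r"HKLM\HARDWARE\ACPI\FADT\VBOX__": "vbox_acpi",
    r"HKLM\HARDWARE\ACPI\RSDT\VBOX__": "vbox_acpi",
}

SIGNATURE_NAMES = {
    "bios": "Checks BIOS information in registry",
    "cpu": "Checks processor information in registry",
    "uac": "Checks whether UAC is enabled",
    "vbox_acpi": "Identifies VirtualBox via ACPI registry values",
}

# Substrings that, found in SystemBiosVersion, VideoBiosVersion or
# ProcessorNameString, tell the sample it is running under a hypervisor.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "HYPER-V", "KVM")


def normalise_key(path):
    """Map the kernel-style \\REGISTRY\\MACHINE\\... form the sandbox logs to HKLM\\..."""
    path = path.strip().rstrip("\\")
    for prefix, hive in ((r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU")):
        if path.upper().startswith(prefix):
            return hive + path[len(prefix):]
    return path


def analyse_registry_events(events):
    """events: iterable of (pid, process, operation, key_path), as the report tabulates them.

    Returns {pid: {"keys": [...matched keys...], "signatures": [...names...]}}
    for every process that touched at least one fingerprinting key.
    """
    lookup = {k.lower(): cat for k, cat in FINGERPRINT_KEYS.items()}
    per_pid = defaultdict(lambda: {"keys": [], "categories": set()})
    for pid, _process, _operation, key_path in events:
        key = normalise_key(key_path)
        cat = lookup.get(key.lower())
        if cat is None:
            continue  # ordinary registry traffic; not a fingerprinting key
        per_pid[pid]["keys"].append(key)
        per_pid[pid]["categories"].add(cat)
    result = {}
    for pid, data in per_pid.items():
        sigs = [SIGNATURE_NAMES[c] for c in SIGNATURE_NAMES if c in data["categories"]]
        result[pid] = {"keys": data["keys"], "signatures": sigs}
    return result


def value_reveals_vm(value):
    """What the sample is after: does the BIOS or CPU string name a hypervisor?"""
    upper = value.upper()
    return any(marker in upper for marker in VM_MARKERS)


SAMPLE = "dd96b13e82e44ba3b20e0ef08bedd0342cc7347339292388f29d9c7539e71df1.exe"
HKLM = r"\REGISTRY\MACHINE"
# Constructed from the report's IoC rows; the cmd.exe row is invented benign noise.
SAMPLE_EVENTS = [
    (1668, SAMPLE, "Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (1668, SAMPLE, "Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (1668, SAMPLE, "Key opened", HKLM + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0"),
    (1668, SAMPLE, "Key value queried", HKLM + r"\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    (1668, SAMPLE, "Key value queried", HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    (1724, "cmd.exe", "Key value queried", HKLM + r"\SOFTWARE\Microsoft\Command Processor\AutoRun"),
]

if __name__ == "__main__":
    for pid, data in analyse_registry_events(SAMPLE_EVENTS).items():
        print(pid, data["signatures"])
    # Example values: a VirtualBox-style BIOS string versus a bare-metal CPU string.
    print(value_reveals_vm("VBOX   - 1"), value_reveals_vm("Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz"))
```

The matching is exact on the normalised key, so a single read of SystemBiosVersion by a legitimate hardware-inventory tool would also score; in practice the strength of this signature is the combination (BIOS plus CPU plus UAC policy, from a freshly dropped binary in %TEMP%), which is why the result is grouped per PID rather than emitted per event.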
- Delays execution with timeout.exe 1 IoCs
  pid | Process
  660 | timeout.exe
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  pid | Process
  1668 | dd96b13e82e44ba3b20e0ef08bedd0342cc7347339292388f29d9c7539e71df1.exe
- Suspicious use of WriteProcessMemory 8 IoCs
  Both writes match the parent/child pairs in the process tree (the sample into the cmd.exe it spawns, cmd.exe into the timeout.exe it spawns), which is how process creation shows up in this telemetry; the report records no write into a process the sample did not create itself.
  description | pid | Process | procid_target
  PID 1668 wrote to memory of 1724 (recorded 4 times) | 1668 | dd96b13e82e44ba3b20e0ef08bedd0342cc7347339292388f29d9c7539e71df1.exe | 27
  PID 1724 wrote to memory of 660 (recorded 4 times) | 1724 | cmd.exe | 29
Processes
1. dd96b13e82e44ba3b20e0ef08bedd0342cc7347339292388f29d9c7539e71df1.exe (PID 1668)
   Image: C:\Users\Admin\AppData\Local\Temp\dd96b13e82e44ba3b20e0ef08bedd0342cc7347339292388f29d9c7539e71df1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\dd96b13e82e44ba3b20e0ef08bedd0342cc7347339292388f29d9c7539e71df1.exe"
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. cmd.exe (PID 1724), child of PID 1668
      Image: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\idtUAWAp & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\dd96b13e82e44ba3b20e0ef08bedd0342cc7347339292388f29d9c7539e71df1.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. timeout.exe (PID 660), child of PID 1724
         Image: C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 4
         - Delays execution with timeout.exe

Notes on the tree: the command line names C:\Windows\system32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe, so the sample is a 32-bit process on the windows7_x64 guest and WOW64 file system redirection resolved the path; detections keyed on the system32 string in the command line and on the SysWOW64 image path both need to match. The cmd.exe chain is the sample's cleanup: rd /s /q removes its working directory idtUAWAp under %TEMP%, timeout 4 gives the parent process time to exit (a running executable cannot be deleted while its image is mapped), and del /f /q then removes the original binary. A responder pulling the sample from the host will therefore find neither the binary nor the temp directory; the hashes above and the memory dumps that hit the themida rule are the artifacts that remain.
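The self-deletion chain recorded for PID 1724 is worth detecting on its own, because the sample's image is gone by the time anyone looks for it. The following is an added example of parsing that command line, not the sandbox's own signature logic. It splits the /c payload on & and && outside quotes, tokenises each command while keeping quoted paths intact, collects the rd, del and timeout operands, and flags the chain when the del target is the image of the process that spawned cmd.exe. The command line is the one from the process tree; the parent image path is taken from the same tree, and the benign comparison case is constructed. The ping -n handling goes beyond what this report shows and covers the older sleep idiom the same way.

```python
"""Parse the cmd.exe self-deletion chain from the process tree above.

Added example, not the sandbox's own signature logic. OBSERVED_CMDLINE is the
command line recorded for PID 1724; BENIGN_CMDLINE is constructed.
"""
import re

# "C:\...\cmd.exe" /c <payload>  or  cmd /c <payload>; the image path may be
# system32 or SysWOW64, quoted or not, so match on the cmd token rather than the directory.
CMD_PREFIX = re.compile(r'\s*(?:"[^"]*cmd(?:\.exe)?"|\S*cmd(?:\.exe)?)\s+/[ck]\s+', re.IGNORECASE)


def split_cmd_chain(cmdline):
    """Return the commands of a cmd.exe /c payload, split on & and && outside double quotes."""
    m = CMD_PREFIX.match(cmdline)
    payload = cmdline[m.end():] if m else cmdline
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(payload):
        ch = payload[i]
        if ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == "&" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
            if payload[i + 1 : i + 2] == "&":  # treat && like &
                i += 1
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def tokenize(command):
    """Split one command on whitespace, keeping quoted paths together and dropping the quotes."""
    tokens, buf, in_quotes = [], [], False
    for ch in command:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def norm_path(p):
    """Case-insensitive, slash-normalised comparison form for Windows paths."""
    return p.strip().strip('"').replace("/", "\\").lower()


def analyse_cmd(parent_image, cmdline):
    """Describe what a cmd.exe child does and whether it deletes its parent's image."""
    result = {"removed_dirs": [], "deleted_files": [], "delay_seconds": None, "deletes_parent": False}
    for command in split_cmd_chain(cmdline):
        tokens = tokenize(command)
        if not tokens:
            continue
        verb, args = tokens[0].lower(), tokens[1:]
        operands = [a for a in args if not a.startswith("/")]  # drop /s /q /f /t switches
        if verb in ("rd", "rmdir"):
            result["removed_dirs"].extend(operands)
        elif verb in ("del", "erase"):
            result["deleted_files"].extend(operands)
        elif verb == "timeout":
            # "timeout 4" and "timeout /t 4" both leave the count as the numeric operand
            for a in operands:
                if a.isdigit():
                    result["delay_seconds"] = int(a)
        elif verb == "ping":
            # older sleep idiom: ping -n N 127.0.0.1 waits roughly N-1 seconds
            for flag, value in zip(args, args[1:]):
                if flag.lower() == "-n" and value.isdigit():
                    result["delay_seconds"] = max(int(value) - 1, 0)
    parent = norm_path(parent_image)
    result["deletes_parent"] = any(norm_path(f) == parent for f in result["deleted_files"])
    return result


def is_self_delete_chain(parent_image, cmdline):
    """The pattern in this report: a delay followed by deletion of the spawning binary."""
    r = analyse_cmd(parent_image, cmdline)
    return r["deletes_parent"] and r["delay_seconds"] is not None


SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\dd96b13e82e44ba3b20e0ef08bedd0342cc7347339292388f29d9c7539e71df1.exe"
# Command line recorded for PID 1724 in the process tree.
OBSERVED_CMDLINE = (
    r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\idtUAWAp'
    r' & timeout 4 & del /f /q "' + SAMPLE_PATH + '"'
)
# Constructed benign case: a user shell deleting an unrelated file.
BENIGN_CMDLINE = r'cmd.exe /c del /q "C:\Users\Admin\Documents\notes.txt"'

if __name__ == "__main__":
    print(analyse_cmd(SAMPLE_PATH, OBSERVED_CMDLINE))
    print(is_self_delete_chain(SAMPLE_PATH, OBSERVED_CMDLINE),
          is_self_delete_chain(r"C:\Windows\explorer.exe", BENIGN_CMDLINE))
```

Feed it the parent's image path from process-creation telemetry (the ParentImage field in Sysmon event 1, for instance) together with the child's command line. The delay requirement in is_self_delete_chain is deliberate: a del of the parent without a sleep would fail while the parent is still running, so the timeout or ping step is part of the pattern rather than noise.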