Analysis

- max time kernel: 122s
- max time network: 127s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12/02/2022, 00:50

Static task: static1
Behavioral task: behavioral1
- Sample: bcafd3989097e0631a1dbb1fb996690c7c5240c81e6496184268a8f4f2a840ec.exe
- Resource: win7-en-20211208
General

- Target: bcafd3989097e0631a1dbb1fb996690c7c5240c81e6496184268a8f4f2a840ec.exe
- Size: 386KB
- MD5: dfc02658cb106d327ec0379beb50df44
- SHA1: a2e49b450c91e6ade762e4d1a037b42a054b028b
- SHA256: bcafd3989097e0631a1dbb1fb996690c7c5240c81e6496184268a8f4f2a840ec
- SHA512: c768f5646b9c20c4108c3b157f564a38d10d06473af53b3cc0e8c523df0e476c0adba0657ee57f6c34c51c7278f75c6e4d3569c5cfd87dfee6eacaa0d52e0c86
Malware Config

Extracted
- family: cryptbot
- domains: gomdhv42.top, morsof04.top
- payload_url: http://peulnm16.top/download.php?file=parter.exe

The config was recovered from the sample statically, so the domains and the payload URL are indicators regardless of whether the sandbox run reached them (no network activity to them is recorded in this report).
Signatures

- Deletes itself (1 IoC)
  pid 520, cmd.exe. The sample does not delete its own file directly: it spawns cmd.exe, which waits and then runs del /f /q against the original executable path (see the process tree below).

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; note that the extracted config identifies the family as CryptBot, an information stealer, and nothing else in this report shows file-encryption activity.

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, by bcafd3989097e0631a1dbb1fb996690c7c5240c81e6496184268a8f4f2a840ec.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, by bcafd3989097e0631a1dbb1fb996690c7c5240c81e6496184268a8f4f2a840ec.exe

- Delays execution with timeout.exe (1 IoC)
  pid 932, timeout.exe. The 4-second wait sits between the directory removal and the del of the sample, giving the parent time to exit and release its file handle before deletion is attempted.

- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 1352 (bcafd3989097e0631a1dbb1fb996690c7c5240c81e6496184268a8f4f2a840ec.exe) wrote to memory of PID 520, procid_target 27, four times
  - PID 520 (cmd.exe) wrote to memory of PID 932, procid_target 29, four times
  Each group of writes targets a process the writer has just created (cmd.exe and timeout.exe respectively), which is consistent with ordinary process creation rather than injection into an already-running process.
Processes

- C:\Users\Admin\AppData\Local\Temp\bcafd3989097e0631a1dbb1fb996690c7c5240c81e6496184268a8f4f2a840ec.exe (PID 1352)
  command line: "C:\Users\Admin\AppData\Local\Temp\bcafd3989097e0631a1dbb1fb996690c7c5240c81e6496184268a8f4f2a840ec.exe"
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 520)
    command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\lChjuRVtG & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\bcafd3989097e0631a1dbb1fb996690c7c5240c81e6496184268a8f4f2a840ec.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 932)
      command line: timeout 4
      - Delays execution with timeout.exe

The command line names system32\cmd.exe but the image that ran is SysWOW64\cmd.exe: the sample is a 32-bit process on windows7_x64, so file system redirection maps the path. Match on the image path, not the command-line string, when writing rules for this.
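The two behaviours above that are worth turning into detection logic are the cmd.exe self-delete chain (rd /s /q of a temp directory, a timeout, then del /f /q of the parent's own image) and the read of HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0. The following is an added example of how to express both as rules over process-creation and registry events; it is not code from the sandbox or from the report. The EVENTS list is constructed to mirror the process tree and registry IoCs on this page (the ppid of the top process is invented), in the shape of Sysmon process-create and registry events, and all function and rule names are this example's own.

```python
r"""Rules for the CryptBot-style self-delete chain and the CentralProcessor\0
registry read seen in the report.  Added example, not sandbox code.  EVENTS is
constructed from the page's process tree and registry IoCs; the top process's
ppid (1000) is invented."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\bcafd3989097e0631a1dbb1fb996690c7c5240c81e6496184268a8f4f2a840ec.exe")

EVENTS = [  # constructed from the report's process tree and registry IoCs
    {"type": "process", "pid": 1352, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "registry", "pid": 1352, "image": SAMPLE,  # kernel object path form
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
    {"type": "process", "pid": 520, "ppid": 1352, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c rd /s /q '
                r"C:\Users\Admin\AppData\Local\Temp\lChjuRVtG & timeout 4 & del /f /q "
                f'"{SAMPLE}"'},
    {"type": "process", "pid": 932, "ppid": 520, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": "timeout 4"},
]

CMD_C_RE = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+(.*)$', re.IGNORECASE)
RD_RE = re.compile(r'(?:rd|rmdir)\s+(?:/[sq]\s+){2}', re.IGNORECASE)
DEL_RE = re.compile(r'del\s+(?:/\w\s+)*"?(.+?)"?\s*$', re.IGNORECASE)
CPU_KEY_RE = re.compile(r'\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+',
                        re.IGNORECASE)


def split_cmd_chain(cmdline: str) -> List[str]:
    """Commands chained with '&' or '&&' after 'cmd.exe /c', in order."""
    m = CMD_C_RE.search(cmdline)
    if not m:
        return []
    return [p.strip() for p in re.split(r'\s*&&?\s*', m.group(1)) if p.strip()]


def self_delete_target(parent_image: str, cmdline: str) -> Optional[str]:
    r"""Return the deleted path when cmdline is an rd -> timeout -> del chain whose
    del target is the parent's own image, else None.  Order matters: the wait
    must precede the del so the parent has exited and released its file lock."""
    seen: List[str] = []
    target = None
    for part in split_cmd_chain(cmdline):
        verb = part.split()[0].lower()
        if verb in ("rd", "rmdir") and RD_RE.match(part):
            seen.append("rd")
        elif verb == "timeout":
            seen.append("timeout")
        elif verb == "del":
            m = DEL_RE.match(part)
            if m and m.group(1).lower() == parent_image.lower():
                seen.append("del")
                target = m.group(1)
    return target if seen == ["rd", "timeout", "del"] else None


def is_cpu_fingerprint(target_object: str) -> bool:
    r"""True for any key under HARDWARE\DESCRIPTION\System\CentralProcessor\<n>,
    whether written as HKLM\... or as the kernel \REGISTRY\MACHINE\... path."""
    return bool(CPU_KEY_RE.search(target_object))


def analyze(events: List[dict]) -> List[Tuple[str, int, str]]:
    """Run both rules over a list of events; returns (rule, pid, detail) tuples."""
    image_by_pid: Dict[int, str] = {e["pid"]: e["image"] for e in events
                                    if e["type"] == "process"}
    findings: List[Tuple[str, int, str]] = []
    for e in events:
        if e["type"] == "process":
            parent = image_by_pid.get(e.get("ppid"))
            if parent:
                hit = self_delete_target(parent, e["cmdline"])
                if hit:
                    findings.append(("self_delete", e["pid"], hit))
        elif e["type"] == "registry" and is_cpu_fingerprint(e["target"]):
            findings.append(("cpu_fingerprint", e["pid"], e["target"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:16} pid={pid} {detail}")
```

The self-delete rule keys on the parent's image path rather than on the literal command line, which is why the SysWOW64 versus system32 naming noted above does not matter to it; only the del target has to equal the path the parent actually ran from. The registry rule matches the key prefix for any processor index, since real hosts with several cores produce CentralProcessor\1, \2 and so on.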