Analysis
- max time kernel: 117s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12/02/2022, 01:38
- Static task: static1
- Behavioral task: behavioral1
  - Sample: a5219362cbb0c09963e6fe68b63565180a53ce4fac271770aeb180c03442575d.exe
  - Resource: win7-en-20211208
General
- Target: a5219362cbb0c09963e6fe68b63565180a53ce4fac271770aeb180c03442575d.exe
- Size: 1.6MB
- MD5: 5ca4eb1b6296d6f6f2e118e0a2a228ba
- SHA1: 9ae9bb0b2edc22af695974b784cd0dd3c62a7f97
- SHA256: a5219362cbb0c09963e6fe68b63565180a53ce4fac271770aeb180c03442575d
- SHA512: c5ca3629c71e7d38e71e1eb341fafeb31dac8b34aa27dcdd8ce8c556e6167f3e4f05a3f66c7c01a2d15efa114dca6a9e8a6e8ec99d8e98a562bf8969089a2073
Malware Config
Extracted
- cryptbot
- tisatp45.top
- morivm04.top
- payload_url: http://danwza05.top/download.php?file=jevons.exe
Signatures
- Deletes itself (1 IoCs)
  pid | Process
  1664 | cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | a5219362cbb0c09963e6fe68b63565180a53ce4fac271770aeb180c03442575d.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | a5219362cbb0c09963e6fe68b63565180a53ce4fac271770aeb180c03442575d.exe
- Delays execution with timeout.exe (1 IoCs)
  pid | Process
  460 | timeout.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 964 wrote to memory of 1664 | 964 | a5219362cbb0c09963e6fe68b63565180a53ce4fac271770aeb180c03442575d.exe | 27
  PID 964 wrote to memory of 1664 | 964 | a5219362cbb0c09963e6fe68b63565180a53ce4fac271770aeb180c03442575d.exe | 27
  PID 964 wrote to memory of 1664 | 964 | a5219362cbb0c09963e6fe68b63565180a53ce4fac271770aeb180c03442575d.exe | 27
  PID 964 wrote to memory of 1664 | 964 | a5219362cbb0c09963e6fe68b63565180a53ce4fac271770aeb180c03442575d.exe | 27
  PID 1664 wrote to memory of 460 | 1664 | cmd.exe | 29
  PID 1664 wrote to memory of 460 | 1664 | cmd.exe | 29
  PID 1664 wrote to memory of 460 | 1664 | cmd.exe | 29
  PID 1664 wrote to memory of 460 | 1664 | cmd.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\a5219362cbb0c09963e6fe68b63565180a53ce4fac271770aeb180c03442575d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a5219362cbb0c09963e6fe68b63565180a53ce4fac271770aeb180c03442575d.exe"
  PID: 964
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\SeEMUbVVSTdau & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a5219362cbb0c09963e6fe68b63565180a53ce4fac271770aeb180c03442575d.exe"
    PID: 1664
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 4
      PID: 460
      - Delays execution with timeout.exe