Analysis

max time kernel: 118s
max time network: 125s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12/02/2022, 01:52

Static task: static1
Behavioral task: behavioral1
Sample: 9e49a8f52736cb6b803f257a124cb6c86ab7d3eb8219e2a7a8df5820dc91b759.exe
Resource: win7-en-20211208
General

Target: 9e49a8f52736cb6b803f257a124cb6c86ab7d3eb8219e2a7a8df5820dc91b759.exe
Size: 270KB
MD5: 2e699eb3b3c53381ba5fb3cd3c161cee
SHA1: c6149aa2dad22df650c22fbb129570d4cf1680ba
SHA256: 9e49a8f52736cb6b803f257a124cb6c86ab7d3eb8219e2a7a8df5820dc91b759
SHA512: 796f381818bc6ec2d85a9093d7f4472f8c769c19d14b4b7a278653fd35fb36d7fd3be4e2b3caf1e95b1ca5c5ace24a6f24222e4b32dc36d5d95d4e3b3bc12ccb
Malware Config

Extracted: cryptbot
  sezqks52.top
  morwyf05.top
  payload_url: http://ekulmy16.top/download.php?file=vimful.exe
Signatures

Deletes itself (1 IoCs)
  pid   Process
  268   cmd.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      9e49a8f52736cb6b803f257a124cb6c86ab7d3eb8219e2a7a8df5820dc91b759.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  9e49a8f52736cb6b803f257a124cb6c86ab7d3eb8219e2a7a8df5820dc91b759.exe

Delays execution with timeout.exe (1 IoCs)
  pid   Process
  596   timeout.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                      pid   Process                                                                 procid_target
  PID 1516 wrote to memory of 268  1516  9e49a8f52736cb6b803f257a124cb6c86ab7d3eb8219e2a7a8df5820dc91b759.exe  27
  PID 1516 wrote to memory of 268  1516  9e49a8f52736cb6b803f257a124cb6c86ab7d3eb8219e2a7a8df5820dc91b759.exe  27
  PID 1516 wrote to memory of 268  1516  9e49a8f52736cb6b803f257a124cb6c86ab7d3eb8219e2a7a8df5820dc91b759.exe  27
  PID 1516 wrote to memory of 268  1516  9e49a8f52736cb6b803f257a124cb6c86ab7d3eb8219e2a7a8df5820dc91b759.exe  27
  PID 268 wrote to memory of 596   268   cmd.exe                                                                 29
  PID 268 wrote to memory of 596   268   cmd.exe                                                                 29
  PID 268 wrote to memory of 596   268   cmd.exe                                                                 29
  PID 268 wrote to memory of 596   268   cmd.exe                                                                 29
Processes

1. C:\Users\Admin\AppData\Local\Temp\9e49a8f52736cb6b803f257a124cb6c86ab7d3eb8219e2a7a8df5820dc91b759.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9e49a8f52736cb6b803f257a124cb6c86ab7d3eb8219e2a7a8df5820dc91b759.exe"
   - Checks processor information in registry
   - Suspicious use of WriteProcessMemory
   PID: 1516

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\yVtcBFIMZb & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\9e49a8f52736cb6b803f257a124cb6c86ab7d3eb8219e2a7a8df5820dc91b759.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 268

      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 4
         - Delays execution with timeout.exe
         PID: 596