Analysis

max time kernel: 160s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 12/02/2022, 10:48

Static task: static1
Behavioral task: behavioral1
Sample: 1ecf062e57ac7a546ca661761a16553a3f730b9c8477c92c317614909b1750c1.exe
Resource: win7-en-20211208
General

Target: 1ecf062e57ac7a546ca661761a16553a3f730b9c8477c92c317614909b1750c1.exe
Size: 303KB
MD5: e16669e45db7f6e0300b6cbbd042f033
SHA1: bfcc111f6117fd5d232a3337870ddd3b5344b8fd
SHA256: 1ecf062e57ac7a546ca661761a16553a3f730b9c8477c92c317614909b1750c1
SHA512: 7057857d5acf5d25abbc0f0e8bb0406ca10ee4d6b0402f44c4202122dea9042b57e12628551111f3fb7c5528bbcac629307d53809dcc97d347182e3f20c4a325
Malware Config

Extracted
  Family: cryptbot
    sezylf12.top
    morasx01.top
  payload_url: http://ekuhik11.top/download.php?file=maseru.exe
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess  1 IoCs
  description  pid  Process  procid_target
  PID 1320 created 3580  1320  WerFault.exe  56
Checks computer location settings  2 TTPs  1 IoCs
Looks up country code configured in the registry, likely geofence.
  description  ioc  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  1ecf062e57ac7a546ca661761a16553a3f730b9c8477c92c317614909b1750c1.exe
Drops file in Windows directory  3 IoCs
  description  ioc  Process
  File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
  File opened for modification  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat  svchost.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash  1 IoCs
  pid  pid_target  Process  procid_target
  3820  3580  WerFault.exe  56
Checks processor information in registry  2 TTPs  5 IoCs
Processor information is often read in order to detect sandboxing environments.
  description  ioc  Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WerFault.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  1ecf062e57ac7a546ca661761a16553a3f730b9c8477c92c317614909b1750c1.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  1ecf062e57ac7a546ca661761a16553a3f730b9c8477c92c317614909b1750c1.exe
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  WerFault.exe
Delays execution with timeout.exe  1 IoCs
  pid  Process
  3476  timeout.exe
Enumerates system info in registry  2 TTPs  2 IoCs
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe
Modifies data under HKEY_USERS  49 IoCs
  description  ioc  Process
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"  svchost.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"  svchost.exe
  Key created  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4176"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4360"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"  svchost.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.269138"  svchost.exe
  Key created  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"  svchost.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"  svchost.exe
  Key created  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"  svchost.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "11.543917"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"  svchost.exe
  Key created  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"  svchost.exe
  Set value (str)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893141728260322"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"  svchost.exe
  Set value (int)  \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"  svchost.exe
Suspicious behavior: EnumeratesProcesses  2 IoCs
  pid  Process
  3820  WerFault.exe
  3820  WerFault.exe
Suspicious use of AdjustPrivilegeToken  64 IoCs
  description  pid  Process
  Token: SeRestorePrivilege  3820  WerFault.exe
  Token: SeBackupPrivilege  3820  WerFault.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
  Token: SeSecurityPrivilege  408  TiWorker.exe
  Token: SeBackupPrivilege  408  TiWorker.exe
  Token: SeRestorePrivilege  408  TiWorker.exe
Suspicious use of WriteProcessMemory  8 IoCs
  description  pid  Process  procid_target
  PID 3580 wrote to memory of 508  3580  1ecf062e57ac7a546ca661761a16553a3f730b9c8477c92c317614909b1750c1.exe  59
  PID 3580 wrote to memory of 508  3580  1ecf062e57ac7a546ca661761a16553a3f730b9c8477c92c317614909b1750c1.exe  59
  PID 3580 wrote to memory of 508  3580  1ecf062e57ac7a546ca661761a16553a3f730b9c8477c92c317614909b1750c1.exe  59
  PID 508 wrote to memory of 3476  508  cmd.exe  61
  PID 508 wrote to memory of 3476  508  cmd.exe  61
  PID 508 wrote to memory of 3476  508  cmd.exe  61
  PID 1320 wrote to memory of 3580  1320  WerFault.exe  56
  PID 1320 wrote to memory of 3580  1320  WerFault.exe  56
Processes

C:\Users\Admin\AppData\Local\Temp\1ecf062e57ac7a546ca661761a16553a3f730b9c8477c92c317614909b1750c1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ecf062e57ac7a546ca661761a16553a3f730b9c8477c92c317614909b1750c1.exe"
  - Checks computer location settings
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID: 3580

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\FQCdOZQaaoYN & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1ecf062e57ac7a546ca661761a16553a3f730b9c8477c92c317614909b1750c1.exe"
    - Suspicious use of WriteProcessMemory
    PID: 508

    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 4
      - Delays execution with timeout.exe
      PID: 3476

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 1144
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3820

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3580 -ip 3580
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
  PID: 1320

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 632

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 408