Analysis
- max time kernel: 118s
- max time network: 140s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12/02/2022, 12:58

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 089998c6cf33a70076c0b7457f140a7875a6bd06613705561c2c0d1cb3dcbf0e.exe
  - Resource: win7-en-20211208
General
- Target: 089998c6cf33a70076c0b7457f140a7875a6bd06613705561c2c0d1cb3dcbf0e.exe
- Size: 3.3MB
- MD5: 567375246cc940c692c8a4096197ab4d
- SHA1: 09d8d3ced838d86dbc30b34ecee96fa58b479efc
- SHA256: 089998c6cf33a70076c0b7457f140a7875a6bd06613705561c2c0d1cb3dcbf0e
- SHA512: 6542f2574a283447b7111a7792c8f90a8bad30df5a168db0b7b3560590c7a8398492928391876eee0c682147268a7362fd46a619d998fe5007a06b6e3b68ab3c
Malware Config
Extracted
- cryptbot
- gomdsx15.top
- morxub01.top
- payload_url: http://peulaq01.top/download.php?file=lintel.exe
Signatures

Deletes itself (1 IoC)
pid   Process
1280  cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                       Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                          089998c6cf33a70076c0b7457f140a7875a6bd06613705561c2c0d1cb3dcbf0e.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString      089998c6cf33a70076c0b7457f140a7875a6bd06613705561c2c0d1cb3dcbf0e.exe

Delays execution with timeout.exe (1 IoC)
pid  Process
652  timeout.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   Process                                                               procid_target
PID 1628 wrote to memory of 1280  1628  089998c6cf33a70076c0b7457f140a7875a6bd06613705561c2c0d1cb3dcbf0e.exe  27
PID 1628 wrote to memory of 1280  1628  089998c6cf33a70076c0b7457f140a7875a6bd06613705561c2c0d1cb3dcbf0e.exe  27
PID 1628 wrote to memory of 1280  1628  089998c6cf33a70076c0b7457f140a7875a6bd06613705561c2c0d1cb3dcbf0e.exe  27
PID 1628 wrote to memory of 1280  1628  089998c6cf33a70076c0b7457f140a7875a6bd06613705561c2c0d1cb3dcbf0e.exe  27
PID 1280 wrote to memory of 652   1280  cmd.exe                                                               29
PID 1280 wrote to memory of 652   1280  cmd.exe                                                               29
PID 1280 wrote to memory of 652   1280  cmd.exe                                                               29
PID 1280 wrote to memory of 652   1280  cmd.exe                                                               29
Processes

1. C:\Users\Admin\AppData\Local\Temp\089998c6cf33a70076c0b7457f140a7875a6bd06613705561c2c0d1cb3dcbf0e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\089998c6cf33a70076c0b7457f140a7875a6bd06613705561c2c0d1cb3dcbf0e.exe"
   - Checks processor information in registry
   - Suspicious use of WriteProcessMemory
   PID: 1628

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\xxDcXrfpTVAx & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\089998c6cf33a70076c0b7457f140a7875a6bd06613705561c2c0d1cb3dcbf0e.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      PID: 1280

      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 4
         - Delays execution with timeout.exe
         PID: 652