Analysis
-
max time kernel
117s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
24-02-2022 18:09
Static task
static1
Behavioral task
behavioral1
Sample
9f9b4a29bff765b3a6c79737f4471268.exe
Resource
win7-20220223-en
windows7_x64
0 signatures
0 seconds
General
-
Target
9f9b4a29bff765b3a6c79737f4471268.exe
-
Size
698KB
-
MD5
9f9b4a29bff765b3a6c79737f4471268
-
SHA1
ac6dd5c92e07bf2057dacf5b15cace59b2d0f88e
-
SHA256
161ce807aa141a328eeb24bdc91264071ab2dddf6184c974dabf86ad91b0a77e
-
SHA512
67c83d686ca2da124877fbb31e953be80363ecf27e0dc29093f3bf6259b2ca41800223b23a8d13b87f1d8df6fe9d47ada6748be8cdaff602cffa0a8461d487bb
Malware Config
Extracted
Family
cryptbot
C2
brikwl42.top
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation 9f9b4a29bff765b3a6c79737f4471268.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 9f9b4a29bff765b3a6c79737f4471268.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 9f9b4a29bff765b3a6c79737f4471268.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 1896 timeout.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3756 wrote to memory of 3320 3756 9f9b4a29bff765b3a6c79737f4471268.exe 62 PID 3756 wrote to memory of 3320 3756 9f9b4a29bff765b3a6c79737f4471268.exe 62 PID 3756 wrote to memory of 3320 3756 9f9b4a29bff765b3a6c79737f4471268.exe 62 PID 3320 wrote to memory of 1896 3320 cmd.exe 64 PID 3320 wrote to memory of 1896 3320 cmd.exe 64 PID 3320 wrote to memory of 1896 3320 cmd.exe 64
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f9b4a29bff765b3a6c79737f4471268.exe"C:\Users\Admin\AppData\Local\Temp\9f9b4a29bff765b3a6c79737f4471268.exe"1⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\iIYHvrrq & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\9f9b4a29bff765b3a6c79737f4471268.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
PID:1896
-
-